TechSpot

Need help with gmer log

By tmoss
Nov 29, 2011
  1. Recently posted some problems I was having but got no responses...Talked to a couple of tech guys onm the phone and they think I have a rootkit... Avira, Malwarebytes, Microsoft malware, Kaspersky TSSD, all say I am clean...

    Ran GMER and this is what came up...Not sure what it means..

    MER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-29 21:42:05
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0085
    Running: 1etlz9sz.exe; Driver: C:\Users\ADMINI~1.TMO\AppData\Local\Temp\fgloipoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \FileSystem\fastfat \Fat 8CBDFA7A

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Welcome aboard [​IMG]

    GMER doesn't indicate any rootkit activity.

    What are the problems?
     
  3. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Windows Vista Ultimate...Lately I have had lots of strange things happening...First of all, I started losing permissions to run certain programs such as SuperAntispyware and Malwarebytes and I had not madeany changes to anything.... Eventually ran Microsoft Essentials, Microsoft Malware, and Avira, all said I was Clean...Tried to just look around in some system files (did not change anything) and got my account restricted with black screen...Anyway seems microsoft was changing things on my pc if that's possible... Long story short, I have access back to programs but when I go down to my connect to network icon it says status not available and also says the dependency or group could not be started...Can get online in safe mode, but with no sound...My back-up for Vista was loaded on D-drive and now I can't restore , also some functions such as in user accounts I can't click on any of the tasks... On services page A lot of the services say can't be started on local...A lot of services info has been changed and may be the culprit but not sure...Is there hope?
     
  4. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  5. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Logs

    Here are the logs you requested and thank you for your help...Also not sure if this matters but when I lik on certain things I get"cannot find" %windir%\\system32\\rundll.exe

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8281

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    12/1/2011 12:59:07 AM
    mbam-log-2011-12-01 (00-59-07).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 377230
    Time elapsed: 47 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ______________________________________________________

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-01 02:21:12
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0085
    Running: 976to6tz.exe; Driver: C:\Users\ADMINI~1.TMO\AppData\Local\Temp\fgloipoc.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe[3972] kernel32.dll!CreateThread + 1A 76CDCB48 4 Bytes CALL 004553F1 C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe (Advanced SystemCare 5 Tray/IObit)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe[3972] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [00455548] C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe (Advanced SystemCare 5 Tray/IObit)
    IAT C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe[3972] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [00455548] C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe (Advanced SystemCare 5 Tray/IObit)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ____________________________________________________-
     
  6. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Logs continued

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
    Run by Administrator at 2:29:27 on 2011-12-01
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2045.1373 [GMT -5:00]
    .
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\aestsrv.exe
    C:\Windows\System32\alg.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k wdisvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\google\google desktop search\GoogleDesktop.exe
    C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\google\google desktop search\GoogleDesktop.exe
    C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = www.4Loot.com
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080221
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\googledesktop.exe" /startup
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [<NO NAME>]
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [DellSupportCenter]
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 1 (0x1)
    mPolicies-system: disableCAD = 1 (0x1)
    mPolicies-system: DisableStatusMessages = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{34620C71-3B3E-47CC-B5C0-C467306FDF63} : DhcpNameServer = 192.168.0.1
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
    LSA: Notification Packages = scecli psqlpwd
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\administrator.tmoss-pc\appdata\roaming\mozilla\firefox\profiles\wplzfdlp.default\
    FF - prefs.js: browser.startup.homepage - www.4Loot.com
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: accessibility.blockautorefresh - true
    FF - user.js: app.update.auto - false
    FF - user.js: app.update.disable_button.showUpdateHistory - false
    FF - user.js: app.update.lastUpdateTime.addon-background-update-timer - 1321938616
    FF - user.js: app.update.lastUpdateTime.background-update-timer - 1321938856
    FF - user.js: app.update.lastUpdateTime.blocklist-background-update-timer - 1321938736
    FF - user.js: app.update.lastUpdateTime.search-engine-update-timer - 1321963275
    FF - user.js: browser.cache.disk.capacity - 1048576
    FF - user.js: browser.cache.disk.smart_size.first_run - false
    FF - user.js: browser.cache.disk.smart_size_cached_value - 1048576
    FF - user.js: browser.display.use_document_fonts - 0
    FF - user.js: browser.migration.version - 5
    FF - user.js: browser.places.importBookmarksHTML - false
    FF - user.js: browser.places.smartBookmarksVersion - 2
    FF - user.js: browser.preferences.advanced.selectedTabIndex - 2
    FF - user.js: browser.privatebrowsing.autostart - true
    FF - user.js: browser.rights.3.shown - true
    FF - user.js: browser.shell.checkDefaultBrowser - false
    FF - user.js: browser.startup.homepage_override.buildID - 20111104165243
    FF - user.js: browser.startup.homepage_override.mstone - rv:8.0
    FF - user.js: browser.urlbar.autocomplete.enabled - false
    FF - user.js: dom.event.contextmenu.enabled - false
    FF - user.js: extensions.blocklist.pingCountTotal - 4
    FF - user.js: extensions.blocklist.pingCountVersion - 4
    FF - user.js: extensions.bootstrappedAddons - {}
    FF - user.js: extensions.databaseSchema - 6
    FF - user.js: extensions.enabledAddons - {FDE3FEE9-893E-4cc7-A814-60E0DE7B2E01}:5.0
    FF - user.js: extensions.installCache - [{\name\:\app-global\,\addons\:{\{972ce4c6-7e08-4474-a285-3208198ce6fd}\:{\descriptor\:\c:\\\\program files\\\\mozilla firefox\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\,\mtime\:1321144850386},\{cafeefac-0016-0000-0029-abcdeffedcba}\:{\descriptor\:\c:\\\\program files\\\\mozilla firefox\\\\extensions\\\\{cafeefac-0016-0000-0029-abcdeffedcba}\,\mtime\:1321631140430}}},{\name\:\app-profile\,\addons\:{\{fde3fee9-893e-4cc7-a814-60e0de7b2e01}\:{\descriptor\:\c:\\\\users\\\\administrator.tmoss-pc\\\\appdata\\\\roaming\\\\mozilla\\\\firefox\\\\profiles\\\\wplzfdlp.default\\\\extensions\\\\{fde3fee9-893e-4cc7-a814-60e0de7b2e01}.xpi\,\mtime\:1321805383513}}}]
    FF - user.js: extensions.lastAppVersion - 8.0
    FF - user.js: extensions.lastPlatformVersion - 8.0
    FF - user.js: extensions.pendingOperations - false
    FF - user.js: extensions.shownSelectionUI - true
    FF - user.js: font.default.x-user-def - serif
    FF - user.js: font.language.group - x-armn
    FF - user.js: font.minimum-size.x-user-def - 12
    FF - user.js: font.name.serif.x-western - Arial
    FF - user.js: font.size.fixed.x-user-def - 14
    FF - user.js: font.size.variable.x-user-def - 14
    FF - user.js: general.skins.selectedSkin - Aeon_Clouds
    FF - user.js: idle.lastDailyNotification - 1321940893
    FF - user.js: intl.accept_languages - en-us
    FF - user.js: intl.charset.default - armscii-8
    FF - user.js: intl.charsetmenu.browser.cache - windows-1250, UTF-16, ISO-8859-1, UTF-8
    FF - user.js: network.cookie.prefsMigrated - true
    FF - user.js: places.database.lastMaintenance - 1321940893
    FF - user.js: places.history.expiration.transient_current_max_pages - 64340
    FF - user.js: plugin.disable_full_page_plugin_for_types -
    FF - user.js: pref.advanced.javascript.disable_button.advanced - false
    FF - user.js: pref.browser.language.disable_button.remove - false
    FF - user.js: pref.browser.language.disable_button.up - false
    FF - user.js: pref.downloads.disable_button.edit_actions - false
    FF - user.js: pref.general.disable_button.default_browser - false
    FF - user.js: pref.privacy.disable_button.view_passwords - false
    FF - user.js: pref.privacy.disable_button.view_passwords_exceptions - false
    FF - user.js: privacy.sanitize.migrateFx3Prefs - true
    FF - user.js: security.OCSP.disable_button.managecrl - false
    FF - user.js: security.disable_button.openCertManager - false
    FF - user.js: security.disable_button.openDeviceManager - false
    FF - user.js: services.sync.clients.lastSync - 0
    FF - user.js: services.sync.clients.lastSyncLocal - 0
    FF - user.js: services.sync.migrated - true
    FF - user.js: services.sync.tabs.lastSync - 0
    FF - user.js: services.sync.tabs.lastSyncLocal - 0
    FF - user.js: storage.vacuum.last.index - 1
    FF - user.js: storage.vacuum.last.places.sqlite - 1321450834
    FF - user.js: toolkit.telemetry.prompted - true
    FF - user.js: urlclassifier.keyupdatetime.hxxps://sb-ssl.google.com/safebrowsing/newkey - 1324395828
    FF - user.js: xpinstall.whitelist.add -
    FF - user.js: xpinstall.whitelist.add.103 -
    FF - user.js: xpinstall.whitelist.add.36 -
    FF - user.js: browser.startup.homepage - www.4Loot.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-2-20 73728]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-8-3 379496]
    R3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETwLv32.sys [2010-10-7 6639616]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-4-22 21504]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-3 135664]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-11-3 2255464]
    S2 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-3 135664]
    S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2011-11-22 490840]
    .
    =============== Created Last 30 ================
    .
    2011-12-01 05:18:23 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\Apple
    2011-12-01 05:06:13 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-01 05:06:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-01 04:59:30 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\roaming\Malwarebytes
    2011-12-01 03:01:14 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\HP
    2011-11-25 20:51:45 -------- d-----w- c:\windows\system32\NtmsData
    2011-11-25 17:37:19 -------- d--h--w- c:\windows\PIF
    2011-11-25 04:32:22 -------- d-----w- c:\programdata\Avira
    2011-11-22 16:21:18 20312 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2011-11-21 09:05:26 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\Microsoft Games
    2011-11-20 12:42:51 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\roaming\PeerNetworking
    2011-11-20 12:16:23 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\Adobe
    2011-11-18 15:47:30 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\MediaDirect
    2011-11-18 14:19:28 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\Microsoft Corporation
    2011-11-18 09:29:54 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\Apple Computer
    2011-11-17 19:16:52 675152 ----a-w- c:\windows\system32\gpprefcl.dll
    2011-11-16 14:48:29 -------- d-----w- c:\windows\pss
    2011-11-13 00:28:53 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\Mozilla
    2011-11-13 00:03:28 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\Google
    2011-11-13 00:03:26 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\SupportSoft
    2011-11-12 22:03:07 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\local\ArcSoft
    2011-11-12 22:02:51 -------- d-----w- c:\users\administrator.tmoss-pc\appdata\roaming\IObit
    2011-11-09 05:26:32 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-11-09 05:26:27 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 05:26:27 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2011-11-09 05:26:25 707584 ----a-w- c:\program files\common files\system\wab32.dll
    2011-11-05 17:34:27 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2011-11-04 08:19:15 -------- d-----w- c:\program files\Windows Portable Devices
    2011-11-04 07:00:59 839168 ----a-w- c:\windows\system32\drivers\umdf\WpdMtpDr.dll
    2011-11-03 09:04:24 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-11-03 08:06:44 -------- d-----w- c:\program files\common files\Intel
    2011-11-03 07:36:49 66664 ----a-w- c:\windows\system32\nvshext.dll
    2011-11-03 07:36:49 599144 ----a-w- c:\windows\system32\nvvsvc.exe
    2011-11-03 07:36:49 309352 ----a-w- c:\windows\system32\nvhotkey.dll
    2011-11-03 07:36:48 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
    2011-11-03 07:36:47 2558568 ----a-w- c:\windows\system32\nvsvc.dll
    2011-11-03 07:36:46 3730024 ----a-w- c:\windows\system32\nvcpl.dll
    2011-11-03 07:36:46 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-11-03 07:36:07 600680 ----a-w- c:\windows\system32\easyupdatusapiu.dll
    2011-11-03 07:25:12 6613096 ----a-w- c:\windows\system32\nvwgf2um.dll
    2011-11-03 07:25:12 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2011-11-03 07:25:11 914024 ----a-w- c:\windows\system32\nvdispco32.dll
    2011-11-03 07:25:11 875112 ----a-w- c:\windows\system32\nvgenco32.dll
    2011-11-03 07:25:11 5404776 ----a-w- c:\windows\system32\nvcuda.dll
    2011-11-03 07:25:11 2412136 ----a-w- c:\windows\system32\nvapi.dll
    2011-11-03 07:25:11 2391656 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-11-03 07:25:11 2090088 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-11-03 07:25:11 17193576 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-11-03 07:25:11 16595560 ----a-w- c:\windows\system32\nvoglv32.dll
    2011-11-03 07:25:11 12636776 ----a-w- c:\windows\system32\nvd3dum.dll
    2011-11-03 07:25:11 10304104 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    .
    ==================== Find3M ====================
    .
    2011-11-18 15:45:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-04 18:44:39 40960 ----a-w- c:\windows\system32\cliconfg.rll
    2011-10-04 18:43:28 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys
    2011-10-04 18:40:46 65536 ----a-w- c:\windows\system32\drivers\IPMIDrv.sys
    2011-10-04 18:40:45 20480 ----a-w- c:\windows\system32\drivers\flpydisk.sys
    2011-10-04 18:40:45 200704 ----a-w- c:\windows\system32\drivers\e1e6032.sys
    2011-10-04 18:40:45 12288 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2011-10-04 18:40:43 40960 ----a-w- c:\windows\system32\drivers\amdk8.sys
    2011-10-04 18:40:41 811008 ----a-w- c:\windows\system32\cximage.dll
    2011-10-04 18:40:41 36864 ----a-w- c:\windows\system32\CtCamMgr.dll
    2011-10-04 18:38:55 573440 ----a-w- c:\windows\system32\atiumdva.dll
    2011-10-04 18:38:55 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2011-10-04 18:38:54 647168 ----a-w- c:\windows\system32\aestecap.dll
    2011-10-04 18:38:54 131072 ----a-w- c:\windows\system32\aestacap.dll
    2011-10-04 18:19:42 90112 ----a-w- c:\windows\CtDrvIns.exe
    2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 2:31:09.02 ===============

    _____________________________________________________________________________________

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Ultimate
    Boot Device: \Device\HarddiskVolume3
    Install Date: 2/20/2008 11:20:32 PM
    System Uptime: 12/1/2011 2:27:43 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0XR509
    Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | Microprocessor | 1000/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 136 GiB total, 85.427 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 2.232 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Common File Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.1)
    Adobe Shockwave Player 11.5
    Advanced Audio FX Engine
    Advanced SystemCare 5
    Advanced Video FX Engine
    Apple Application Support
    Apple Software Update
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    Browser Address Error Redirector
    CCleaner
    CCScore
    Dell Touchpad
    Dell Webcam Center
    Dell Webcam Manager
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    Fingerprint Reader Suite 5.6
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Deskjet 1000 J110 series Basic Device Software
    HP Update
    Intel PROSet Wireless
    Intel(R) Matrix Storage Manager
    Intel(R) PROSet/Wireless WiFi Software
    Java Auto Updater
    Java(TM) 6 Update 29
    Kodak EasyShare software
    KODAK Share Button App
    Malwarebytes' Anti-Malware version 1.51.2.1300
    MediaDirect
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mozilla Firefox 8.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music, Photos & Videos Launcher
    netbrdg
    NVIDIA 3D Vision Controller Driver
    NVIDIA 3D Vision Controller Driver 280.19
    NVIDIA 3D Vision Driver 280.26
    NVIDIA Control Panel 280.26
    NVIDIA Graphics Driver 280.26
    NVIDIA Install Application
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.10.0514
    NVIDIA Stereoscopic 3D Driver
    NVIDIA Update 1.4.28
    NVIDIA Update Components
    OfotoXMI
    OutlookAddinSetup
    Product Documentation Launcher
    QuickSet
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    SFR
    SHASTA
    SigmaTel Audio
    skin0001
    SKINXSDK
    Sonic Activation Module
    Spelling Dictionaries Support For Adobe Reader 8
    staticcr
    System Requirements Lab for Intel
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VPRINTOL
    Windows Driver Package - Eastman Kodak KODAK Digital Camera (01/29/2010 1.4.1.0)
    Windows Media Player Firefox Plugin
    WIRELESS
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/1/2011 2:32:26 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The system cannot find the file specified.
    12/1/2011 2:30:29 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:30:29 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    12/1/2011 2:30:29 AM, Error: Service Control Manager [7000] - The Network Store Interface Service service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:30:28 AM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:29:47 AM, Error: Service Control Manager [7000] - The SSDP Discovery service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:29:46 AM, Error: Service Control Manager [7023] - The Application Information service terminated with the following error: The system could not find the environment option that was entered.
    12/1/2011 2:29:46 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:29:46 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    12/1/2011 2:29:46 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    12/1/2011 2:29:46 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    12/1/2011 2:29:45 AM, Error: Service Control Manager [7022] - The Diagnostic Service Host service hung on starting.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the COM+ System Application service to connect.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7001] - The Terminal Services Configuration service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7001] - The SL UI Notification Service service depends on the Network List Service service which failed to start because of the following error: The dependency service or group failed to start.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Network Store Interface Service service which failed to start because of the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7000] - The Group Policy Client service failed to start due to the following error: The system cannot find the file specified.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7000] - The Function Discovery Resource Publication service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:28:23 AM, Error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/1/2011 2:28:08 AM, Error: Microsoft-Windows-TaskScheduler [701] - Task Scheduler service failed to start Task Compatibility module. Tasks may not be able to register on previous Window versions. Additional Data: Error Value: 2147942526.
    12/1/2011 2:26:04 AM, Error: Service Control Manager [7000] - The TPM Base Services service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    12/1/2011 2:24:57 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr Wanarpv6
    12/1/2011 2:24:57 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    12/1/2011 2:24:46 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    12/1/2011 2:24:38 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    12/1/2011 2:24:37 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    12/1/2011 2:24:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/1/2011 2:24:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    12/1/2011 2:24:24 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 001DE0739EA3 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    12/1/2011 1:43:10 AM, Error: EventLog [6008] - The previous system shutdown at 1:41:29 AM on 12/1/2011 was unexpected.
    12/1/2011 1:26:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}
    11/30/2011 9:55:01 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr spldr ssmdrv Wanarpv6
    11/30/2011 9:52:24 PM, Error: Service Control Manager [7001] - The Avira Web Protection service depends on the Avira Realtime Protection service which failed to start because of the following error: The operation completed successfully.
    11/30/2011 10:32:44 PM, Error: VDS Dynamic Provider [10] - The provider failed while storing notifications from the driver. The Virtual Disk Service should be restarted. hr=80042505
    11/30/2011 10:31:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service sdrsvc with arguments "" in order to run the server: {47135EEA-06B6-4452-8787-4A187C64A47E}
    11/30/2011 10:11:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    11/30/2011 10:10:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr CSC DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr ssmdrv tdx Wanarpv6 ws2ifsl
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 8:31:10 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 8:29:59 PM, Error: EventLog [6008] - The previous system shutdown at 8:25:19 PM on 11/29/2011 was unexpected.
    11/29/2011 7:56:18 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
    11/29/2011 7:40:13 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IMF Service service to connect.
    11/29/2011 7:40:13 PM, Error: Service Control Manager [7000] - The IMF Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/29/2011 6:41:50 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr SASDIFSV SASKUTIL spldr ssmdrv Wanarpv6
    11/29/2011 3:40:02 PM, Error: Service Control Manager [7030] - The Avira Realtime Protection service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/29/2011 3:25:50 PM, Error: Service Control Manager [7001] - The Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The dependency service or group failed to start.
    11/28/2011 5:45:10 PM, Error: EventLog [6008] - The previous system shutdown at 5:39:22 PM on 11/28/2011 was unexpected.
    11/28/2011 4:02:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
    11/28/2011 4:02:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    11/28/2011 3:48:58 PM, Error: Service Control Manager [7000] - The Function Discovery Provider Host service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    11/28/2011 3:40:17 PM, Error: Service Control Manager [7000] - The Thread Ordering Server service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    11/28/2011 3:39:28 PM, Error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the UPnP Device Host service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/28/2011 3:05:16 PM, Error: Service Control Manager [7001] - The Netlogon service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    11/28/2011 12:28:29 PM, Error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
    11/27/2011 4:16:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
    11/27/2011 3:58:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ehSched with arguments "-Service" in order to run the server: {AFD8EA5A-2B6E-4504-B681-C6E8BAD64BB6}
    11/27/2011 3:33:47 PM, Error: Service Control Manager [7030] - The Computer Browser service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:33:12 PM, Error: Service Control Manager [7030] - The Net.Tcp Port Sharing Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:32:42 PM, Error: Service Control Manager [7030] - The WinHTTP Web Proxy Auto-Discovery Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:32:18 PM, Error: Service Control Manager [7030] - The Windows Backup service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:31:46 PM, Error: Service Control Manager [7030] - The Smart Card Removal Policy service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:31:19 PM, Error: Service Control Manager [7030] - The Remote Access Connection Manager service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:31:01 PM, Error: Service Control Manager [7030] - The Remote Access Auto Connection Manager service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:30:25 PM, Error: Service Control Manager [7030] - The Remote Registry service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:28:55 PM, Error: Service Control Manager [7030] - The SigmaTel Audio Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/27/2011 3:22:35 PM, Error: Service Control Manager [7038] - The SDRSVC service was unable to log on as .\Administrator with the currently configured password due to the following error: Logon failure: unknown user name or bad password. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    11/27/2011 3:22:35 PM, Error: Service Control Manager [7000] - The Windows Backup service failed to start due to the following error: The service did not start due to a logon failure.
    11/27/2011 3:18:34 PM, Error: EventLog [6008] - The previous system shutdown at 3:16:11 PM on 11/27/2011 was unexpected.
    11/27/2011 1:53:58 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr
    11/27/2011 1:52:16 PM, Error: Service Control Manager [7023] -
    11/27/2011 1:52:16 PM, Error: Service Control Manager [7000] - The Link-Layer Topology Discovery Responder service failed to start due to the following error: The driver was not loaded because the system is booting into safe mode.
    11/27/2011 1:52:16 PM, Error: Service Control Manager [7000] - The Link-Layer Topology Discovery Mapper I/O Driver service failed to start due to the following error: The driver was not loaded because the system is booting into safe mode.
    11/27/2011 1:46:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service sdrsvc with arguments "" in order to run the server: {47135EEA-06B6-4452-8787-4A187C64A47E}
    11/27/2011 1:15:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/25/2011 5:21:36 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    11/25/2011 5:21:36 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/25/2011 5:21:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    11/25/2011 5:19:54 PM, Error: Service Control Manager [7038] - The ALG service was unable to log on as .\Administrator with the currently configured password due to the following error: Logon failure: unknown user name or bad password. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    11/25/2011 5:19:54 PM, Error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.
    11/25/2011 4:56:42 PM, Error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    11/25/2011 4:56:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1079" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/25/2011 4:53:42 PM, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Auto-Discovery Service service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    11/25/2011 4:38:21 PM, Error: Service Control Manager [7001] - The Background Intelligent Transfer Service service depends on the COM+ Event System service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/25/2011 3:17:56 PM, Error: Service Control Manager [7000] - The Secure Socket Tunneling Protocol Service service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    11/25/2011 3:15:47 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    11/25/2011 3:14:01 PM, Error: Service Control Manager [7038] - The ALG service was unable to log on as .\TMoss with the currently configured password due to the following error: Logon failure: unknown user name or bad password. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    11/25/2011 3:14:01 PM, Error: Service Control Manager [7001] - The SL UI Notification Service service depends on the COM+ Event System service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/25/2011 3:13:46 PM, Error: EventLog [6008] - The previous system shutdown at 12:47:26 PM on 11/25/2011 was unexpected.
    .
    ==== End Of File ===========================
     
  7. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    You're not running any AV program.
    Install one of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
    Update, run full scan and report on any findings.

    =============================================================

    Uninstall Advanced SystemCare 5.
    Registry cleaners/optimizers are not recommended for several reasons:

    • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

      The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
    • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
    • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
    • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
    • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
    Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


    =============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
    [​IMG]

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Axast says Everything is clean but Ade is blocked.., ..After running combo fix I can't click on anything without it saying the registry file is marked for deletion...

    __________________________________________________________________________________

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-04 14:31:06
    -----------------------------
    14:31:06.370 OS Version: Windows 6.0.6002 Service Pack 2
    14:31:06.371 Number of processors: 2 586 0xF0D
    14:31:06.372 ComputerName: TMOSS-PC UserName:
    14:31:52.993 Initialize success
    14:31:53.299 AVAST engine defs: 11120401
    14:32:12.166 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    14:32:12.168 Disk 0 Vendor: FUJITSU_ 0085 Size: 152627MB BusType: 3
    14:32:12.182 Disk 0 MBR read successfully
    14:32:12.184 Disk 0 MBR scan
    14:32:12.187 Disk 0 Windows VISTA default MBR code
    14:32:12.192 Disk 0 scanning sectors +312578048
    14:32:12.265 Disk 0 scanning C:\Windows\system32\drivers
    14:32:20.317 Service scanning
    14:32:20.883 Modules scanning
    14:32:21.125 Disk 0 trace - called modules:
    14:32:21.170 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    14:32:21.173 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85963ac8]
    14:32:21.176 3 CLASSPNP.SYS[883ce8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84a03030]
    14:32:21.715 AVAST engine scan C:\Windows
    14:32:23.957 AVAST engine scan C:\Windows\system32
    14:33:58.471 AVAST engine scan C:\Windows\system32\drivers
    14:34:07.425 AVAST engine scan C:\Users\Administrator.TMoss-PC
    14:34:35.848 AVAST engine scan C:\ProgramData
    14:34:59.544 Scan finished successfully
    14:39:31.764 Disk 0 MBR has been saved successfully to "C:\Users\Administrator.TMoss-PC\Desktop\MBR.dat"
    14:39:32.012 The log file has been saved successfully to "C:\Users\Administrator.TMoss-PC\Desktop\aswMBR.txt"


    ________________________________________________________________________




    ComboFix 11-12-04.03 - Administrator 12/04/2011 14:59:10.1.2 - x86
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2045.888 [GMT -5:00]
    Running from: c:\users\Administrator.TMoss-PC\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Documents.lnk
    c:\programdata\Roaming
    c:\users\TMoss\{96742679-5970-43C1-98B0-2776BDDFEA29}.tmp
    c:\users\TMoss\{DD5CC897-60C5-448D-9192-8B7E10017E3D}.tmp
    c:\users\TMoss\~DF14CC.tmp
    c:\users\TMoss\~DF51F0.tmp
    c:\users\TMoss\~DF52FB.tmp
    c:\users\TMoss\~DF58B1.tmp
    c:\users\TMoss\~DF6607.tmp
    c:\users\TMoss\~DF7579.tmp
    c:\users\TMoss\~DFABBA.tmp
    c:\users\TMoss\~DFC262.tmp
    c:\users\TMoss\~DFE03B.tmp
    c:\users\TMoss\~DFE189.tmp
    c:\users\TMoss\~DFF2FA.tmp
    c:\users\TMoss\34B.tmp
    c:\users\TMoss\DMI29D7.tmp
    c:\users\TMoss\E2D0.tmp
    c:\users\TMoss\F871.tmp
    c:\users\TMoss\install_flashplayer11x32_mssd_aih.exe
    c:\users\TMoss\install_flashplayer11x32_mssd_aih_1.exe
    c:\users\TMoss\tmp1279.tmp
    c:\users\TMoss\tmp1815.tmp
    c:\users\TMoss\tmp2057.tmp
    c:\users\TMoss\tmp2AED.tmp
    c:\users\TMoss\tmp30AE.tmp
    c:\users\TMoss\tmp3AF5.tmp
    c:\users\TMoss\tmp4C03.tmp
    c:\users\TMoss\tmp5393.tmp
    c:\users\TMoss\tmp5B28.tmp
    c:\users\TMoss\tmp6221.tmp
    c:\users\TMoss\tmp67F.tmp
    c:\users\TMoss\tmp822A.tmp
    c:\users\TMoss\tmp94EF.tmp
    c:\users\TMoss\tmpACA0.tmp
    c:\users\TMoss\tmpD25F.tmp
    c:\users\TMoss\tmpED9B.tmp
    c:\users\TMoss\tmpFC4D.tmp
    c:\users\TMoss\tmpFF5E.tmp
    c:\users\TMoss\wbk1293.tmp
    c:\users\TMoss\wbk1A5C.tmp
    c:\users\TMoss\wbk1F26.tmp
    c:\users\TMoss\wbk3DA6.tmp
    c:\users\TMoss\wbk7227.tmp
    c:\users\TMoss\wbk734E.tmp
    c:\users\TMoss\wbk7CCF.tmp
    c:\users\TMoss\wbkCFCF.tmp
    c:\users\TMoss\wbkF646.tmp
    c:\windows\system32\config\systemprofile\GUR1C65.tmp
    c:\windows\system32\config\systemprofile\GUR2902.tmp
    c:\windows\system32\config\systemprofile\GUR8880.tmp
    c:\windows\system32\config\systemprofile\GURAE48.tmp
    c:\windows\system32\config\systemprofile\GURB4DD.tmp
    c:\windows\system32\config\systemprofile\GURBB81.tmp
    c:\windows\system32\config\systemprofile\GURC30.tmp
    c:\windows\system32\config\systemprofile\sig88CE.tmp
    c:\windows\system32\config\systemprofile\sig9405.tmp
    c:\windows\system32\config\systemprofile\sig9445.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-04 20:11 . 2011-12-04 20:11 -------- d-----w- c:\users\UpdatusUser.TMoss-PC\AppData\Local\temp
    2011-12-04 20:11 . 2011-12-04 20:11 -------- d-----w- c:\users\UpdatusUser.TMoss-PC.000\AppData\Local\temp
    2011-12-04 20:11 . 2011-12-04 20:11 -------- d-----w- c:\users\TMoss\AppData\Local\temp
    2011-12-04 20:11 . 2011-12-04 20:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-04 17:23 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-12-04 17:23 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-12-04 17:23 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-04 17:23 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-12-04 17:23 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-12-04 17:23 . 2011-11-28 17:52 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-12-04 17:23 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-04 17:23 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
    2011-12-04 17:22 . 2011-12-04 17:22 -------- d-----w- c:\programdata\AVAST Software
    2011-12-04 17:22 . 2011-12-04 17:22 -------- d-----w- c:\program files\AVAST Software
    2011-12-04 01:59 . 2011-12-04 01:59 -------- d-----w- c:\users\TMoss\WPDNSE
    2011-12-04 01:59 . 2011-12-04 01:59 -------- d-----w- c:\users\TMoss\ArcUpdater
    2011-12-01 05:06 . 2011-12-01 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-01 05:06 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-28 20:29 . 2011-11-28 20:29 -------- d-----w- c:\windows\system32\config\systemprofile\TfsStore
    2011-11-25 20:51 . 2011-12-03 04:31 -------- d-----w- c:\windows\system32\NtmsData
    2011-11-25 17:37 . 2011-11-25 17:37 -------- d--h--w- c:\windows\PIF
    2011-11-25 04:32 . 2011-12-01 03:13 -------- d-----w- c:\programdata\Avira
    2011-11-23 09:28 . 2011-11-23 09:28 -------- d-----w- c:\users\TMoss\OneNote
    2011-11-22 23:27 . 2011-11-22 23:27 -------- d-----w- c:\users\TMoss\New Folder
    2011-11-22 16:21 . 2011-10-20 03:16 20312 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2011-11-18 05:19 . 2011-11-18 05:19 -------- d-----w- c:\users\TMoss\AppData\Local\ElevatedDiagnostics
    2011-11-18 05:18 . 2011-11-18 05:19 -------- d-----w- c:\users\TMoss\msdtadmin
    2011-11-18 05:18 . 2011-11-18 05:19 -------- d-----w- c:\users\TMoss\MATS-Temp
    2011-11-17 22:05 . 2011-11-17 22:05 -------- d-----w- c:\users\TMoss\Temp3_ivdf_fusebundle_nt_en.zip
    2011-11-17 22:04 . 2011-11-17 22:04 -------- d-----w- c:\users\TMoss\Temp1_manifest.zip
    2011-11-17 22:04 . 2011-11-17 22:04 -------- d-----w- c:\users\TMoss\Temp1_rdrmessage.zip
    2011-11-17 22:04 . 2011-11-17 22:04 -------- d-----w- c:\users\TMoss\Temp1_PROCESSLISTRELATED.ZIP
    2011-11-17 22:04 . 2011-11-17 22:04 -------- d-----w- c:\users\TMoss\Temp1_PROCESSLIST.ZIP
    2011-11-17 22:03 . 2011-11-17 22:04 -------- d-----w- c:\users\TMoss\Temp2_ivdf_fusebundle_nt_en.zip
    2011-11-17 22:02 . 2011-11-17 22:03 -------- d-----w- c:\users\TMoss\Temp1_ivdf_fusebundle_nt_en.zip
    2011-11-17 21:33 . 2011-11-18 04:15 -------- d-----w- c:\users\TMoss\plugtmp-3
    2011-11-17 19:16 . 2009-06-03 23:56 675152 ----a-w- c:\windows\system32\gpprefcl.dll
    2011-11-17 05:44 . 2011-11-17 05:44 -------- d-----w- c:\users\TMoss\AppData\Roaming\ArcSoft
    2011-11-16 20:23 . 2011-11-16 20:23 -------- d-----w- c:\users\TMoss\CR_1F2CC.tmp
    2011-11-16 19:20 . 2011-11-16 19:20 -------- d-----w- c:\users\TMoss\OIS
    2011-11-16 14:54 . 2011-11-16 14:54 -------- d-----w- c:\users\TMoss\E2D0.dir
    2011-11-16 07:48 . 2011-11-16 07:48 -------- d-----w- c:\users\TMoss\msohtmlclip
    2011-11-16 02:58 . 2011-11-16 03:21 -------- d-----w- c:\users\TMoss\plugtmp-2
    2011-11-16 02:10 . 2011-11-16 02:10 -------- d-----w- c:\users\TMoss\VBE
    2011-11-15 21:39 . 2011-11-15 22:13 -------- d-----w- c:\users\TMoss\plugtmp-1
    2011-11-15 20:59 . 2011-11-15 21:36 -------- d-----w- c:\users\TMoss\plugtmp
    2011-11-13 01:11 . 2011-11-17 20:59 -------- d-----w- c:\users\TMoss\mozilla-media-cache
    2011-11-13 01:10 . 2011-11-17 15:40 -------- d-----w- c:\users\TMoss\Low
    2011-11-13 00:29 . 2011-11-13 00:30 -------- d-----w- c:\windows\system32\config\systemprofile\Google Toolbar
    2011-11-12 22:00 . 2011-12-02 15:05 -------- d-----w- c:\users\Administrator.TMoss-PC
    2011-11-10 16:42 . 2011-11-30 00:38 -------- d-----w- c:\users\Guest
    2011-11-10 16:18 . 2011-11-10 16:18 -------- d-----w- c:\windows\system32\config\systemprofile\HP
    2011-11-09 05:26 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-11-09 05:26 . 2011-09-20 21:02 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 05:26 . 2011-09-20 13:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2011-11-09 05:26 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
    2011-11-07 13:02 . 2011-11-07 13:02 -------- d-----w- c:\users\TMoss\AppData\Roaming\PeerNetworking
    2011-11-05 17:34 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-18 15:45 . 2011-07-29 09:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-03 09:04 . 2011-11-03 09:04 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-11-03 09:02 . 2011-11-03 09:02 81408 ----a-w- c:\windows\system32\wevtfwd.dll
    2011-11-03 09:02 . 2011-11-03 09:02 79872 ----a-w- c:\windows\system32\wecutil.exe
    2011-11-03 09:02 . 2011-11-03 09:02 56320 ----a-w- c:\windows\system32\wecapi.dll
    2011-11-03 09:02 . 2011-11-03 09:02 54272 ----a-w- c:\windows\system32\WsmRes.dll
    2011-11-03 09:02 . 2011-11-03 09:02 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-11-03 09:02 . 2011-11-03 09:02 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
    2011-11-03 09:02 . 2011-11-03 09:02 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
    2011-11-03 09:02 . 2011-11-03 09:02 241152 ----a-w- c:\windows\system32\winrscmd.dll
    2011-11-03 09:02 . 2011-11-03 09:02 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
    2011-11-03 09:02 . 2011-11-03 09:02 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-11-03 09:02 . 2011-11-03 09:02 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-11-03 09:02 . 2011-11-03 09:02 201184 ----a-w- c:\windows\system32\winrm.vbs
    2011-11-03 09:02 . 2011-11-03 09:02 146944 ----a-w- c:\windows\system32\wecsvc.dll
    2011-11-03 09:02 . 2011-11-03 09:02 145408 ----a-w- c:\windows\system32\WsmAuto.dll
    2011-11-03 09:02 . 2011-11-03 09:02 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-11-03 09:02 . 2011-11-03 09:02 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
    2011-11-03 09:02 . 2011-11-03 09:02 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-11-03 09:02 . 2011-11-03 09:02 10240 ----a-w- c:\windows\system32\winrssrv.dll
    2011-11-03 09:02 . 2011-11-03 09:02 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
    2011-10-04 18:44 . 2006-11-02 08:11 40960 ----a-w- c:\windows\system32\cliconfg.rll
    2011-10-04 18:43 . 2006-11-02 06:37 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys
    2011-10-04 18:41 . 2009-04-13 01:39 102400 ----a-w- c:\windows\system32\stacsv.exe
    2011-10-04 18:41 . 2009-04-13 01:38 4947968 ----a-w- c:\windows\system32\stacgui.cpl
    2011-10-04 18:41 . 2009-04-13 01:38 1601536 ----a-w- c:\windows\system32\stlang.dll
    2011-10-04 18:41 . 2008-02-21 12:12 90112 ----a-w- c:\windows\system32\snymsico.dll
    2011-10-04 18:41 . 2008-02-21 11:49 5976064 ----a-w- c:\windows\system32\SETE54F.tmp
    2011-10-04 18:41 . 2008-02-21 11:49 520192 ----a-w- c:\windows\system32\SETDD79.tmp
    2011-10-04 18:41 . 2008-02-21 11:47 430080 ----a-w- c:\windows\system32\PRODUCTRED.scr
    2011-10-04 18:41 . 2009-06-16 19:59 151552 ----a-w- c:\windows\system32\nvcod155.dll
    2011-10-04 18:41 . 2009-01-30 13:12 135168 ----a-w- c:\windows\system32\nvcod138.dll
    2011-10-04 18:41 . 2008-02-21 12:12 167936 ----a-w- c:\windows\system32\nvccoin.dll
    2011-10-04 18:41 . 2008-02-21 11:49 36864 ----a-w- c:\windows\system32\nvcod100.dll
    2011-10-04 18:41 . 2008-02-21 12:12 684032 ----a-w- c:\windows\system32\NETw4c32.dll
    2011-10-04 18:41 . 2008-02-21 12:12 2772992 ----a-w- c:\windows\system32\NETw4r32.dll
    2011-10-04 18:41 . 2008-02-21 04:32 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-10-04 18:41 . 2008-02-21 04:32 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-10-04 18:41 . 2008-02-21 04:32 1060864 ----a-w- c:\windows\system32\MFC71.DLL
    2011-10-04 18:41 . 2007-06-06 14:38 237568 ----a-w- c:\windows\system32\KPDPMUI.dll
    2011-10-04 18:41 . 2007-06-06 14:38 344064 ----a-w- c:\windows\system32\KPDPM.dll
    2011-10-04 18:41 . 2007-06-06 14:18 196608 ----a-w- c:\windows\system32\KPDRES.DLL
    2011-10-04 18:41 . 2008-02-21 04:34 126976 ----a-w- c:\windows\system32\Imsmudlg.exe
    2011-10-04 18:41 . 2004-08-09 12:04 73728 ----a-w- c:\windows\system32\ISUSPM.cpl
    2011-10-04 18:40 . 2006-11-02 08:42 65536 ----a-w- c:\windows\system32\drivers\IPMIDrv.sys
    2011-10-04 18:40 . 2006-11-02 10:25 200704 ----a-w- c:\windows\system32\drivers\e1e6032.sys
    2011-10-04 18:40 . 2006-11-02 08:55 12288 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2011-10-04 18:40 . 2006-11-02 08:51 20480 ----a-w- c:\windows\system32\drivers\flpydisk.sys
    2011-10-04 18:40 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\amdk8.sys
    2011-10-04 18:40 . 2008-02-21 12:12 811008 ----a-w- c:\windows\system32\cximage.dll
    2011-10-04 18:40 . 2008-02-21 12:12 36864 ----a-w- c:\windows\system32\CtCamMgr.dll
    2011-10-04 18:38 . 2006-11-02 10:25 573440 ----a-w- c:\windows\system32\atiumdva.dll
    2011-10-04 18:38 . 2006-11-02 10:25 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2011-10-04 18:38 . 2009-04-13 01:39 647168 ----a-w- c:\windows\system32\aestecap.dll
    2011-10-04 18:38 . 2009-04-13 01:39 131072 ----a-w- c:\windows\system32\aestacap.dll
    2011-10-04 18:19 . 2008-02-21 12:12 90112 ----a-w- c:\windows\CtDrvIns.exe
    2011-09-12 23:14 . 2011-10-16 21:17 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{36D3B948-6529-481A-BA8E-C690C6DA1E72}\mpengine.dll
    2011-09-06 13:30 . 2011-10-16 21:05 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-11-05 06:53 . 2011-05-16 03:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-04-17 05:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-04-17 05:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-10-04 159744]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Google Desktop Search"="c:\program files\google\google desktop search\googledesktop.exe" [2008-02-21 1838592]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2011-10-04 221184]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-08-03 309352]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    c:\users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "disableCAD"= 1 (0x1)
    "DisableStatusMessages"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-04-17 05:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
    2007-04-17 04:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    R1 MpKsl1df80b25;MpKsl1df80b25;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BD577C2D-8561-4964-B5E2-CC8198010596}\MpKsl1df80b25.sys [x]
    R1 MpKsld7277ef1;MpKsld7277ef1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D99EA361-4946-4B19-A3CE-DFEBA5C663E0}\MpKsld7277ef1.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 135664]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
    R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 135664]
    R4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\system32\drivers\ianvstor.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-12-03 73728]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-11-28 55128]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
    S2 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-10-07 6639616]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ASWFSBLK
    *NewlyCreated* - ASWMBR
    *NewlyCreated* - ASWMONFLT
    *NewlyCreated* - ASWRDR
    *NewlyCreated* - ASWSNX
    *NewlyCreated* - ASWSP
    *NewlyCreated* - ASWTDI
    *Deregistered* - aswMBR
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    rsmsvcs REG_MULTI_SZ ntmssvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 01:58]
    .
    2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 01:58]
    .
    2011-11-23 c:\windows\Tasks\User_Feed_Synchronization-{CEB27D76-DC5F-4C92-96A8-72AEA390B0B6}.job
    - c:\windows\system32\msfeedssync.exe [2011-03-17 17:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = www.4Loot.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Administrator.TMoss-PC\AppData\Roaming\Mozilla\Firefox\Profiles\wplzfdlp.default\
    FF - prefs.js: browser.startup.homepage - www.4Loot.com
    FF - user.js: accessibility.blockautorefresh - true
    FF - user.js: app.update.auto - false
    FF - user.js: app.update.disable_button.showUpdateHistory - false
    FF - user.js: app.update.lastUpdateTime.addon-background-update-timer - 1321938616
    FF - user.js: app.update.lastUpdateTime.background-update-timer - 1321938856
    FF - user.js: app.update.lastUpdateTime.blocklist-background-update-timer - 1321938736
    FF - user.js: app.update.lastUpdateTime.search-engine-update-timer - 1321963275
    FF - user.js: browser.cache.disk.capacity - 1048576
    FF - user.js: browser.cache.disk.smart_size.first_run - false
    FF - user.js: browser.cache.disk.smart_size_cached_value - 1048576
    FF - user.js: browser.display.use_document_fonts - 0
    FF - user.js: browser.migration.version - 5
    FF - user.js: browser.places.importBookmarksHTML - false
    FF - user.js: browser.places.smartBookmarksVersion - 2
    FF - user.js: browser.preferences.advanced.selectedTabIndex - 2
    FF - user.js: browser.privatebrowsing.autostart - true
    FF - user.js: browser.rights.3.shown - true
    FF - user.js: browser.shell.checkDefaultBrowser - false
    FF - user.js: browser.startup.homepage_override.buildID - 20111104165243
    FF - user.js: browser.startup.homepage_override.mstone - rv:8.0
    FF - user.js: browser.urlbar.autocomplete.enabled - false
    FF - user.js: dom.event.contextmenu.enabled - false
    FF - user.js: extensions.blocklist.pingCountTotal - 4
    FF - user.js: extensions.blocklist.pingCountVersion - 4
    FF - user.js: extensions.bootstrappedAddons - {}
    FF - user.js: extensions.databaseSchema - 6
    FF - user.js: extensions.enabledAddons - {FDE3FEE9-893E-4cc7-A814-60E0DE7B2E01}:5.0
    FF - user.js: extensions.installCache - [{\name\:\app-global\,\addons\:{\{972ce4c6-7e08-4474-a285-3208198ce6fd}\:{\descriptor\:\c:\\\\Program Files\\\\Mozilla Firefox\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\,\mtime\:1321144850386},\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\:{\descriptor\:\c:\\\\Program Files\\\\Mozilla Firefox\\\\extensions\\\\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\,\mtime\:1321631140430}}},{\name\:\app-profile\,\addons\:{\{FDE3FEE9-893E-4cc7-A814-60E0DE7B2E01}\:{\descriptor\:\c:\\\\Users\\\\Administrator.TMoss-PC\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\wplzfdlp.default\\\\extensions\\\\{FDE3FEE9-893E-4cc7-A814-60E0DE7B2E01}.xpi\,\mtime\:1321805383513}}}]
    FF - user.js: extensions.lastAppVersion - 8.0
    FF - user.js: extensions.lastPlatformVersion - 8.0
    FF - user.js: extensions.pendingOperations - false
    FF - user.js: extensions.shownSelectionUI - true
    FF - user.js: font.default.x-user-def - serif
    FF - user.js: font.language.group - x-armn
    FF - user.js: font.minimum-size.x-user-def - 12
    FF - user.js: font.name.serif.x-western - Arial
    FF - user.js: font.size.fixed.x-user-def - 14
    FF - user.js: font.size.variable.x-user-def - 14
    FF - user.js: general.skins.selectedSkin - Aeon_Clouds
    FF - user.js: idle.lastDailyNotification - 1321940893
    FF - user.js: intl.accept_languages - en-us
    FF - user.js: intl.charset.default - armscii-8
    FF - user.js: intl.charsetmenu.browser.cache - windows-1250, UTF-16, ISO-8859-1, UTF-8
    FF - user.js: network.cookie.prefsMigrated - true
    FF - user.js: places.database.lastMaintenance - 1321940893
    FF - user.js: places.history.expiration.transient_current_max_pages - 64340
    FF - user.js: plugin.disable_full_page_plugin_for_types -
    FF - user.js: pref.advanced.javascript.disable_button.advanced - false
    FF - user.js: pref.browser.language.disable_button.remove - false
    FF - user.js: pref.browser.language.disable_button.up - false
    FF - user.js: pref.downloads.disable_button.edit_actions - false
    FF - user.js: pref.general.disable_button.default_browser - false
    FF - user.js: pref.privacy.disable_button.view_passwords - false
    FF - user.js: pref.privacy.disable_button.view_passwords_exceptions - false
    FF - user.js: privacy.sanitize.migrateFx3Prefs - true
    FF - user.js: security.OCSP.disable_button.managecrl - false
    FF - user.js: security.disable_button.openCertManager - false
    FF - user.js: security.disable_button.openDeviceManager - false
    FF - user.js: services.sync.clients.lastSync - 0
    FF - user.js: services.sync.clients.lastSyncLocal - 0
    FF - user.js: services.sync.migrated - true
    FF - user.js: services.sync.tabs.lastSync - 0
    FF - user.js: services.sync.tabs.lastSyncLocal - 0
    FF - user.js: storage.vacuum.last.index - 1
    FF - user.js: storage.vacuum.last.places.sqlite - 1321450834
    FF - user.js: toolkit.telemetry.prompted - true
    FF - user.js: urlclassifier.keyupdatetime.hxxps://sb-ssl.google.com/safebrowsing/newkey - 1324395828
    FF - user.js: xpinstall.whitelist.add -
    FF - user.js: xpinstall.whitelist.add.103 -
    FF - user.js: xpinstall.whitelist.add.36 -
    FF - user.js: browser.startup.homepage - www.4Loot.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-DellSupportCenter - (no file)
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    SafeBoot-IMFservice
    MSConfigStartUp-Advanced SystemCare 5 - c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-04 15:11
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
    27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
    ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
    "{CA6319C0-31B7-401E-A518-A07C3DB8F777}"=hex:51,66,7a,6c,4c,1d,38,12,ae,1a,70,
    ce,85,7f,70,05,da,0e,e3,3c,38,e6,b3,63
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{32004B8A-44A9-43E7-84E9-808838809519}"=hex:51,66,7a,6c,4c,1d,38,12,e4,48,13,
    36,9b,0a,89,06,fb,ff,c3,c8,3d,de,d1,0d
    "{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
    fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
    "{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
    b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:ba,6e,ee,09,f0,99,cc,01
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,ac,4d,b2,b0,9e,6a,4e,9e,07,37,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,ac,4d,b2,b0,9e,6a,4e,9e,07,37,\
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (Administrator)
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,3b,1b,a1,de,0c,
    39,57,19,bf,59,81,17,5f,cc,20,e0,8d,54
    "{32004B8A-44A9-43E7-84E9-808838809519}"=hex:51,66,7a,6c,4c,1d,3b,1b,9a,57,14,
    28,9b,14,8c,0b,9e,e6,df,d4,3f,c5,d5,02
    "{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,3b,1b,21,82,11,
    e5,68,9c,45,06,a5,34,c9,b5,2e,93,15,18
    "{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,3b,1b,6f,c2,fe,
    a7,57,92,bb,59,a6,e2,5f,fc,ce,4f,f5,14
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,14,cb,
    02,9f,b8,e8,0a,bf,99,a5,0b,8b,6b,fd,d8
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,3b,1b,48,f1,4c,
    b0,ef,51,fa,05,99,3c,90,4c,50,31,33,ec
    "{CA6319C0-31B7-401E-A518-A07C3DB8F777}"=hex:51,66,7a,6c,4c,1d,3b,1b,d0,05,77,
    d0,85,61,75,08,bf,17,ff,20,3a,fd,b7,6c
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,3b,1b,54,1c,dc,
    c1,77,f4,30,0b,a6,7b,c3,79,c6,80,c8,b2
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,3b,1b,6f,60,16,
    ce,78,45,0d,08,bb,a2,1d,1f,df,57,34,5b
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (Administrator)
    "Timestamp"=hex:fe,46,4e,3e,9b,a1,cc,01
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,b1,f2,e9,91,39,02,4b,bc,fb,09,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,b1,f2,e9,91,39,02,4b,bc,fb,09,\
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.1033_1033_MTOC_WINWORD_COL\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\wordpad.exe"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.avi"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.CDA"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.contact\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="contact_wab_auto_file"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HxH\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\Winword.exe"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ini\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\Winword.exe"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.M3U"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.MHT"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.MHT"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MP3"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.PARTIAL"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.SVG"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.URL"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAV"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAX"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="IE.AssocFile.WEBSITE"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMA"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMD"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMS"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMV"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMZ"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WPL"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WVX"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(748)
    c:\windows\system32\psqlpwd.dll
    c:\program files\Fingerprint Reader Suite\homefus2.dll
    c:\program files\Fingerprint Reader Suite\infra.dll
    .
    - - - - - - - > 'Explorer.exe'(1808)
    c:\program files\Fingerprint Reader Suite\farchns.dll
    c:\program files\Fingerprint Reader Suite\infra.dll
    .
    Completion time: 2011-12-04 15:16:57
    ComboFix-quarantined-files.txt 2011-12-04 20:16
    .
    Pre-Run: 90,386,669,568 bytes free
    Post-Run: 90,321,354,752 bytes free
    .
    - - End Of File - - 14EBD6F94C91D7672A2E3C7869850152
     
  9. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    What is Ade?

    You didn't read my instructions carefully enough.
    Read "Note 3".
     
  10. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Combofix log looks good.

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Still having errors after OTL Such as clicking on some things such as manage user account and numerous other links will give the error cannot find %windir%\\system32\\rundll.exe....Other links will say can't find enviroment variable....Media player won't open and Can't install new one....Acess denied to some folders and files....Connect to network says connection status unknown, dependency service or group failed to start, but yet it lets me online......I can uninstall programs and the get re-installed...

    OTL logfile created on: 12/4/2011 10:28:44 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator.TMoss-PC\Desktop
    Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 0.91 Gb Available Physical Memory | 45.70% Memory free
    4.91 Gb Paging File | 3.86 Gb Available in Paging File | 78.50% Paging File free
    Paging file location(s): c:\pagefile.sys 3050 3750 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 136.47 Gb Total Space | 84.25 Gb Free Space | 61.73% Space Free | Partition Type: NTFS
    Drive D: | 10.00 Gb Total Space | 2.15 Gb Free Space | 21.45% Space Free | Partition Type: NTFS

    Computer Name: TMOSS-PC | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/12/04 21:10:57 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator.TMoss-PC\Desktop\OTL.exe
    PRC - [2011/11/28 13:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/11/05 01:53:18 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2011/10/04 13:04:56 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
    PRC - [2011/08/03 06:50:00 | 000,373,864 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    PRC - [2011/03/07 12:21:00 | 000,107,008 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
    PRC - [2010/10/27 19:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2007/09/07 03:51:00 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
    PRC - [2007/09/07 03:50:56 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/11/05 01:53:18 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
    MOD - [2011/08/03 02:31:28 | 000,255,592 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll
    MOD - [2011/07/09 10:30:57 | 006,271,648 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (stllssvr)
    SRV - File not found [Auto | Stopped] -- -- (seclogon)
    SRV - File not found [On_Demand | Stopped] -- -- (QWAVE)
    SRV - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2011/08/03 06:50:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2011/08/03 02:31:42 | 000,379,496 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2011/06/22 17:49:24 | 000,866,576 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV - [2011/06/22 17:30:38 | 000,481,552 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
    SRV - [2011/06/06 11:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2008/02/20 23:49:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2008/02/15 17:25:34 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\stacsv.exe -- (STacSV)
    SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/12/02 23:27:54 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
    SRV - [2007/03/21 14:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/11/28 12:52:07 | 000,055,128 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2011/10/04 13:40:45 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
    DRV - [2011/08/03 06:50:00 | 010,304,104 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2010/10/07 04:11:38 | 006,639,616 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwLv32.sys -- (NETwLv32) Intel(R)
    DRV - [2010/05/04 10:51:46 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2010/05/04 10:50:54 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2009/07/17 02:37:06 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
    DRV - [2008/02/15 17:27:02 | 000,330,752 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
    DRV - [2007/10/10 17:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
    DRV - [2007/09/07 03:50:54 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2007/09/07 01:35:46 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2007/09/07 01:35:44 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2007/09/07 01:35:42 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2007/08/13 04:44:26 | 002,226,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
    DRV - [2007/03/05 10:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
    DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========




    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-263534564-1765753400-3299622415-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.joinred.com/ [binary data]
    IE - HKU\S-1-5-21-263534564-1765753400-3299622415-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.4Loot.com
    IE - HKU\S-1-5-21-263534564-1765753400-3299622415-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "www.4Loot.com"

    FF - user.js..browser.startup.homepage: "www.4Loot.com"

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/12/04 12:23:09 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/25 16:17:51 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/28 15:28:45 | 000,000,000 | ---D | M]

    [2011/11/12 19:28:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\mozilla\Extensions
    [2011/11/30 17:37:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\mozilla\Firefox\Profiles\wplzfdlp.default\extensions
    [2011/11/18 10:45:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/11/18 10:45:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    File not found (No name found) -- C:\USERS\ADMINISTRATOR.TMOSS-PC\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\WPLZFDLP.DEFAULT\EXTENSIONS\TOOLBAR@ASK.COM
    [2011/11/05 01:53:18 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2009/11/06 11:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
    [2011/11/18 10:45:12 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2009/11/06 11:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    [2011/11/04 22:21:03 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
    [2011/11/04 22:21:03 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2011/12/04 15:11:36 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.dll (NVIDIA Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableCAD = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
    O7 - HKU\##aswSnx private storage\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-263534564-1765753400-3299622415-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-263534564-1765753400-3299622415-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-263534564-1765753400-3299622415-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O15 - HKU\S-1-5-21-263534564-1765753400-3299622415-500\..Trusted Ranges: GD ([http] in Local intranet)
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{34620C71-3B3E-47CC-B5C0-C467306FDF63}: DhcpNameServer = 192.168.0.1
    O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) -C:\Program Files\google\google desktop search\GoogleDesktopNetwork3.dll (Google)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) -C:\Windows\System32\vrlogon.dll (UPEK Inc.)
    O20 - Winlogon\Notify\psfus: DllName - (C:\Windows\system32\psqlpwd.dll) - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found
    NetSvcs: seclogon - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

    CREATERESTOREPOINT
    Error creating restore point.

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/12/04 21:10:56 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator.TMoss-PC\Desktop\OTL.exe
    [2011/12/04 15:36:03 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/12/04 15:14:18 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/12/04 14:56:10 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2011/12/04 14:54:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/12/04 14:54:22 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/12/04 14:54:22 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/12/04 14:45:00 | 004,327,310 | R--- | C] (Swearware) -- C:\Users\Administrator.TMoss-PC\Desktop\ComboFix.exe
    [2011/12/04 14:30:44 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\Administrator.TMoss-PC\Desktop\aswMBR.exe
    [2011/12/04 12:56:12 | 000,000,000 | ---D | C] -- C:\TEMP
    [2011/12/04 12:55:29 | 000,000,000 | ---D | C] -- C:\Windows\System32\_avast_
    [2011/12/04 12:23:18 | 000,314,456 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/12/04 12:23:18 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/12/04 12:23:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2011/12/04 12:23:17 | 000,435,032 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2011/12/04 12:23:17 | 000,055,128 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/12/04 12:23:17 | 000,052,952 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/12/04 12:23:17 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/12/04 12:23:08 | 000,199,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/12/04 12:23:08 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/12/04 12:22:51 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2011/12/04 12:22:51 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/12/02 23:18:26 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\KodakCredentialStore
    [2011/12/02 23:18:16 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\KodakGallery
    [2011/12/02 23:18:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Skinux
    [2011/12/02 14:58:48 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\Documents\My Print Creations
    [2011/12/02 10:05:02 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\New Folder
    [2011/12/01 00:18:23 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Apple
    [2011/12/01 00:06:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/12/01 00:06:13 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/12/01 00:06:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/11/30 23:59:30 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Malwarebytes
    [2011/11/30 22:01:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\HP
    [2011/11/29 19:56:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Creative
    [2011/11/29 14:17:07 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\Documents\Dell Webcam Center
    [2011/11/28 18:28:18 | 000,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
    [2011/11/25 15:51:45 | 000,000,000 | ---D | C] -- C:\Windows\System32\NtmsData
    [2011/11/25 12:37:19 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
    [2011/11/24 23:32:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
    [2011/11/21 04:05:26 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft Games
    [2011/11/21 03:31:26 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Documents\Scanned Documents
    [2011/11/21 03:31:25 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\Documents\Fax
    [2011/11/20 07:42:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\PeerNetworking
    [2011/11/20 07:16:23 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Adobe
    [2011/11/18 10:47:30 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\MediaDirect
    [2011/11/18 10:47:29 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\CyberLink
    [2011/11/18 09:19:28 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft Corporation
    [2011/11/18 06:04:25 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\Documents\OneNote Notebooks
    [2011/11/18 05:36:36 | 000,000,000 | --SD | C] -- C:\Users\Administrator.TMoss-PC\Documents\My Data Sources
    [2011/11/18 04:29:54 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Apple Computer
    [2011/11/18 02:37:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\Documents\Security
    [2011/11/16 09:48:29 | 000,000,000 | ---D | C] -- C:\Windows\pss
    [2011/11/16 09:09:23 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/11/16 08:55:57 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/11/16 04:24:45 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Macromedia
    [2011/11/12 19:29:07 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Adobe
    [2011/11/12 19:29:05 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Google
    [2011/11/12 19:28:53 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Mozilla
    [2011/11/12 19:28:52 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Mozilla
    [2011/11/12 19:04:28 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\Documents\My Google Gadgets
    [2011/11/12 19:03:28 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Google
    [2011/11/12 19:03:26 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\SupportSoft
    [2011/11/12 17:03:07 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\ArcSoft
    [2011/11/12 17:02:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\IObit
    [2011/11/12 17:02:31 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\ArcSoft
    [2011/11/12 17:02:17 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    [2011/11/12 17:02:17 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Searches
    [2011/11/12 17:02:17 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    [2011/11/12 17:00:57 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Identities
    [2011/11/12 17:00:56 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Contacts
    [2011/11/12 17:00:45 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Intel
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Temporary Internet Files
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Templates
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Start Menu
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\SendTo
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Recent
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\PrintHood
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\NetHood
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Documents\My Videos
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Documents\My Pictures
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Documents\My Music
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\My Documents
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Local Settings
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\History
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Cookies
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\Application Data
    [2011/11/12 17:00:40 | 000,000,000 | -HSD | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Application Data
    [2011/11/12 17:00:38 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    [2011/11/12 17:00:38 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Temp
    [2011/11/12 17:00:38 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft Help
    [2011/11/12 17:00:38 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft
    [2011/11/12 17:00:38 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Media Center Programs
    [2011/11/12 17:00:37 | 000,000,000 | --SD | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Videos
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Saved Games
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Pictures
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Music
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Links
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Favorites
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Downloads
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Documents
    [2011/11/12 17:00:37 | 000,000,000 | R--D | C] -- C:\Users\Administrator.TMoss-PC\Desktop
    [2011/11/12 17:00:37 | 000,000,000 | -H-D | C] -- C:\Users\Administrator.TMoss-PC\AppData
    [2011/11/12 17:00:37 | 000,000,000 | ---D | C] -- C:\Users\Administrator.TMoss-PC\Roaming
    [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/12/04 21:18:22 | 001,469,958 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/12/04 21:18:22 | 000,405,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/12/04 21:13:51 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/12/04 21:13:51 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/12/04 21:13:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/12/04 21:13:42 | 2145,452,032 | -HS- | M] () -- C:\hiberfil.sys
    [2011/12/04 21:10:57 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator.TMoss-PC\Desktop\OTL.exe
    [2011/12/04 15:46:49 | 001,008,114 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\Desktop\rkill.scr
    [2011/12/04 15:43:42 | 001,008,114 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\Desktop\rkill.com
    [2011/12/04 15:11:36 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/12/04 14:45:03 | 004,327,310 | R--- | M] (Swearware) -- C:\Users\Administrator.TMoss-PC\Desktop\ComboFix.exe
    [2011/12/04 14:39:31 | 000,000,512 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\Desktop\MBR.dat
    [2011/12/04 14:30:46 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\Administrator.TMoss-PC\Desktop\aswMBR.exe
    [2011/12/04 13:00:21 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2011/12/04 12:48:40 | 000,000,680 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\AppData\Local\d3d9caps.dat
    [2011/12/04 12:23:18 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/12/02 21:09:05 | 000,024,206 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\UserTile.png
    [2011/12/02 20:56:07 | 000,000,000 | -H-- | M] () -- C:\Users\Administrator.TMoss-PC\Documents\Default.rdp
    [2011/12/02 12:12:24 | 000,027,648 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/12/02 11:07:25 | 000,001,113 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    [2011/12/01 23:40:36 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2011/12/01 23:40:36 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/12/01 00:06:17 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/29 19:39:39 | 000,100,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2011/11/28 13:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/11/28 13:01:23 | 000,199,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/11/28 12:52:07 | 000,055,128 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/11/27 13:42:01 | 000,004,267 | ---- | M] () -- C:\WirelessDiagLog.csv
    [2011/11/24 23:15:46 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2011/11/23 12:24:41 | 000,000,290 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{CEB27D76-DC5F-4C92-96A8-72AEA390B0B6}.job
    [2011/11/23 12:15:48 | 000,081,920 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\Desktop\AutoRecovery save of MS.WINWORD.12.1033_1033_MTOC_WINWORD_COL
    [2011/11/22 22:45:06 | 000,000,000 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\Desktop\Take meeting notes in OneNote.wma
    [2011/11/18 23:22:51 | 000,010,113 | ---- | M] () -- C:\[Book1]MICROSOFT_Please_Read_Now
    [2011/11/18 23:16:46 | 000,010,113 | ---- | M] () -- C:\Windows\System32\[Book1]MICROSOFT_Please_Read_Now
    [2011/11/16 07:30:21 | 000,001,315 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\Desktop\!Safe_WinVista_Ultimate_SP2_32_Start_v200.zip
    [2011/11/15 20:48:47 | 000,070,656 | ---- | M] () -- C:\Windows\System32\umstartup.etl
    [2011/11/15 15:55:47 | 000,030,720 | ---- | M] () -- C:\Windows\System32\umstartup000.etl
    [2011/11/12 19:40:56 | 000,000,872 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/11/12 19:40:56 | 000,000,848 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2011/11/12 19:29:02 | 000,000,945 | ---- | M] () -- C:\Users\Administrator.TMoss-PC\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/11/12 19:28:54 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
    [2011/11/10 03:56:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/11/10 01:56:54 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/12/04 21:13:42 | 2145,452,032 | -HS- | C] () -- C:\hiberfil.sys
    [2011/12/04 15:46:49 | 001,008,114 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Desktop\rkill.scr
    [2011/12/04 15:43:41 | 001,008,114 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Desktop\rkill.com
    [2011/12/04 14:54:23 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/12/04 14:54:22 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/12/04 14:54:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/12/04 14:54:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/12/04 14:54:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/12/04 14:39:31 | 000,000,512 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Desktop\MBR.dat
    [2011/12/04 12:23:18 | 000,001,831 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/12/02 20:56:07 | 000,000,000 | -H-- | C] () -- C:\Users\Administrator.TMoss-PC\Documents\Default.rdp
    [2011/12/02 11:07:25 | 000,001,113 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    [2011/12/01 23:40:36 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
    [2011/12/01 23:40:36 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
    [2011/12/01 00:06:17 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/23 12:24:41 | 000,000,290 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{CEB27D76-DC5F-4C92-96A8-72AEA390B0B6}.job
    [2011/11/23 12:15:47 | 000,081,920 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Desktop\AutoRecovery save of MS.WINWORD.12.1033_1033_MTOC_WINWORD_COL
    [2011/11/22 22:45:06 | 000,000,000 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Desktop\Take meeting notes in OneNote.wma
    [2011/11/22 11:21:18 | 000,020,312 | ---- | C] () -- C:\Windows\System32\RegistryDefragBootTime.exe
    [2011/11/20 07:42:52 | 000,024,206 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\UserTile.png
    [2011/11/18 23:22:51 | 000,010,113 | ---- | C] () -- C:\[Book1]MICROSOFT_Please_Read_Now
    [2011/11/18 23:14:23 | 000,010,113 | ---- | C] () -- C:\Windows\System32\[Book1]MICROSOFT_Please_Read_Now
    [2011/11/16 07:30:21 | 000,001,315 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Desktop\!Safe_WinVista_Ultimate_SP2_32_Start_v200.zip
    [2011/11/16 07:28:38 | 000,000,680 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\AppData\Local\d3d9caps.dat
    [2011/11/14 12:22:08 | 000,027,648 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/11/12 19:40:56 | 000,000,872 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/11/12 19:29:02 | 000,000,945 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/11/12 19:28:54 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2011/11/12 17:02:19 | 000,000,951 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    [2011/11/12 17:02:16 | 000,000,946 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
    [2011/11/12 17:00:55 | 000,000,917 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
    [2011/11/12 17:00:39 | 000,000,258 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
    [2011/11/12 17:00:39 | 000,000,240 | ---- | C] () -- C:\Users\Administrator.TMoss-PC\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
    [2011/11/05 12:32:22 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
    [2011/11/03 00:28:50 | 000,000,648 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2011/08/03 02:31:54 | 000,311,912 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
    [2009/10/20 19:58:08 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/10/20 19:58:08 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2009/10/20 19:57:03 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2009/04/27 02:01:13 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2009/04/22 23:26:32 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
    [2009/04/08 20:27:39 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
    [2008/02/21 07:12:33 | 000,167,936 | ---- | C] () -- C:\Windows\System32\nvccoin.dll
    [2008/02/21 07:12:32 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
    [2008/02/20 23:46:59 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
    [2006/11/09 15:01:13 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
    [2006/11/02 07:55:52 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 07:46:27 | 000,100,440 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 07:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 05:33:01 | 001,469,958 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 05:33:01 | 000,405,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
    [2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/11/29 19:44:07 | 000,000,000 | ---D | M] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\IObit
    [2011/11/20 07:42:51 | 000,000,000 | ---D | M] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\PeerNetworking
    [2011/12/02 23:18:13 | 000,000,000 | ---D | M] -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Skinux
    [2011/11/10 11:43:05 | 000,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\IObit
    [2011/11/16 23:36:16 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\Auslogics
    [2011/11/17 11:03:15 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\DataSafeOnline
    [2011/11/30 22:57:58 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\IObit
    [2009/04/08 20:24:32 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\iolo
    [2011/11/07 08:02:43 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\PeerNetworking
    [2011/03/11 11:22:09 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\Skinux
    [2011/11/03 03:28:15 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\SystemRequirementsLab
    [2011/08/08 17:01:48 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\TomTom
    [2011/11/03 00:06:57 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\URSoft
    [2011/11/15 16:50:22 | 000,000,000 | ---D | M] -- C:\Users\TMoss\AppData\Roaming\uTorrent
    [2011/11/10 04:20:27 | 000,032,550 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2011/11/23 12:24:41 | 000,000,290 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{CEB27D76-DC5F-4C92-96A8-72AEA390B0B6}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < >

    < >

    < %SYSTEMDRIVE%\*.* >
    [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2009/04/08 19:36:48 | 000,035,637 | ---- | M] () -- C:\caavsetupLog.txt
    [2011/03/08 11:13:11 | 000,089,410 | ---- | M] () -- C:\caisslog.txt
    [2011/12/04 15:16:58 | 000,039,972 | ---- | M] () -- C:\ComboFix.txt
    [2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2008/02/21 07:12:45 | 000,004,878 | RH-- | M] () -- C:\dell.sdr
    [2011/11/18 03:48:49 | 000,000,057 | -HS- | M] () -- C:\desktop.ini
    [2011/11/25 16:29:20 | 000,072,724 | ---- | M] () -- C:\Hardware.txt
    [2011/12/04 21:13:42 | 2145,452,032 | -HS- | M] () -- C:\hiberfil.sys
    [2011/12/01 23:40:36 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/12/01 23:40:36 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2011/12/04 21:13:41 | 3198,156,800 | -HS- | M] () -- C:\pagefile.sys
    [2011/12/04 15:51:55 | 000,000,366 | ---- | M] () -- C:\rkill.log
    [2011/11/27 13:42:01 | 000,004,267 | ---- | M] () -- C:\WirelessDiagLog.csv
    [2011/11/18 23:22:51 | 000,010,113 | ---- | M] () -- C:\[Book1]MICROSOFT_Please_Read_Now
     
  12. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    OTL Continued

    < %systemroot%\Fonts\*.com >
    [2006/11/02 07:35:26 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 07:35:26 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 07:35:26 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2011/03/03 23:45:22 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 16:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/11/02 07:34:09 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll
    [2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\msonpppr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/11/28 13:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/04/25 13:14:04 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2011/10/04 13:40:32 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2011/10/04 13:40:32 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2011/10/04 13:40:32 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2011/10/04 13:40:33 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2011/10/04 13:40:33 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >
    [2011/11/18 06:28:01 | 000,000,000 | ---- | M] () -- C:\Windows\system32\config\systemprofile\FXSAPIDebugLogFile.txt
    [2011/11/18 06:28:01 | 000,000,000 | ---- | M] () -- C:\Windows\system32\config\systemprofile\FXSTIFFDebugLogFile.txt
    [2011/11/14 12:25:35 | 000,004,313 | ---- | M] () -- C:\Windows\system32\config\systemprofile\GoogleToolbarInstaller1.log
    [2011/11/12 19:29:26 | 000,000,460 | ---- | M] () -- C:\Windows\system32\config\systemprofile\GoogleToolbarInstaller2.log
    [2011/11/24 23:13:05 | 000,161,348 | ---- | M] () -- C:\Windows\system32\config\systemprofile\MpCmdRun.log
    [2011/11/15 20:48:44 | 000,000,462 | ---- | M] () -- C:\Windows\system32\config\systemprofile\WERADCF.tmp.version.txt
    [2011/11/15 20:48:44 | 000,018,558 | ---- | M] () -- C:\Windows\system32\config\systemprofile\WERADD0.tmp.appcompat.txt
    [2011/11/15 20:48:44 | 000,000,000 | ---- | M] () -- C:\Windows\system32\config\systemprofile\WERAFB4.tmp.hdmp
    [3 C:\Windows\system32\config\systemprofile\*.tmp files -> C:\Windows\system32\config\systemprofile\*.tmp -> ]

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/11/12 19:29:02 | 000,000,221 | -HS- | M] () -- C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/12/04 14:30:46 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\Administrator.TMoss-PC\Desktop\aswMBR.exe
    [2011/12/04 14:45:03 | 004,327,310 | R--- | M] (Swearware) -- C:\Users\Administrator.TMoss-PC\Desktop\ComboFix.exe
    [2011/12/04 21:10:57 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator.TMoss-PC\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2006/11/02 07:33:56 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/11/12 17:02:17 | 000,000,402 | -HS- | M] () -- C:\Users\Administrator.TMoss-PC\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/11/03 00:28:50 | 000,000,648 | RHS- | M] () -- C:\ProgramData\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:1CE11B51

    < End of report >
    ___________________________________________________________________________


    OTL Extras logfile created on: 12/4/2011 10:28:44 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator.TMoss-PC\Desktop
    Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 0.91 Gb Available Physical Memory | 45.70% Memory free
    4.91 Gb Paging File | 3.86 Gb Available in Paging File | 78.50% Paging File free
    Paging file location(s): c:\pagefile.sys 3050 3750 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 136.47 Gb Total Space | 84.25 Gb Free Space | 61.73% Space Free | Partition Type: NTFS
    Drive D: | 10.00 Gb Total Space | 2.15 Gb Free Space | 21.45% Space Free | Partition Type: NTFS

    Computer Name: TMOSS-PC | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-263534564-1765753400-3299622415-500\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{08561B8D-FB9F-44E6-88C4-C2941660DDF6}" = lport=445 | protocol=6 | dir=in | app=system |
    "{09EFCF07-598C-46AB-91FA-A3E121B3DC0F}" = lport=138 | protocol=17 | dir=in | app=system |
    "{0ED4FDD9-20F3-45CB-8EF4-20608D6C6C2C}" = rport=445 | protocol=6 | dir=out | app=system |
    "{3C1E2EF6-B8C8-4402-B53A-7A0FF55E68BF}" = lport=137 | protocol=17 | dir=in | app=system |
    "{600EF06B-75A9-493F-BCF5-D9C5A60022E8}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{8A957DDE-C6FC-4494-9F39-41E6757E16DB}" = rport=137 | protocol=17 | dir=out | app=system |
    "{8BE39C49-9786-4CE6-BCE7-614907CFE94A}" = rport=139 | protocol=6 | dir=out | app=system |
    "{A75B0B95-5D99-4E7D-8F1E-FE3CD128BABD}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{BF474C9E-5762-4290-8B71-4D5898A81506}" = rport=138 | protocol=17 | dir=out | app=system |
    "{FC0D1BE2-C533-4DD4-9431-82DB98513D0A}" = lport=139 | protocol=6 | dir=in | app=system |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{178E7EF4-CAB5-497E-AFEA-2D0CE28E4713}" = protocol=17 | dir=in | app=c:\program files\avast software\avast\avastui.exe |
    "{2D26D067-29EA-494A-A3F7-09B5F395E7FF}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{3C1E7513-B1F5-4F8C-8F53-56A0E64F8B27}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{8845AD43-1C64-43CE-8C73-A6ED7B955737}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{E4B36607-D961-499A-A79D-2D556FE42BB2}" = protocol=6 | dir=in | app=c:\program files\avast software\avast\avastui.exe |
    "{EF7C65D8-85A5-404C-8797-10FEFD95D0AD}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
    "{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29
    "{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
    "{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3FE3D6A5-2F5E-4870-A3AC-D1D88E0B2797}" = Intel(R) PROSet/Wireless WiFi Software
    "{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
    "{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{51ED885E-78EC-4DBF-81E1-F7EF47174B5A}" = HP Deskjet 1000 J110 series Basic Device Software
    "{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
    "{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
    "{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
    "{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
    "{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
    "{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
    "{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
    "{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
    "{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
    "{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
    "{9A5909B3-8CF3-4E06-92A8-F3CB7C97EF20}" = KODAK Share Button App
    "{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
    "{A2289997-10A3-48F2-AA03-99180D761661}" = Fingerprint Reader Suite 5.6
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
    "{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
    "{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
    "{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
    "{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 280.26
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 280.26
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 280.26
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 280.19
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.4.28
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
    "{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
    "{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
    "{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet
    "{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
    "{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
    "{CD41B576-4787-4D5C-95EE-24A4ABD89CD3}" = System Requirements Lab for Intel
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
    "{D7769185-9A7C-48D4-8874-5388743A1DE2}" = Music, Photos & Videos Launcher
    "{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
    "{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    "{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
    "{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
    "{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
    "3D970B9F930E7AAE23C06D39A1AC98548C90B442" = Windows Driver Package - Eastman Kodak KODAK Digital Camera (01/29/2010 1.4.1.0)
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "Advanced Audio FX Engine" = Advanced Audio FX Engine
    "Advanced Video FX Engine" = Advanced Video FX Engine
    "avast" = avast! Free Antivirus
    "CCleaner" = CCleaner
    "Dell Webcam Center" = Dell Webcam Center
    "Dell Webcam Manager" = Dell Webcam Manager
    "Google Desktop" = Google Desktop
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
    "NVIDIA StereoUSB Driver" = NVIDIA 3D Vision Controller Driver
    "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
    "ProInst" = Intel PROSet Wireless

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = EventSystem | ID = 4609
    Description =

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = VSS | ID = 19
    Description = Volume Shadow Copy Service error: The EventSystem service is disabled
    or is attempting to start during Safe Mode. The Volume Shadow Copy service cannot
    start while in safe mode. If not in safe mode, make sure that EventSystem service
    is enabled. CLSID:{4e14fba2-2e22-11d1-9964-00c04fbbb345} Name:CEventSystem [0x80040206]


    Operation:

    Subscribing Writer Context: Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}

    Writer Name: ASR Writer Writer Instance ID: {863d3e35-6a5b-40d7-ab40-f2293ff44f26}

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x80040206. Operation: Subscribing Writer Context: Writer
    Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4} Writer Name: ASR Writer Writer
    Instance ID: {863d3e35-6a5b-40d7-ab40-f2293ff44f26}

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = EventSystem | ID = 4609
    Description =

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = VSS | ID = 19
    Description = Volume Shadow Copy Service error: The EventSystem service is disabled
    or is attempting to start during Safe Mode. The Volume Shadow Copy service cannot
    start while in safe mode. If not in safe mode, make sure that EventSystem service
    is enabled. CLSID:{4e14fba2-2e22-11d1-9964-00c04fbbb345} Name:CEventSystem [0x80040206]


    Operation:

    Subscribing Writer Context: Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}

    Writer Name: Shadow Copy Optimization Writer Writer Instance ID: {514bc427-cb5e-4128-818e-65e4f3819550}

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x80040206. Operation: Subscribing Writer Context: Writer
    Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f} Writer Name: Shadow Copy Optimization
    Writer Writer Instance ID: {514bc427-cb5e-4128-818e-65e4f3819550}

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = EventSystem | ID = 4609
    Description =

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = VSS | ID = 34
    Description = Volume Shadow Copy Service error: The VSS event class is not registered.
    This will prevent any VSS writers from receiving events. This may be caused due
    to a setup failure or as a result of an application's installer or uninstaller.


    Operation:

    Gathering Writer Data Executing Asynchronous Operation Context: Execution
    Context: Requestor Current State: GatherWriterMetadata

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x80040154. Operation: Gathering Writer Data Executing
    Asynchronous Operation Context: Execution Context: Requestor Current State:
    GatherWriterMetadata

    Error - 12/4/2011 11:32:00 PM | Computer Name = TMoss-PC | Source = System Restore | ID = 8193
    Description = Failed to create restore point on volume (Process = C:\Windows\system32\wbem\wmiprvse.exe;
    Descripton = OTL Restore Point - 12/4/2011 10:32:00 PM; Hr = 0x8000ffff).

    [ Media Center Events ]
    Error - 11/21/2011 5:18:14 AM | Computer Name = TMoss-PC | Source = ehSched | ID = 5
    Description = CResourceMgr::GetEhepgdat Error GetEhepgdatDispatcher 0x80040154

    Error - 12/3/2011 12:26:24 AM | Computer Name = TMoss-PC | Source = ehSched | ID = 5
    Description = CResourceMgr::GetEhepgdat Error GetEhepgdatDispatcher 0x80040154

    Error - 12/3/2011 12:26:25 AM | Computer Name = TMoss-PC | Source = ehSched | ID = 5
    Description = CResourceMgr::GetEhepgdat Error GetEhepgdatDispatcher 0x80131534

    [ System Events ]
    Error - 12/4/2011 11:37:25 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 12/4/2011 11:37:25 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7001
    Description =

    Error - 12/4/2011 11:37:55 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 12/4/2011 11:37:55 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7001
    Description =

    Error - 12/4/2011 11:38:25 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 12/4/2011 11:38:25 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7001
    Description =

    Error - 12/4/2011 11:38:55 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 12/4/2011 11:38:55 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7001
    Description =

    Error - 12/4/2011 11:39:25 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 12/4/2011 11:39:25 PM | Computer Name = TMoss-PC | Source = Service Control Manager | ID = 7001
    Description =


    < End of report >
     
  13. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Check "Include All Files" option.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    ==============================================================

    Please download MiniToolBox and run it.

    Checkmark following boxes:
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    Click Go and post the result.

    ===========================================================

    Lets run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.
     
  14. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Farbar Service Scanner
    Ran by Administrator (administrator) on 04-12-2011 at 23:59:53
    Windows Vista (TM) Ultimate Service Pack 2 (X86)
    ********************************************************

    Service Check:
    ==============

    File Check:
    ===========
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys
    [2011-11-09 00:26] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

    C:\Windows\system32\dnsrslvr.dll => MD5 is legit

    Connection Status:
    ==================
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.

    **** End of log ****

    ________________________________________________________________________________

    MiniToolBox by Farbar
    Ran by Administrator (administrator) on 05-12-2011 at 00:04:05
    Windows Vista (TM) Ultimate Service Pack 2 (X86)

    ***************************************************************************

    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= FF Proxy Settings: ==============================


    "Reset FF Proxy Settings": Firefox Proxy settings were reset.

    ========================= Hosts content: =================================

    127.0.0.1 localhost

    ========================= IP Configuration: ================================



    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4

    reset
    set global
    set interface interface="Local Area Connection" forwarding=disabled advertise=disabled mtu=575 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
    set interface interface="NETGEAR" forwarding=disabled advertise=disabled mtu=861 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled


    popd
    # End of IPv4 configuration



    Windows IP Configuration

    Host Name . . . . . . . . . . . . : TMoss-PC
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    System Quarantine State . . . . . : Not Restricted


    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
    Physical Address. . . . . . . . . : 00-15-C5-86-7E-59
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter NETGEAR:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
    Physical Address. . . . . . . . . : 00-1D-E0-73-9E-A3
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::85b7:55db:6f57:1b8f%10(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Sunday, December 04, 2011 9:14:02 PM
    Lease Expires . . . . . . . . . . : Monday, December 05, 2011 9:14:01 PM
    Default Gateway . . . . . . . . . : 192.168.0.1
    DHCP Server . . . . . . . . . . . : 192.168.0.1
    DHCPv6 IAID . . . . . . . . . . . : 167779808
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-4E-B3-F6-00-15-C5-86-7E-59
    DNS Servers . . . . . . . . . . . : 192.168.0.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : isatap.{205DD987-4F01-45E4-B2B2-CC7BC0A6FAF4}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : isatap.{34620C71-3B3E-47CC-B5C0-C467306FDF63}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Server: UnKnown
    Address: 192.168.0.1

    Name: google.com
    Addresses: 74.125.159.104
    74.125.159.106
    74.125.159.99
    74.125.159.103
    74.125.159.147
    74.125.159.105



    Pinging google.com [74.125.159.105] with 32 bytes of data:

    Reply from 74.125.159.105: bytes=32 time=28ms TTL=52

    Reply from 74.125.159.105: bytes=32 time=29ms TTL=52



    Ping statistics for 74.125.159.105:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 28ms, Maximum = 29ms, Average = 28ms

    Server: UnKnown
    Address: 192.168.0.1

    Name: yahoo.com
    Addresses: 98.139.180.149
    209.191.122.70
    72.30.2.43
    98.137.149.56



    Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

    Reply from 98.137.149.56: bytes=32 time=111ms TTL=47

    Reply from 98.137.149.56: bytes=32 time=144ms TTL=47



    Ping statistics for 98.137.149.56:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 111ms, Maximum = 144ms, Average = 127ms

    Server: UnKnown
    Address: 192.168.0.1

    Name: bleepingcomputer.com
    Address: 208.43.87.2



    Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

    Reply from 208.43.87.2: Destination host unreachable.

    Reply from 208.43.87.2: Destination host unreachable.



    Ping statistics for 208.43.87.2:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),



    Pinging 127.0.0.1 with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



    Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ===========================================================================
    Interface List
    9 ...00 15 c5 86 7e 59 ...... Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
    10 ...00 1d e0 73 9e a3 ...... Intel(R) Wireless WiFi Link 4965AGN
    1 ........................... Software Loopback Interface 1
    8 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
    13 ...00 00 00 00 00 00 00 e0 isatap.{205DD987-4F01-45E4-B2B2-CC7BC0A6FAF4}
    14 ...00 00 00 00 00 00 00 e0 isatap.{34620C71-3B3E-47CC-B5C0-C467306FDF63}
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.2 25
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    192.168.0.0 255.255.255.0 On-link 192.168.0.2 281
    192.168.0.2 255.255.255.255 On-link 192.168.0.2 281
    192.168.0.255 255.255.255.255 On-link 192.168.0.2 281
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 192.168.0.2 281
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 192.168.0.2 281
    ===========================================================================
    Persistent Routes:
    None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    1 306 ::1/128 On-link
    10 281 fe80::/64 On-link
    10 281 fe80::85b7:55db:6f57:1b8f/128
    On-link
    1 306 ff00::/8 On-link
    10 281 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None
    ========================= Winsock entries =====================================

    Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
    Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
    Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
    Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
    Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
    Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
    Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (12/04/2011 10:32:00 PM) (Source: System Restore) (User: )
    Description: Failed to create restore point on volume (Process = C:\Windows\system32\wbem\wmiprvse.exe; Descripton = OTL Restore Point - 12/4/2011 10:32:00 PM; Hr = 0x8000ffff).

    Error: (12/04/2011 10:32:00 PM) (Source: VSS) (User: )
    Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040154.


    Operation:
    Gathering Writer Data
    Executing Asynchronous Operation

    Context:
    Execution Context: Requestor
    Current State: GatherWriterMetadata

    Error: (12/04/2011 10:32:00 PM) (Source: VSS) (User: )
    Description: Volume Shadow Copy Service error: The VSS event class is not registered. This will prevent any
    VSS writers from receiving events. This may be caused due to a setup failure or as a result of an
    application's installer or uninstaller.


    Operation:
    Gathering Writer Data
    Executing Asynchronous Operation

    Context:
    Execution Context: Requestor
    Current State: GatherWriterMetadata

    Error: (12/04/2011 10:32:00 PM) (Source: EventSystem) (User: )
    Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp4580070437

    Error: (12/04/2011 10:32:00 PM) (Source: VSS) (User: )
    Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.


    Operation:
    Subscribing Writer

    Context:
    Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
    Writer Name: Shadow Copy Optimization Writer
    Writer Instance ID: {514bc427-cb5e-4128-818e-65e4f3819550}

    Error: (12/04/2011 10:32:00 PM) (Source: VSS) (User: )
    Description: Volume Shadow Copy Service error: The EventSystem service is disabled or is attempting to start during Safe Mode.
    The Volume Shadow Copy service cannot start while in safe mode.
    If not in safe mode, make sure that EventSystem service is enabled.
    CLSID:{4e14fba2-2e22-11d1-9964-00c04fbbb345} Name:CEventSystem [0x80040206]


    Operation:
    Subscribing Writer

    Context:
    Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
    Writer Name: Shadow Copy Optimization Writer
    Writer Instance ID: {514bc427-cb5e-4128-818e-65e4f3819550}

    Error: (12/04/2011 10:32:00 PM) (Source: EventSystem) (User: )
    Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp4580070437

    Error: (12/04/2011 10:32:00 PM) (Source: VSS) (User: )
    Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.


    Operation:
    Subscribing Writer

    Context:
    Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
    Writer Name: ASR Writer
    Writer Instance ID: {863d3e35-6a5b-40d7-ab40-f2293ff44f26}

    Error: (12/04/2011 10:32:00 PM) (Source: VSS) (User: )
    Description: Volume Shadow Copy Service error: The EventSystem service is disabled or is attempting to start during Safe Mode.
    The Volume Shadow Copy service cannot start while in safe mode.
    If not in safe mode, make sure that EventSystem service is enabled.
    CLSID:{4e14fba2-2e22-11d1-9964-00c04fbbb345} Name:CEventSystem [0x80040206]


    Operation:
    Subscribing Writer

    Context:
    Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
    Writer Name: ASR Writer
    Writer Instance ID: {863d3e35-6a5b-40d7-ab40-f2293ff44f26}

    Error: (12/04/2011 10:32:00 PM) (Source: EventSystem) (User: )
    Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp4580070437


    System errors:
    =============
    Error: (12/05/2011 00:04:12 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:11 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:11 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:10 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:10 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:09 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:09 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:08 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:08 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079

    Error: (12/05/2011 00:04:07 AM) (Source: Service Control Manager) (User: )
    Description: Network Connections%%1079


    Microsoft Office Sessions:
    =========================

    **** End of log ****
    __________________________________________________________________________________-
     
  15. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Junction

    What do you think is going on here...


    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    .\\?\c:\\ProgramData\Application Data: JUNCTION
    Print Name : C:\ProgramData
    Substitute Name: C:\ProgramData

    \\?\c:\\ProgramData\Desktop: JUNCTION
    Print Name : C:\Users\Public\Desktop
    Substitute Name: C:\Users\Public\Desktop

    \\?\c:\\ProgramData\Documents: JUNCTION
    Print Name : C:\Users\Public\Documents
    Substitute Name: C:\Users\Public\Documents

    \\?\c:\\ProgramData\Favorites: JUNCTION
    Print Name : C:\Users\Public\Favorites
    Substitute Name: C:\Users\Public\Favorites

    \\?\c:\\ProgramData\Start Menu: JUNCTION
    Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
    Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

    \\?\c:\\ProgramData\Templates: JUNCTION
    Print Name : C:\ProgramData\Microsoft\Windows\Templates
    Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

    .
    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\07f3d2b5f37a91d9f84076cee386f8bd_7bdb6517-028f-4c07-8a83-19fb585d6dc1: Access is denied.



    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3d9b0622dfb157085bce3c0127fb4860_7bdb6517-028f-4c07-8a83-19fb585d6dc1: Access is denied.



    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\77d2c16eaff4a61ce742900f488898ce_7bdb6517-028f-4c07-8a83-19fb585d6dc1: Access is denied.



    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_7bdb6517-028f-4c07-8a83-19fb585d6dc1: Access is denied.


    .


    Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{039d2d60-111f-11e1-8342-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{33dd6e32-19fc-11e1-aed9-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{4d22f30b-1783-11e1-b03d-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{4d22f310-1783-11e1-b03d-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b8e5-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b9c1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b9c9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b9d1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b9d9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b9e1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b9e9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b9f1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945b9fd-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba05-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba0d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba15-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba1d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba25-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba2d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba35-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba3d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba45-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba4d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba55-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba5d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba65-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945ba7f-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945bb89-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945bba2-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945bbd7-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{6945bbde-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{cec21ff6-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{cec21ffe-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{cec22018-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{eb28177d-17a1-11e1-856e-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\{eb28178b-17a1-11e1-856e-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



    Failed to open \\?\c:\\System Volume Information\SystemRestore\System Volume Information: Access is denied.


    \\?\c:\\Users\All Users: SYMBOLIC LINK
    Print Name : C:\ProgramData
    Substitute Name: \??\C:\ProgramData

    \\?\c:\\Users\Default User: JUNCTION
    Print Name : C:\Users\Default
    Substitute Name: C:\Users\Default

    \\?\c:\\Users\Administrator.TMoss-PC\Application Data: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Roaming
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Roaming

    \\?\c:\\Users\Administrator.TMoss-PC\Cookies: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Cookies
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Cookies

    \\?\c:\\Users\Administrator.TMoss-PC\Local Settings: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Local
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Local

    \\?\c:\\Users\Administrator.TMoss-PC\My Documents: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\Documents
    Substitute Name: C:\Users\Administrator.TMoss-PC\Documents

    \\?\c:\\Users\Administrator.TMoss-PC\NetHood: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    \\?\c:\\Users\Administrator.TMoss-PC\PrintHood: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    \\?\c:\\Users\Administrator.TMoss-PC\Recent: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Recent
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Recent

    \\?\c:\\Users\Administrator.TMoss-PC\SendTo: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\SendTo
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\SendTo

    \\?\c:\\Users\Administrator.TMoss-PC\Start Menu: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu

    \\?\c:\\Users\Administrator.TMoss-PC\Templates: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Templates
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Roaming\Microsoft\Windows\Templates

    \\?\c:\\Users\Administrator.TMoss-PC\AppData\Local\Application Data: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Local
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Local

    \\?\c:\\Users\Administrator.TMoss-PC\AppData\Local\History: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows\History
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows\History

    \\?\c:\\Users\Administrator.TMoss-PC\AppData\Local\Temporary Internet Files: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Substitute Name: C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files

    ...\\?\c:\\Users\Administrator.TMoss-PC\Documents\My Music: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\Music
    Substitute Name: C:\Users\Administrator.TMoss-PC\Music

    \\?\c:\\Users\Administrator.TMoss-PC\Documents\My Pictures: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\Pictures
    Substitute Name: C:\Users\Administrator.TMoss-PC\Pictures

    \\?\c:\\Users\Administrator.TMoss-PC\Documents\My Videos: JUNCTION
    Print Name : C:\Users\Administrator.TMoss-PC\Videos
    Substitute Name: C:\Users\Administrator.TMoss-PC\Videos

    \\?\c:\\Users\All Users\Application Data: JUNCTION
    Print Name : C:\ProgramData
    Substitute Name: C:\ProgramData

    \\?\c:\\Users\All Users\Desktop: JUNCTION
    Print Name : C:\Users\Public\Desktop
    Substitute Name: C:\Users\Public\Desktop

    \\?\c:\\Users\All Users\Documents: JUNCTION
    Print Name : C:\Users\Public\Documents
    Substitute Name: C:\Users\Public\Documents

    \\?\c:\\Users\All Users\Favorites: JUNCTION
    Print Name : C:\Users\Public\Favorites
    Substitute Name: C:\Users\Public\Favorites

    \\?\c:\\Users\All Users\Start Menu: JUNCTION
    Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
    Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

    \\?\c:\\Users\All Users\Templates: JUNCTION
    Print Name : C:\ProgramData\Microsoft\Windows\Templates
    Substitute Name: C:\ProgramData\Microsoft\Windows\Templates




    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\07f3d2b5f37a91d9f84076cee386f8bd_7bdb6517-028f-4c07-8a83-19fb585d6dc1: Access is denied.



    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\3d9b0622dfb157085bce3c0127fb4860_7bdb6517-028f-4c07-8a83-19fb585d6dc1: Access is denied.



    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\77d2c16eaff4a61ce742900f488898ce_7bdb6517-028f-4c07-8a83-19fb585d6dc1: Access is denied.



    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_7bdb6517-028f-4c07-8a83-19fb585d6dc1: Access is denied.


    ..\\?\c:\\Users\Default\Application Data: JUNCTION
    Print Name : C:\Users\Default\AppData\Roaming
    Substitute Name: C:\Users\Default\AppData\Roaming

    \\?\c:\\Users\Default\Local Settings: JUNCTION
    Print Name : C:\Users\Default\AppData\Local
    Substitute Name: C:\Users\Default\AppData\Local

    \\?\c:\\Users\Default\My Documents: JUNCTION
    Print Name : C:\Users\Default\Documents
    Substitute Name: C:\Users\Default\Documents

    \\?\c:\\Users\Default\NetHood: JUNCTION
    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    \\?\c:\\Users\Default\PrintHood: JUNCTION
    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    \\?\c:\\Users\Default\Recent: JUNCTION
    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

    \\?\c:\\Users\Default\SendTo: JUNCTION
    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

    \\?\c:\\Users\Default\Start Menu: JUNCTION
    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

    \\?\c:\\Users\Default\Templates: JUNCTION
    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

    \\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
    Print Name : C:\Users\Default\AppData\Local
    Substitute Name: C:\Users\Default\AppData\Local

    \\?\c:\\Users\Default\AppData\Local\History: JUNCTION
    Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
    Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

    \\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
    Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

    \\?\c:\\Users\Default\Documents\My Music: JUNCTION
    Print Name : C:\Users\Default\Music
    Substitute Name: C:\Users\Default\Music

    \\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
    Print Name : C:\Users\Default\Pictures
    Substitute Name: C:\Users\Default\Pictures

    \\?\c:\\Users\Default\Documents\My Videos: JUNCTION
    Print Name : C:\Users\Default\Videos
    Substitute Name: C:\Users\Default\Videos

    \\?\c:\\Users\Guest\Application Data: JUNCTION
    Print Name : C:\Users\Guest\AppData\Roaming
    Substitute Name: C:\Users\Guest\AppData\Roaming

    \\?\c:\\Users\Guest\Cookies: JUNCTION
    Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies
    Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies

    \\?\c:\\Users\Guest\Local Settings: JUNCTION
    Print Name : C:\Users\Guest\AppData\Local
    Substitute Name: C:\Users\Guest\AppData\Local

    \\?\c:\\Users\Guest\My Documents: JUNCTION
    Print Name : C:\Users\Guest\Documents
    Substitute Name: C:\Users\Guest\Documents

    \\?\c:\\Users\Guest\NetHood: JUNCTION
    Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    \\?\c:\\Users\Guest\PrintHood: JUNCTION
    Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    \\?\c:\\Users\Guest\Recent: JUNCTION
    Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent
    Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent

    \\?\c:\\Users\Guest\SendTo: JUNCTION
    Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\SendTo
    Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\SendTo

    \\?\c:\\Users\Guest\Start Menu: JUNCTION
    Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu
    Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu

    \\?\c:\\Users\Guest\Templates: JUNCTION
    Print Name : C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Templates
    Substitute Name: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Templates

    \\?\c:\\Users\Guest\AppData\Local\Application Data: JUNCTION
    Print Name : C:\Users\Guest\AppData\Local
    Substitute Name: C:\Users\Guest\AppData\Local

    \\?\c:\\Users\Guest\AppData\Local\History: JUNCTION
    Print Name : C:\Users\Guest\AppData\Local\Microsoft\Windows\History
    Substitute Name: C:\Users\Guest\AppData\Local\Microsoft\Windows\History

    \\?\c:\\Users\Guest\AppData\Local\Temporary Internet Files: JUNCTION
    Print Name : C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Substitute Name: C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files

    .

    ...\\?\c:\\Users\Guest\Documents\My Music: JUNCTION
    Print Name : C:\Users\Guest\Music
    Substitute Name: C:\Users\Guest\Music

    \\?\c:\\Users\Guest\Documents\My Pictures: JUNCTION
    Print Name : C:\Users\Guest\Pictures
    Substitute Name: C:\Users\Guest\Pictures

    \\?\c:\\Users\Guest\Documents\My Videos: JUNCTION
    Print Name : C:\Users\Guest\Videos
    Substitute Name: C:\Users\Guest\Videos

    \\?\c:\\Users\Public\Documents\My Music: JUNCTION
    Print Name : C:\Users\Public\Music
    Substitute Name: C:\Users\Public\Music

    \\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
    Print Name : C:\Users\Public\Pictures
    Substitute Name: C:\Users\Public\Pictures

    \\?\c:\\Users\Public\Documents\My Videos: JUNCTION
    Print Name : C:\Users\Public\Videos
    Substitute Name: C:\Users\Public\Videos

    \\?\c:\\Users\TMoss\Application Data: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Roaming
    Substitute Name: C:\Users\TMoss\AppData\Roaming

    \\?\c:\\Users\TMoss\Cookies: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Cookies
    Substitute Name: C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Cookies

    \\?\c:\\Users\TMoss\Local Settings: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Local
    Substitute Name: C:\Users\TMoss\AppData\Local

    \\?\c:\\Users\TMoss\My Documents: JUNCTION
    Print Name : C:\Users\TMoss\Documents
    Substitute Name: C:\Users\TMoss\Documents

    \\?\c:\\Users\TMoss\NetHood: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Substitute Name: C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    \\?\c:\\Users\TMoss\PrintHood: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Substitute Name: C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    \\?\c:\\Users\TMoss\Recent: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Recent
    Substitute Name: C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Recent

    \\?\c:\\Users\TMoss\SendTo: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\SendTo
    Substitute Name: C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\SendTo

    \\?\c:\\Users\TMoss\Start Menu: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Start Menu
    Substitute Name: C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Start Menu

    \\?\c:\\Users\TMoss\Templates: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Templates
    Substitute Name: C:\Users\TMoss\AppData\Roaming\Microsoft\Windows\Templates

    \\?\c:\\Users\TMoss\AppData\Local\Application Data: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Local
    Substitute Name: C:\Users\TMoss\AppData\Local

    \\?\c:\\Users\TMoss\AppData\Local\History: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Local\Microsoft\Windows\History
    Substitute Name: C:\Users\TMoss\AppData\Local\Microsoft\Windows\History

    \\?\c:\\Users\TMoss\AppData\Local\Temporary Internet Files: JUNCTION
    Print Name : C:\Users\TMoss\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Substitute Name: C:\Users\TMoss\AppData\Local\Microsoft\Windows\Temporary Internet Files




    Failed to open \\?\c:\\Users\TMoss\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.



    Failed to open \\?\c:\\Users\TMoss\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.


    ...

    ...

    .\\?\c:\\Users\TMoss\Documents\My Music: JUNCTION
    Print Name : C:\Users\TMoss\Music
    Substitute Name: C:\Users\TMoss\Music

    \\?\c:\\Users\TMoss\Documents\My Pictures: JUNCTION
    Print Name : C:\Users\TMoss\Pictures
    Substitute Name: C:\Users\TMoss\Pictures

    \\?\c:\\Users\TMoss\Documents\My Videos: JUNCTION
    Print Name : C:\Users\TMoss\Videos
    Substitute Name: C:\Users\TMoss\Videos

    ..\\?\c:\\Users\UpdatusUser.TMoss-PC\Application Data: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming

    \\?\c:\\Users\UpdatusUser.TMoss-PC\Cookies: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Cookies
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Cookies

    \\?\c:\\Users\UpdatusUser.TMoss-PC\Local Settings: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Local
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Local

    \\?\c:\\Users\UpdatusUser.TMoss-PC\My Documents: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\Documents
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\Documents

    \\?\c:\\Users\UpdatusUser.TMoss-PC\NetHood: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    \\?\c:\\Users\UpdatusUser.TMoss-PC\PrintHood: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    \\?\c:\\Users\UpdatusUser.TMoss-PC\Recent: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Recent
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Recent

    \\?\c:\\Users\UpdatusUser.TMoss-PC\SendTo: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\SendTo
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\SendTo

    \\?\c:\\Users\UpdatusUser.TMoss-PC\Start Menu: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Start Menu

    \\?\c:\\Users\UpdatusUser.TMoss-PC\Templates: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Templates
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Roaming\Microsoft\Windows\Templates

    \\?\c:\\Users\UpdatusUser.TMoss-PC\AppData\Local\Application Data: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Local
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Local

    \\?\c:\\Users\UpdatusUser.TMoss-PC\AppData\Local\History: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Local\Microsoft\Windows\History
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Local\Microsoft\Windows\History

    \\?\c:\\Users\UpdatusUser.TMoss-PC\AppData\Local\Temporary Internet Files: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files

    \\?\c:\\Users\UpdatusUser.TMoss-PC\Documents\My Music: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\Music
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\Music

    \\?\c:\\Users\UpdatusUser.TMoss-PC\Documents\My Pictures: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\Pictures
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\Pictures

    \\?\c:\\Users\UpdatusUser.TMoss-PC\Documents\My Videos: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC\Videos
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC\Videos

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Application Data: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Cookies: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Cookies
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Cookies

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Local Settings: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Local
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Local

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\My Documents: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\Documents
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\Documents

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\NetHood: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\PrintHood: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Recent: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Recent
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Recent

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\SendTo: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\SendTo
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\SendTo

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Start Menu: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Start Menu
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Start Menu

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Templates: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Templates
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Roaming\Microsoft\Windows\Templates

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\AppData\Local\Application Data: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Local
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Local

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\AppData\Local\History: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Local\Microsoft\Windows\History
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Local\Microsoft\Windows\History

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\AppData\Local\Temporary Internet Files: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\AppData\Local\Microsoft\Windows\Temporary Internet Files

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Documents\My Music: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\Music
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\Music

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Documents\My Pictures: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\Pictures
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\Pictures

    \\?\c:\\Users\UpdatusUser.TMoss-PC.000\Documents\My Videos: JUNCTION
    Print Name : C:\Users\UpdatusUser.TMoss-PC.000\Videos
    Substitute Name: C:\Users\UpdatusUser.TMoss-PC.000\Videos



    ...
    Failed to open \\?\c:\\Windows\CSC\v2.0.6\pq: Access is denied.



    Failed to open \\?\c:\\Windows\CSC\v2.0.6\temp\ea-{a7af2b49-31c3-11de-9742-001de0739ea3}: Access is denied.




    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ..\\?\c:\\Windows\System32\config\systemprofile\Application Data: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming

    \\?\c:\\Windows\System32\config\systemprofile\Local Settings: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Local
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local

    \\?\c:\\Windows\System32\config\systemprofile\My Documents: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\Documents
    Substitute Name: C:\Windows\system32\config\systemprofile\Documents

    \\?\c:\\Windows\System32\config\systemprofile\NetHood: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    \\?\c:\\Windows\System32\config\systemprofile\PrintHood: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    \\?\c:\\Windows\System32\config\systemprofile\Recent: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent

    \\?\c:\\Windows\System32\config\systemprofile\SendTo: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo

    \\?\c:\\Windows\System32\config\systemprofile\Start Menu: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu

    \\?\c:\\Windows\System32\config\systemprofile\Templates: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates

    \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Application Data: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Local
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local

    \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\History: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History

    \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files

    .\\?\c:\\Windows\System32\config\systemprofile\Documents\My Music: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\Music
    Substitute Name: C:\Windows\system32\config\systemprofile\Music

    \\?\c:\\Windows\System32\config\systemprofile\Documents\My Pictures: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\Pictures
    Substitute Name: C:\Windows\system32\config\systemprofile\Pictures

    \\?\c:\\Windows\System32\config\systemprofile\Documents\My Videos: JUNCTION
    Print Name : C:\Windows\system32\config\systemprofile\Videos
    Substitute Name: C:\Windows\system32\config\systemprofile\Videos



    ...

    ...

    ...

    ...

    ...

    ...

    ...
    Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.
     
  16. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    I know this is hard to read and not sure if you will find it useful but this is what shows up in process viewer every time I do anything...All of these are writing to disk...Seems everything gets rewritten but I could be wrong...





    Image PID File Read (B/min) Write (B/min) IO Priority Response Time (ms)
    System 4 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl 0 197120 - 2
    svchost.exe (LocalServiceNetworkRestricted) 1108 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat 0 512 - 1
    System 4 C:\Windows\Prefetch\SEARCHFILTERHOST.EXE-44162447.pf 0 20480 - 1
    System 4 C:\Windows\Prefetch\MMC.EXE-BC0E8C7C.pf 0 86016 - 1
    System 4 C:\Windows\Prefetch\DLLHOST.EXE-4B6CB38A.pf 0 20480 - 1
    System 4 C:\Users\Administrator.TMoss-PC 0 8192 - 1
    System 4 - 0 4608 - 1
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows 0 4096 - 1
    System 4 C:\Windows\System32\config 0 4096 - 1
    System 4 C:\$Mft (NTFS Master File Table) 0 4096 - 1
    System 4 C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex 0 4096 - 1
    SearchIndexer.exe 2916 C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy7.gthr 0 4096 - 1
    System 4 C:\$BitMap (NTFS Free Space Map) 0 28672 - 1
    System 4 C:\Windows\System32\winevt\Logs\System.evtx 0 16384 - 1
    System 4 C:\$Mft (NTFS Master File Table) 0 81920 - 1
    System 4 C:\$LogFile (NTFS Volume Log) 0 159744 - 0
    System 4 C:\Windows\Prefetch 0 24576 - 0
    System 4 C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-69C456C3.pf 0 28672 - 0
    System 4 C:\Users\Administrator.TMoss-PC\ntuser.dat.LOG1 0 17920 - 0
    System 4 C:\Windows\System32\config\software 0 53248 - 0
    System 4 C:\Users\Administrator.TMoss-PC\ntuser.dat 0 69632 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows\UsrClass.dat 0 57344 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 0 18432 - 0
    System 4 C:\Windows\System32\config\SOFTWARE.LOG1 0 24576 - 0
    SearchIndexer.exe 2916 C:\$LogFile (NTFS Volume Log) 0 12288 - 0
    System 4 C:\Windows\System32\LogFiles\WMI\RtBackup 0 4096 - 0
     
  17. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please download GrantPerms.zip and save it to your desktop.
    Unzip the file and depending on the system run GrantPerms.exe (32-bit system) or GrantPerms64.exe (64-bit system)
    Copy and paste the following in the edit box:

    Code:
    c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\07f3d2b5f37a91d9f84076 cee386f8bd_7bdb6517-028f-4c07-8a83-19fb585d6dc1
    c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3d9b0622dfb157085bce3c 0127fb4860_7bdb6517-028f-4c07-8a83-19fb585d6dc1
    c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\77d2c16eaff4a61ce74290 0f488898ce_7bdb6517-028f-4c07-8a83-19fb585d6dc1
    c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1 e01a5229f1_7bdb6517-028f-4c07-8a83-19fb585d6dc1
    c:\\Qoobox\BackEnv
    c:\\System Volume Information\{6945b9c9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945b9c1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945b8e5-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{4d22f310-1783-11e1-b03d-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{4d22f30b-1783-11e1-b03d-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{33dd6e32-19fc-11e1-aed9-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{039d2d60-111f-11e1-8342-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba15-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba0d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba05-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945b9fd-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945b9f1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945b9e9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945b9e1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945b9d9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945b9d1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba5d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba55-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba4d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba45-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba3d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba35-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba2d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba25-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba1d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{cec22018-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{cec21ffe-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{cec21ff6-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945bbde-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945bbd7-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945bba2-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945bb89-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba7f-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{6945ba65-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\SystemRestore\System Volume Information
    c:\\System Volume Information\{eb28178b-17a1-11e1-856e-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\System Volume Information\{eb28177d-17a1-11e1-856e-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}
    c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_7bd b6517-028f-4c07-8a83-19fb585d6dc1
    c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\77d2c16eaff4a61ce742900f488898ce_7bd b6517-028f-4c07-8a83-19fb585d6dc1
    c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\3d9b0622dfb157085bce3c0127fb4860_7bd b6517-028f-4c07-8a83-19fb585d6dc1
    c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\07f3d2b5f37a91d9f84076cee386f8bd_7bd b6517-028f-4c07-8a83-19fb585d6dc1
    c:\\Users\TMoss\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db
    c:\\Users\TMoss\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db.shadow
    c:\\Windows\CSC\v2.0.6\pq
    c:\\Windows\CSC\v2.0.6\temp\ea-{a7af2b49-31c3-11de-9742-001de0739ea3}
    c:\\Windows\System32\LogFiles\WMI\RtBackup
    
    Click Unlock. When it is done click "OK".
    Click List Permissions and post the result of Perms.txt file that pops up.
    A copy of Perms.txt will be saved in the same directory the tool is run.

    ============================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- -- (seclogon)
      SRV - File not found [On_Demand | Stopped] -- -- (QWAVE)
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Value error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
      @Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:1CE11B51
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  18. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    More logs

    Wow,you should have seen process viewer after running these...I saved it if you want to see.....Anyway ESET came up clean so no log there......Here are the rest....

    GrantPerms by Farbar
    Ran by Administrator (administrator) at 2011-12-05 20:06:55

    ===============================================
    ERROR: Parsing the SD of <\\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\07f3d2b5f37a91d9f84076 cee386f8bd_7bdb6517-028f-4c07-8a83-19fb585d6dc1> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    ERROR: Parsing the SD of <\\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3d9b0622dfb157085bce3c 0127fb4860_7bdb6517-028f-4c07-8a83-19fb585d6dc1> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    ERROR: Parsing the SD of <\\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\77d2c16eaff4a61ce74290 0f488898ce_7bdb6517-028f-4c07-8a83-19fb585d6dc1> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    ERROR: Parsing the SD of <\\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1 e01a5229f1_7bdb6517-028f-4c07-8a83-19fb585d6dc1> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    \\?\c:\\Qoobox\BackEnv

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Administrators FULL ALLOW (I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    NT AUTHORITY\Authenticated Users change ALLOW (I)
    NT AUTHORITY\Authenticated Users change ALLOW (CI)(OI)(IO)(I)


    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b9c9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b9c1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b8e5-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{4d22f310-1783-11e1-b03d-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{4d22f30b-1783-11e1-b03d-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{33dd6e32-19fc-11e1-aed9-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{039d2d60-111f-11e1-8342-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba15-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba0d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba05-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b9fd-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b9f1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b9e9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b9e1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b9d9-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945b9d1-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba5d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba55-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba4d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba45-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba3d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba35-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba2d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba25-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba1d-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{cec22018-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{cec21ffe-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{cec21ff6-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945bbde-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945bbd7-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945bba2-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945bb89-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba7f-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{6945ba65-11bf-11e1-b442-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    \\?\c:\\System Volume Information\SystemRestore\System Volume Information

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{eb28178b-17a1-11e1-856e-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{eb28177d-17a1-11e1-856e-0015c5867e59}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


    Operating system error message: Access is denied.
    ERROR: Parsing the SD of <\\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_7bd b6517-028f-4c07-8a83-19fb585d6dc1> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    ERROR: Parsing the SD of <\\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\77d2c16eaff4a61ce742900f488898ce_7bd b6517-028f-4c07-8a83-19fb585d6dc1> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    ERROR: Parsing the SD of <\\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\3d9b0622dfb157085bce3c0127fb4860_7bd b6517-028f-4c07-8a83-19fb585d6dc1> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    ERROR: Parsing the SD of <\\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\07f3d2b5f37a91d9f84076cee386f8bd_7bd b6517-028f-4c07-8a83-19fb585d6dc1> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    \\?\c:\\Users\TMoss\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Users\TMoss\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db.shadow

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Windows\CSC\v2.0.6\pq

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    NT AUTHORITY\SYSTEM FULL ALLOW (I)
    BUILTIN\Administrators FULL ALLOW (I)
    BUILTIN\Users READ/EXECUTE ALLOW (I)


    \\?\c:\\Windows\CSC\v2.0.6\temp\ea-{a7af2b49-31c3-11de-9742-001de0739ea3}

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    NT AUTHORITY\SYSTEM FULL ALLOW (I)
    BUILTIN\Administrators FULL ALLOW (I)
    BUILTIN\Users READ/EXECUTE ALLOW (I)


    \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    __________________________________________________________________________

    All processes killed
    ========== OTL ==========
    Service seclogon stopped successfully!
    Service seclogon deleted successfully!
    Service QWAVE stopped successfully!
    Service QWAVE deleted successfully!
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\Windows\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    ADS C:\ProgramData\TEMP:1CE11B51 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.TMoss-PC
    ->Temp folder emptied: 213252 bytes
    ->Temporary Internet Files folder emptied: 5325514 bytes
    ->Java cache emptied: 182135 bytes
    ->FireFox cache emptied: 42484480 bytes
    ->Flash cache emptied: 599 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 25016788 bytes
    ->FireFox cache emptied: 13664649 bytes
    ->Flash cache emptied: 456 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: TMoss
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 7799020 bytes
    ->Java cache emptied: 349047 bytes
    ->FireFox cache emptied: 42963717 bytes
    ->Google Chrome cache emptied: 8867460 bytes
    ->Flash cache emptied: 511 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: UpdatusUser.TMoss-PC
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: UpdatusUser.TMoss-PC.000
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 6496256 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 219253 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 15613 bytes

    Total Files Cleaned = 146.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: Administrator.TMoss-PC
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: Public

    User: TMoss
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser

    User: UpdatusUser.TMoss-PC

    User: UpdatusUser.TMoss-PC.000

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 12052011_202642

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  19. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    And more logs

    Results of screen317's Security Check version 0.99.24
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 29
    Adobe Flash Player ( 10.3.181.34) Flash Player Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    ``````````End of Log````````````


    __________________________________________________________________
     
  20. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  21. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    It may be clean but I still have the same problems.....Do I still need to create a restore point with issues...
     
  22. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Yes, please do.

    Then....

    In this forum, we make sure, your computer is free of malware and your computer is clean :)
    Because the access to malware forum is very limited, your best option is to create new topic about your current issue, at Windows section.
    You'll get more attention.
     
  23. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Here is what is happening everytime I try to run programs or make changes....Looks like a lot of auto rewrites....

    Image PID File Read (B/min) Write (B/min) IO Priority Response Time (ms)
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\hpqDTSS.exe 4096 0 - 105
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.ci 4096 0 - 65
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Windows\winsxs\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms 16384 0 - 57
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm 32768 0 - 39
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Users\Administrator.TMoss-PC\Desktop\aswMBR.exe 8192 0 - 37
    OnlineCmdLineScanner.exe 4824 C:\Netgear\Monitor.bin 512 0 - 27
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\HomeStudentrWW.xml 11776 0 - 26
    OnlineCmdLineScanner.exe 4824 C:\Netgear\MDM_Util.js 24064 0 - 26
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\AVAST Software\Avast\defs\11120501\db_pe2.dat 8192 0 - 25
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\Office64WW.xml 2560 0 - 23
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvaa.inf 32768 0 - 23
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml 10240 0 - 22
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml 1024 0 - 19
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvd3dum.dl_ 32768 0 - 19
    OnlineCmdLineScanner.exe 4824 C:\Netgear\language.txt 32768 0 - 18
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvd3d9wrap.dl_ 32768 0 - 17
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe 4096 0 - 16
    OnlineCmdLineScanner.exe 4824 C:\Netgear\InitialNetgear(1).html 4608 0 - 16
    OnlineCmdLineScanner.exe 4824 C:\Netgear\Template.htm 10752 0 - 16
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\DisplayDriver.nvi 30720 0 - 16
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvao.inf 32768 0 - 16
    OnlineCmdLineScanner.exe 4824 C:\Netgear\MDM_Progress.js 4608 0 - 15
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Windows\Installer 4096 0 - 15
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll 32768 0 - 15
    OnlineCmdLineScanner.exe 4824 C:\$Mft (NTFS Master File Table) 4096 0 - 15
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\$Mft (NTFS Master File Table) 5160960 0 - 15
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\AVAST Software\Avast\defs\11120501\certs.map 12288 0 - 15
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\EULA.txt 8192 0 - 14
    OnlineCmdLineScanner.exe 4824 C:\Netgear 4096 0 - 14
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Users\Administrator.TMoss-PC\Desktop\Junction.zip 12288 0 - 14
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\Nvcuvid.dl_ 32768 0 - 14
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi 43520 0 - 14
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\license.txt 15872 0 - 14
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\Setup.xml 22016 0 - 13
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvct.inf 32768 0 - 13
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvam.inf 32768 0 - 13
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST 32768 0 - 13
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvbl.inf 32768 0 - 13
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\ListDevices.txt 32768 0 - 13
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvcompiler.dl_ 32768 0 - 12
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvdet.dl_ 1536 0 - 12
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml 6144 0 - 12
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Setup.cfg 7168 0 - 12
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir 20480 0 - 12
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvar.inf 32768 0 - 11
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\IObit\Advanced SystemCare 5 24576 0 - 11
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvcuda.dl_ 32768 0 - 10
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvdecodemft.dl_ 32768 0 - 10
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\setup.exe 74240 0 - 10
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvcv.inf 32768 0 - 10
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvapi.dl_ 32768 0 - 10
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\ID_1002F.DPC 2048 0 - 10
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm 27136 0 - 9
    System 4 - 158196 589643 - 8
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvac.inf 32768 0 - 8
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C 8192 0 - 8
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\ose.exe 43008 0 - 8
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\license.txt 15872 0 - 8
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi 39424 0 - 6
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvcuvenc.dl_ 32768 0 - 6
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll 95232 0 - 6
    System 4 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\HomeStudentrWW.msi 3608576 0 - 6
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\dbInstaller.exe 101376 0 - 6
    System 4 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\osetup.dll 233472 0 - 6
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\setup.exe 146432 0 - 6
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\HP Deskjet 1000 J110 series.exe 4096 0 - 6
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Windows\Web\Wallpaper 4096 0 - 5
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin 4096 0 - 5
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\CCleaner\CCleaner.exe 71680 0 - 5
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\Common Files\microsoft shared\ink 12288 0 - 5
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver 12288 0 - 5
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvcompiler.dl_ 98304 0 - 4
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\DisplayDriverExt.dll 825344 0 - 4
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\ESET\ESET Online Scanner\OnlineScanner64.ocx 680960 0 - 4
    System 4 C:\$LogFile (NTFS Volume Log) 0 23040815 - 4
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\Office64WW.msi 761856 0 - 3
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvct.inf 24064 0 - 3
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe 53248 0 - 3
    OnlineCmdLineScanner.exe 4824 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvdispco32.dll 828416 0 - 3
    System 4 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll 98304 0 - 3
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\HomeStudentrWW.msi 6104576 0 - 3
    System 4 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab 25287680 0 - 2
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\OWOW64WW.cab 425984 0 - 2
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\DisplayDriverExt.dll 163840 0 - 2
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\osetup.dll 6303744 0 - 2
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\Fingerprint Reader Suite\enrollbtn.exe 30720 0 - 2
    System 4 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\HomeSrWW.cab 132852224 0 - 2
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\HomeSrWW.cab 8032256 0 - 2
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvapi.dl_ 98304 0 - 2
    System 4 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi 98304 0 - 2
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\Nvcuvid.dl_ 98304 0 - 2
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvcv.inf 97792 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvcuvenc.dl_ 98304 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvcuda.dl_ 98304 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvd3dum.dl_ 98304 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\dbInstaller.exe 98304 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvd3d9wrap.dl_ 98304 0 - 1
    System 4 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\Office64WW.msi 98304 0 - 1
    System 4 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi 98304 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvdecodemft.dl_ 98304 0 - 1
    System 4 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\setup.exe 98304 0 - 1
    System 4 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\ose.exe 98304 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvam.inf 186368 0 - 1
    System 4 C:\System Volume Information\{cec22018-1ccc-11e1-b6f5-001de0739ea3}{3808876b-c176-4e48-b7ae-04046e6cc752} 0 175510 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvac.inf 154112 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvdispco32.dll 151552 0 - 1
    System 4 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll 76288 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\setup.exe 204800 0 - 1
    System 4 C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\OWOW64WW.cab 3725312 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\ListDevices.txt 59904 0 - 1
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NOD402.tmp 0 4096 - 1
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NOD1F49.tmp 0 4096 - 1
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NODE216.tmp 0 4096 - 1
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NOD185D.tmp 0 4096 - 1
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NODD817.tmp 0 4096 - 1
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NOD3431.tmp 0 4096 - 1
    OnlineCmdLineScanner.exe 4824 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab 1404928 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvao.inf 53248 0 - 1
    System 4 C:\Netgear\language.txt 49664 0 - 1
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvbl.inf 39936 0 - 1
    System 4 C:\$Mft (NTFS Master File Table) 0 4096 - 0
    svchost.exe (LocalServiceNetworkRestricted) 1096 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat 0 512 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp 0 4096 - 0
    System 4 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST 29184 0 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local 0 4096 - 0
    System 4 C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm 20480 0 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NOD3A79.tmp 0 8192 - 0
    OnlineCmdLineScanner.exe 4824 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NODBD00.tmp 4096 0 - 0
    System 4 C:\$Mft (NTFS Master File Table) 0 11967 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NOD415B.tmp 0 8192 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NOD4A12.tmp 0 4096 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NODBD00.tmp 0 4096 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NODD03A.tmp 0 4096 - 0
    System 4 C:\$BitMap (NTFS Free Space Map) 0 12031 - 0
    System 4 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NODB9AD.tmp 0 4096 - 0
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvaa.inf 6656 0 - 0
    OnlineCmdLineScanner.exe 4824 C:\Netgear\InitialNetgear.html 4608 0 - 0
    OnlineCmdLineScanner.exe 4824 C:\Users\Administrator.TMoss-PC\AppData\Local\Temp\NODB9AD.tmp 4096 0 - 0
    SearchIndexer.exe 2660 - 90112 0 - 0
    svchost.exe (LocalSystemNetworkRestricted) 1176 C:\Program Files\Kodak\Kodak EasyShare software\bin 4096 0 - 0
    System 4 C:\NVIDIA\DisplayDriver\280.26\WinVista_Win7\International\Display.Driver\nvar.inf 8192 0 - 0
     
  24. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.TMoss-PC
    ->Temp folder emptied: 187311 bytes
    ->Temporary Internet Files folder emptied: 7245999 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 5610035 bytes
    ->Flash cache emptied: 456 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: TMoss
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: UpdatusUser.TMoss-PC
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: UpdatusUser.TMoss-PC.000
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 12.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: Administrator.TMoss-PC
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: Public

    User: TMoss
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser

    User: UpdatusUser.TMoss-PC

    User: UpdatusUser.TMoss-PC.000

    Total Flash Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.31.0 log created on 12062011_004348

    Files\Folders moved on Reboot...
    C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

    \PIRRSBLE\topic174093[2].htm moved successfully.
    C:\Users\Administrator.TMoss-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

    \80822YQK\search[2].htm moved successfully.

    Registry entries deleted on Reboot...
     
  25. tmoss

    tmoss TS Rookie Topic Starter Posts: 23

    Thank you so much for your help....A few older restore points are still there... Also I am not comfortable creating a new one with present issues such as everything we did pretty much got wrote back, firewall won't let me change settings, and modem/router is not secure....Not sure where to go from here....
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...