TechSpot

Rootkit redirect removal requested

By InfectedXP
Nov 17, 2011
  1. Another user here with redirected Google searches. I kindly request your help in removing this nasty. The requested logs are posted below:

    Malwarebytes' Anti-Malware 1.51.2.1300
    Database version: 8183

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/17/2011 10:19:17 AM
    mbam-log-2011-11-17 (10-19-17).txt

    Scan type: Quick scan
    Objects scanned: 185036
    Time elapsed: 6 minute(s), 20 second(s)

    ---------found nothing----------- all values = 0 / No malicious items detected

    GMER 1.0.15.15641
    Rootkit scan 2011-11-17 14:42:37
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500418AS rev.CC38
    Running: tx4lsntn.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awldipod.sys

    ---- System - GMER 1.0.15 ----

    SSDT B873E534 ZwClose
    SSDT B873E4EE ZwCreateKey
    SSDT B873E53E ZwCreateSection
    SSDT B873E4E4 ZwCreateThread
    SSDT B873E4F3 ZwDeleteKey
    SSDT B873E4FD ZwDeleteValueKey
    SSDT B873E52F ZwDuplicateObject
    SSDT B873E502 ZwLoadKey
    SSDT B873E4D0 ZwOpenProcess
    SSDT B873E4D5 ZwOpenThread
    SSDT B873E50C ZwReplaceKey
    SSDT B873E507 ZwRestoreKey
    SSDT B873E543 ZwSetContextThread
    SSDT B873E4F8 ZwSetValueKey
    SSDT B873E4DF ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB66D0380, 0x3DF545, 0xE8000020]
    ? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla\Firefox\firefox.exe[3556] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla\Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla\Firefox\plugin-container.exe[6124] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10407D29 C:\Program Files\Mozilla\Firefox\xul.dll (Mozilla Foundation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\Explorer.EXE[2764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C42F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[2764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C42C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[2764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C42CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[2764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C42CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

    ---- EOF - GMER 1.0.15 ----
    ----------------------------------------------------------------------------------------------------
    DDS.txt
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Ownergx280 at 14:21:58 on 2011-11-17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1311 [GMT -7:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Application Updater\ApplicationUpdater.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe
    C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\theSkyNet\wrapper-windows-x86-32.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://ask.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uURLSearchHooks: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.7\pdfforgeToolbarIE.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.7\pdfforgeToolbarIE.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.7\pdfforgeToolbarIE.dll
    TB: @c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [F.lux] "c:\documents and settings\administrator\local settings\apps\f.lux\flux.exe" /noshow
    uRun: [winWIRpl] rundll32.exe
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
    mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
    mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [QwestTouchPointAgent] "c:\program files\qwest\desktop\QwestTouchPointAgent.exe" /autostart
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Bonus.SSR.FR10] "c:\program files\abbyy finereader 10\Bonus.ScreenshotReader.exe" /autorun
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [<NO NAME>]
    mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    dRunOnce: [RunNarrator] Narrator.exe
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\quickcam\eReg.exe
    IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: intuit.com\ttlc
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155752918890
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223411901546
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{2656D79E-3E2C-4C75-B793-DDFA38B8828D} : DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{B71CF50C-691D-4222-9E77-2AEA0074298B} : DhcpNameServer = 192.168.0.1 205.171.3.25
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - "c:\program files\windows sidebar\sidebar.exe" /RegServer
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\v0hxrgc7.default\
    FF - prefs.js: browser.startup.homepage - www.blip.fm
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
    FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla\firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla\firefox\plugins\npMozCouponPrinter.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla\firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.brc - BRI/1
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2011-9-18 57112]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-5 11608]
    R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\pe\NetworkLicenseServer.exe [2009-11-25 814344]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-5 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-5 269480]
    R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-9-27 745880]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-5 66616]
    R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
    R2 wrapper;theSkyNet;c:\program files\theskynet\wrapper-windows-x86-32.exe [2011-5-25 431896]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-9-18 56992]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-9-18 1684736]
    S3 FTEventService;FTEVTBDG;c:\program files\promise technology, inc\promise array management\FTEVTBDG.sys [2008-5-2 3873]
    S3 SQ931;USB 2.0 Video Camera;c:\windows\system32\drivers\capt931a.sys --> c:\windows\system32\drivers\Capt931a.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-11-17 17:10:36 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2011-11-17 17:10:29 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-11-17 17:10:26 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-17 17:10:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-14 07:08:41 -------- d-----w- c:\documents and settings\administrator\local settings\application data\DesktopMain32
    2011-11-11 00:36:49 -------- d-----w- c:\program files\Microsoft
    2011-11-11 00:36:44 -------- d-----w- c:\program files\MSN Toolbar
    2011-11-11 00:36:37 -------- d-----w- c:\program files\Bing Bar Installer
    2011-11-11 00:36:36 -------- d-----w- c:\program files\HP Photo Creations
    2011-11-11 00:36:36 -------- d-----w- c:\documents and settings\all users\application data\HP Photo Creations
    2011-11-11 00:36:22 -------- d-----w- c:\documents and settings\administrator\application data\HpUpdate
    2011-11-11 00:35:56 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
    2011-11-11 00:35:56 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
    2011-11-11 00:35:56 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
    2011-10-30 04:42:12 -------- d-----w- c:\documents and settings\administrator\application data\Search Settings
    2011-10-30 04:42:08 -------- d-----w- c:\program files\pdfforge Toolbar
    2011-10-30 04:42:08 -------- d-----w- c:\program files\Application Updater
    .
    ==================== Find3M ====================
    .
    2011-10-21 17:21:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 14:22:45.85 ===============
    Attach.txt
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/18/2011 2:00:28 AM
    System Uptime: 11/17/2011 2:16:42 PM (0 hours ago)
    .
    Motherboard: To be filled by O.E.M. | | To be filled by O.E.M.
    Processor: Intel Pentium III Xeon processor | CPU 1 | 2699/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 164.736 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 232 GiB total, 232.36 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 9/18/2011 2:06:50 AM - System Checkpoint
    RP2: 9/18/2011 2:11:49 AM - Installed Windows Installer KB893803v2.
    RP3: 9/18/2011 2:16:15 AM - Installed NVIDIA ForceWare Network Access Manager
    RP4: 9/18/2011 2:52:44 AM - Software Distribution Service 3.0
    RP5: 9/18/2011 10:26:51 AM - Software Distribution Service 3.0
    RP6: 9/18/2011 10:48:00 AM - Software Distribution Service 3.0
    RP7: 9/18/2011 11:34:43 AM - Software Distribution Service 3.0
    RP8: 9/18/2011 11:44:15 AM - Installed Paragon Backup & Recovery™ 2011 (Advanced) Free.
    RP9: 9/20/2011 1:38:28 AM - System Checkpoint
    RP10: 9/21/2011 1:51:07 AM - System Checkpoint
    RP11: 9/22/2011 2:33:17 AM - System Checkpoint
    RP12: 9/23/2011 3:32:12 AM - System Checkpoint
    RP13: 9/23/2011 9:00:48 PM - Software Distribution Service 3.0
    RP14: 9/25/2011 1:49:52 AM - System Checkpoint
    RP15: 9/26/2011 4:19:54 AM - System Checkpoint
    RP16: 9/28/2011 1:39:21 AM - System Checkpoint
    RP17: 9/29/2011 10:14:04 AM - System Checkpoint
    RP18: 9/30/2011 3:33:50 PM - System Checkpoint
    RP19: 10/1/2011 11:23:39 PM - System Checkpoint
    RP20: 10/3/2011 3:20:10 AM - System Checkpoint
    RP21: 10/4/2011 11:44:34 AM - System Checkpoint
    RP22: 10/5/2011 5:54:13 PM - System Checkpoint
    RP23: 10/6/2011 7:16:07 PM - Software Distribution Service 3.0
    RP24: 10/8/2011 1:09:11 PM - System Checkpoint
    RP25: 10/10/2011 2:36:21 AM - System Checkpoint
    RP26: 10/11/2011 4:10:54 AM - System Checkpoint
    RP27: 10/12/2011 5:08:02 AM - System Checkpoint
    RP28: 10/13/2011 5:25:15 AM - System Checkpoint
    RP29: 10/15/2011 7:33:58 PM - System Checkpoint
    RP30: 10/16/2011 8:03:09 PM - System Checkpoint
    RP31: 10/17/2011 10:41:25 AM - Software Distribution Service 3.0
    RP32: 10/18/2011 7:41:19 PM - System Checkpoint
    RP33: 10/20/2011 5:20:10 AM - System Checkpoint
    RP34: 10/21/2011 1:21:18 PM - System Checkpoint
    RP35: 10/22/2011 1:53:21 PM - System Checkpoint
    RP36: 10/24/2011 12:18:55 AM - System Checkpoint
    RP37: 10/25/2011 5:56:53 AM - System Checkpoint
    RP38: 10/26/2011 9:47:49 AM - System Checkpoint
    RP39: 10/27/2011 10:36:42 AM - System Checkpoint
    RP40: 10/29/2011 6:54:52 AM - System Checkpoint
    RP41: 10/30/2011 6:03:48 AM - System Checkpoint
    RP42: 10/31/2011 1:35:38 PM - System Checkpoint
    RP43: 11/2/2011 2:08:09 AM - System Checkpoint
    RP44: 11/3/2011 1:30:55 PM - System Checkpoint
    RP45: 11/5/2011 4:39:58 AM - System Checkpoint
    RP46: 11/6/2011 8:54:34 AM - System Checkpoint
    RP47: 11/7/2011 10:28:30 AM - System Checkpoint
    RP48: 11/10/2011 4:18:44 PM - System Checkpoint
    RP49: 11/10/2011 5:30:04 PM - Software Distribution Service 3.0
    RP50: 11/10/2011 5:36:29 PM - Removed HPSU306Stub
    RP51: 11/13/2011 9:32:41 AM - System Checkpoint
    RP52: 11/15/2011 2:43:10 PM - Software Distribution Service 3.0
    RP53: 11/16/2011 7:36:14 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    1-Click YouTube To MP3 Converter 2.2
    32 Bit HP CIO Components Installer
    ABBYY FineReader 10 Professional Edition
    Acrobat.com
    Adobe AIR
    Adobe Digital Editions
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.6
    Adobe Shockwave Player 11.6
    AIO_Scan
    Alky for Applications (Windows XP)
    Amazon MP3 Downloader 1.0.10
    Arthur's 1st Grade
    ATI Display Driver
    Avira AntiVir Personal - Free Antivirus
    Big Kahuna Words
    Bing Bar
    Bing Bar Platform
    Bing Rewards Client Installer
    BitComet 1.25
    Broadcom Gigabit Integrated Controller
    BufferChm
    C4200
    C4200_doccd
    c4200_Help
    Cartoon Network
    CCleaner
    Copy
    Coupon Printer for Windows
    Crystalize 2
    CustomerResearchQFolder
    dBpoweramp Music Converter
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    Dropbox
    eSupportQFolder
    F.lux
    FreeRIP v3.42
    Gadget Extractor
    getPlus(R) for Adobe
    Hide and Secret
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    HP Customer Participation Program 9.0
    HP Deskjet 1000 J110 series Basic Device Software
    HP Deskjet 1000 J110 series Help
    HP Imaging Device Functions 9.0
    HP OCR Software 9.0
    HP Photo Creations
    HP Photosmart All-In-One Software 9.0
    HP Photosmart Essential
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Solution Center 9.0
    HP Update
    HPProductAssistant
    HPSSupply
    InfraRecorder
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) 6 Update 4
    Java(TM) 6 Update 7
    Jewel Quest (remove only)
    K-Lite Codec Pack 4.6.2 (Full)
    Lernout & Hauspie TruVoice American English TTS Engine
    LG CyberLink LabelPrint
    LG CyberLink Power2Go
    LG CyberLink PowerBackup
    LG CyberLink PowerDVD
    LG CyberLink PowerProducer
    LG CyberLink YouCam
    LG Power Tools
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    Lost Treasures of Alexandria
    magicJack
    MahJongg Game of Four Winds - Special Edition
    MahJongg Master 2 Special Edition
    Malwarebytes' Anti-Malware version 1.51.2.1300
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Access database engine 2010 (English)
    Microsoft Default Manager
    Microsoft English TTS Engine
    Microsoft Office 2000 Premium
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Streets & Trips 2011
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mortimer Beckett and the Secrets of Spooky Manor
    Mortimer Beckett and the Time Paradox
    Mozilla Firefox (3.6.23)
    Mozilla Thunderbird (3.1.15)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    MyFonts Order M1507743
    Npust Email List Manager Version 1.0.1
    NVIDIA Drivers
    NVIDIA ForceWare Network Access Manager
    NVIDIA nView Desktop Manager
    OpenOffice.org 3.0
    Panopreter
    Paragon Backup & Recovery™ 2011 (Advanced) Free
    PDF reDirect (remove only)
    PDFCreator
    pdfforge Toolbar v4.7
    PhoTags Express
    Promise Array Management (PAM)
    PS_AIO_ProductContext
    PS_AIO_Software
    PS_AIO_Software_min
    PSSWCORE
    Qwest Installer
    Qwest QuickAssist Desktop Tools
    RahJongg - The Curse of Ra Special Edition
    Realtek High Definition Audio Driver
    SAPI Wrapper
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Skype™ 5.5
    SolutionCenter
    Sothink SWF Decompiler
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 9
    SpiceLogic Document 2 Text Converter 1.1
    Spybot - Search & Destroy
    Status
    swMSM
    SyncBack
    Text Master 1.50
    theSkyNet
    Toolbox
    TrayApp
    TRENDnet TEW-421PC or TEW-423PI
    TTS Wrapper
    TTSReader 1.30
    TurboTax 2010
    TurboTax 2010 wcoiper
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wneiper
    TurboTax 2010 wrapper
    Uninstall Dual Mode Camera
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Outlook 2007 Junk Email Filter (KB2553110)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2616676-v2)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VideoLAN VLC media player 0.8.6f
    VideoToolkit01
    Warsow 0.61
    WebFldrs XP
    WebReg
    WIDI Recognition System Pro 3.3 (remove only)
    Windows Defender Signatures
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live installer
    Windows Live Mail
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Sidebar
    Windows XP Service Pack 3
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/17/2011 11:49:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k IntelIde
    11/17/2011 11:49:27 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    11/16/2011 1:01:50 AM, error: Server [2505] - The server could not bind to the transport \Device\NwlnkNb because another computer on the network has the same name. The server could not start.
    11/16/2011 1:01:50 AM, error: Server [2505] - The server could not bind to the transport \Device\NwlnkIpx because another computer on the network has the same name. The server could not start.
    11/14/2011 7:28:47 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
    11/14/2011 7:25:46 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/14/2011 7:22:46 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/10/2011 11:37:37 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
    [​IMG]

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    Broni, your assistance is greatly appreciated. I ran your suggested cleaning tools. Logs appear below. Of note, my machine refuses to do a cold reboot - gives me a black screen with blinking cursor in upper left corner. By repeatedly tapping the Delete key I am able to enter Setup, upon exiting a warm boot is initialized and this is successful. I was able to similarly enter safe-mode via F8 although it took several attempts. This was required to run Combofix. The first scan terminated with a BSOD Stop Error screen after about Stage 6a.

    The logs...

    aswMBR:

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-17 17:52:09
    -----------------------------
    17:52:09.468 OS Version: Windows 5.1.2600 Service Pack 3
    17:52:09.468 Number of processors: 2 586 0x170A
    17:52:09.468 ComputerName: THING2 UserName:
    17:52:09.812 Initialize success
    17:55:36.375 AVAST engine defs: 11111703
    17:56:32.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    17:56:32.609 Disk 0 Vendor: ST3500418AS CC38 Size: 476940MB BusType: 3
    17:56:34.625 Disk 0 MBR read successfully
    17:56:34.640 Disk 0 MBR scan
    17:56:34.656 Disk 0 Windows XP default MBR code
    17:56:34.656 Disk 0 scanning sectors +976768065
    17:56:34.734 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:56:47.187 Service scanning
    17:56:48.000 Modules scanning
    17:56:51.093 Disk 0 trace - called modules:
    17:56:51.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    17:56:51.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a670ab8]
    17:56:51.125 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8a68df18]
    17:56:51.125 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a68b940]
    17:56:56.375 AVAST engine scan C:\WINDOWS
    17:57:02.359 AVAST engine scan C:\WINDOWS\system32
    17:59:08.203 AVAST engine scan C:\WINDOWS\system32\drivers
    17:59:31.937 AVAST engine scan C:\Documents and Settings\Administrator
    18:08:01.218 AVAST engine scan C:\Documents and Settings\All Users
    18:09:47.046 Scan finished successfully
    18:10:19.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    18:10:19.812 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

    -----------------------------------------------------------------------------------------------
    ComboFix:

    ComboFix 11-11-17.03 - Ownergx280 11/17/2011 18:27:14.2.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1626 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Application Data\Local
    c:\documents and settings\Administrator\Application Data\Local\ClipboardManager\Back.up
    c:\documents and settings\Administrator\Application Data\Local\ClipboardManager\Pers.ist
    c:\documents and settings\Administrator\Application Data\Local\ClipboardManager\Temp\0UdF1mGKkmiVf9aN.dll
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
    c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
    c:\documents and settings\All Users\Application Data\TEMP\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe
    c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
    c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
    c:\documents and settings\All Users\Application Data\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
    c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
    c:\windows\system32\%SYSTE~1
    c:\windows\system32\%SYSTE~1\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    c:\windows\system32\%SYSTE~1\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
    c:\windows\system32\%SYSTE~1\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    c:\windows\system32\%SYSTE~1\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\MrvGINA.dll
    c:\windows\system32\Thumbs.db
    c:\windows\winhelp.ini
    c:\windows\XSxS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-17 17:10 . 2011-11-17 17:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-11-17 17:10 . 2011-11-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-11-17 17:10 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-17 17:10 . 2011-11-17 17:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-14 07:08 . 2011-11-17 14:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\DesktopMain32
    2011-11-11 00:36 . 2011-11-17 23:14 -------- d-----w- c:\program files\Microsoft
    2011-11-11 00:36 . 2011-11-17 23:14 -------- d-----w- c:\program files\Bing Bar Installer
    2011-11-11 00:36 . 2011-11-11 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
    2011-11-11 00:36 . 2011-11-11 00:36 -------- d-----w- c:\program files\HP Photo Creations
    2011-11-11 00:36 . 2011-11-11 00:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\HpUpdate
    2011-11-11 00:35 . 2010-10-07 18:05 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
    2011-11-11 00:35 . 2010-10-07 18:05 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
    2011-11-11 00:35 . 2010-10-07 18:05 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
    2011-10-30 04:42 . 2011-10-30 04:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Search Settings
    2011-10-30 04:42 . 2011-10-30 04:42 -------- d-----w- c:\program files\pdfforge Toolbar
    2011-10-30 04:42 . 2011-10-30 04:42 -------- d-----w- c:\program files\Application Updater
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-21 17:21 . 2011-07-21 22:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2006-08-16 15:43 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 17:41 . 2010-03-18 16:09 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 17:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 17:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
    "F.lux"="c:\documents and settings\Administrator\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "Ptipbmf"="ptipbmf.dll" [2003-06-20 118784]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
    "PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
    "UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-29 210216]
    "QwestTouchPointAgent"="c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe" [2010-07-06 45992]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "Bonus.SSR.FR10"="c:\program files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" [2010-01-18 941320]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
    "RTHDCPL"="RTHDCPL.EXE" [2009-04-30 17881088]
    "SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-09-28 894304]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
    Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [N/A]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla\\Firefox\\firefox.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\Warsow 0.6\\warsow_x86.exe"=
    "c:\\Program Files\\Warsow 0.5\\warsow_x86.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [9/18/2011 10:44 AM 57112]
    R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe [11/25/2009 7:19 PM 814344]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 5:05 PM 136360]
    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [9/27/2011 7:08 PM 745880]
    R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 11:02 AM 1213728]
    R2 wrapper;theSkyNet;c:\program files\theSkyNet\wrapper-windows-x86-32.exe [5/25/2011 9:21 AM 431896]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [9/18/2011 1:23 AM 56992]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/18/2011 1:16 AM 1684736]
    S3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [5/2/2008 12:07 PM 3873]
    S3 SQ931;USB 2.0 Video Camera;c:\windows\system32\Drivers\Capt931a.sys --> c:\windows\system32\Drivers\Capt931a.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
    2007-07-28 13:53 1230848 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-17 c:\windows\Tasks\User_Feed_Synchronization-{854E62C0-2DCA-48B9-AD21-B1B13F13B75B}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ask.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v0hxrgc7.default\
    FF - prefs.js: browser.startup.homepage - www.blip.fm
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla\Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - user.js: general.useragent.extra.brc -
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-winWIRpl - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-17 18:35
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1547161642-484061587-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,9e,e4,e1,da,62,4c,41,a2,f5,ce,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,9e,e4,e1,da,62,4c,41,a2,f5,ce,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(776)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(5112)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\hnetcfg.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe
    c:\program files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
    c:\program files\CyberLink\Shared files\RichVideo.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    c:\windows\system32\java.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\RTHDCPL.EXE
    c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-11-17 18:38:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-18 01:38
    .
    Pre-Run: 176,776,376,320 bytes free
    Post-Run: 177,154,334,720 bytes free
    .
    - - End Of File - - 5BF0BF675A252168FD144D98CE60F137
     
  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Could be some hardware issue, which would be a subject to a different forum.

    How are the other issues?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\program files\Common Files\Spigot
    
    DDS::
    Trusted Zone: intuit.com\ttlc
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SearchSettings"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  5. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    I find it a highly suspicious coincidence as I've never had boot issues previously. Anyhow, one problem at a time I guess. Pleased to report performance is much better and currently experiencing no search engine redirects or other unexpected behaviors.

    combofix.txt

    ComboFix 11-11-17.03 - Ownergx280 11/17/2011 21:16:35.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1114 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Common Files\Spigot
    c:\program files\Common Files\Spigot\Search Settings\baidu_ff.xml
    c:\program files\Common Files\Spigot\Search Settings\baidu_ie.xml
    c:\program files\Common Files\Spigot\Search Settings\config.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1031.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1033.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1034.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1036.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1040.ini
    c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
    c:\program files\Common Files\Spigot\Search Settings\yahoo_ff.xml
    c:\program files\Common Files\Spigot\Search Settings\yahoo_ie.xml
    c:\program files\Common Files\Spigot\Search Settings\yandex_ff.xml
    c:\program files\Common Files\Spigot\Search Settings\yandex_ie.xml
    c:\program files\Common Files\Spigot\wtxpcom\chrome.manifest
    c:\program files\Common Files\Spigot\wtxpcom\components\IFBHOHelperWidgiToolbar.xpt
    c:\program files\Common Files\Spigot\wtxpcom\components\IFBHOWidgiToolbar.xpt
    c:\program files\Common Files\Spigot\wtxpcom\install.rdf
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-17 17:10 . 2011-11-17 17:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-11-17 17:10 . 2011-11-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-11-17 17:10 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-17 17:10 . 2011-11-17 17:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-14 07:08 . 2011-11-17 14:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\DesktopMain32
    2011-11-11 00:36 . 2011-11-17 23:14 -------- d-----w- c:\program files\Microsoft
    2011-11-11 00:36 . 2011-11-17 23:14 -------- d-----w- c:\program files\Bing Bar Installer
    2011-11-11 00:36 . 2011-11-11 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
    2011-11-11 00:36 . 2011-11-11 00:36 -------- d-----w- c:\program files\HP Photo Creations
    2011-11-11 00:36 . 2011-11-11 00:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\HpUpdate
    2011-11-11 00:35 . 2010-10-07 18:05 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
    2011-11-11 00:35 . 2010-10-07 18:05 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
    2011-11-11 00:35 . 2010-10-07 18:05 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
    2011-10-30 04:42 . 2011-10-30 04:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Search Settings
    2011-10-30 04:42 . 2011-10-30 04:42 -------- d-----w- c:\program files\pdfforge Toolbar
    2011-10-30 04:42 . 2011-10-30 04:42 -------- d-----w- c:\program files\Application Updater
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-21 17:21 . 2011-07-21 22:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2006-08-16 15:43 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 17:41 . 2010-03-18 16:09 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 17:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 17:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-18_01.35.09 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-11-18 04:21 . 2011-11-18 04:21 16384 c:\windows\temp\Perflib_Perfdata_63c.dat
    + 2004-08-04 12:00 . 2011-11-18 01:38 89564 c:\windows\system32\perfc009.dat
    - 2004-08-04 12:00 . 2011-11-18 01:36 89564 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2011-11-18 01:38 506226 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2011-11-18 01:36 506226 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
    "F.lux"="c:\documents and settings\Administrator\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "Ptipbmf"="ptipbmf.dll" [2003-06-20 118784]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
    "PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
    "UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-29 210216]
    "QwestTouchPointAgent"="c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe" [2010-07-06 45992]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "Bonus.SSR.FR10"="c:\program files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" [2010-01-18 941320]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
    "RTHDCPL"="RTHDCPL.EXE" [2009-04-30 17881088]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
    Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [N/A]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla\\Firefox\\firefox.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\Warsow 0.6\\warsow_x86.exe"=
    "c:\\Program Files\\Warsow 0.5\\warsow_x86.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [9/18/2011 10:44 AM 57112]
    R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe [11/25/2009 7:19 PM 814344]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 5:05 PM 136360]
    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [9/27/2011 7:08 PM 745880]
    R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 11:02 AM 1213728]
    R2 wrapper;theSkyNet;c:\program files\theSkyNet\wrapper-windows-x86-32.exe [5/25/2011 9:21 AM 431896]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [9/18/2011 1:23 AM 56992]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/18/2011 1:16 AM 1684736]
    S3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [5/2/2008 12:07 PM 3873]
    S3 SQ931;USB 2.0 Video Camera;c:\windows\system32\Drivers\Capt931a.sys --> c:\windows\system32\Drivers\Capt931a.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
    2007-07-28 13:53 1230848 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-17 c:\windows\Tasks\User_Feed_Synchronization-{854E62C0-2DCA-48B9-AD21-B1B13F13B75B}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ask.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v0hxrgc7.default\
    FF - prefs.js: browser.startup.homepage - www.blip.fm
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla\Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla\Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - user.js: general.useragent.extra.brc -
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-17 21:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1547161642-484061587-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,9e,e4,e1,da,62,4c,41,a2,f5,ce,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,9e,e4,e1,da,62,4c,41,a2,f5,ce,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(776)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(4608)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\hnetcfg.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe
    c:\program files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
    c:\program files\CyberLink\Shared files\RichVideo.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    c:\windows\system32\java.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\RTHDCPL.EXE
    c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-11-17 21:26:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-18 04:26
    ComboFix2.txt 2011-11-18 01:38
    .
    Pre-Run: 177,135,140,864 bytes free
    Post-Run: 177,114,906,624 bytes free
    .
    - - End Of File - - A9912ECFAAD5C6F463B1FFE34A1C5759
     
  6. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Good news :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    otl.txt - part 1 of 2

    OTL logfile created on: 11/17/2011 10:54:06 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.87 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 58.79% Memory free
    3.60 Gb Paging File | 2.86 Gb Available in Paging File | 79.47% Paging File free
    Paging file location(s): C:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 233.33 Gb Total Space | 164.98 Gb Free Space | 70.71% Space Free | Partition Type: NTFS
    Drive E: | 232.43 Gb Total Space | 232.36 Gb Free Space | 99.97% Space Free | Partition Type: NTFS

    Computer Name: THING2 | User Name: Ownergx280 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/11/17 22:51:54 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    PRC - [2011/09/27 19:08:40 | 000,745,880 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe
    PRC - [2011/06/28 23:42:43 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2011/05/25 13:07:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
    PRC - [2011/05/25 09:21:10 | 000,431,896 | ---- | M] (Tanuki Software, Ltd.) -- C:\Program Files\theSkyNet\wrapper-windows-x86-32.exe
    PRC - [2011/05/04 03:52:32 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\java.exe
    PRC - [2011/04/27 23:24:59 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2010/11/02 23:26:02 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/08/23 19:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    PRC - [2010/07/06 13:14:43 | 000,045,992 | ---- | M] (Qwest Communications) -- C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe
    PRC - [2010/01/14 19:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2009/11/25 19:19:11 | 000,814,344 | ---- | M] (ABBYY) -- C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe
    PRC - [2009/10/14 12:36:56 | 002,793,304 | ---- | M] () -- C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    PRC - [2009/10/14 12:34:18 | 000,560,472 | ---- | M] () -- C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
    PRC - [2009/10/07 00:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
    PRC - [2009/08/28 23:00:12 | 000,966,656 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Apps\F.lux\flux.exe
    PRC - [2009/07/23 16:23:56 | 000,178,720 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    PRC - [2009/07/23 16:23:54 | 000,387,616 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    PRC - [2009/06/03 18:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    PRC - [2009/04/15 21:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
    PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/01/08 11:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
    PRC - [2003/08/20 12:01:56 | 000,679,936 | ---- | M] (Promise Technology, Inc.) -- C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe
    PRC - [2003/07/17 12:59:58 | 000,323,584 | ---- | M] () -- C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/10/17 10:07:46 | 000,998,400 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\90b90e700e59d73d6d692cf74e1ba16e\System.Management.ni.dll
    MOD - [2011/10/17 10:06:48 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll
    MOD - [2011/10/17 10:06:43 | 000,311,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\81096bfe85eb0da5f05e8a127ffa43b2\System.Runtime.Serialization.Formatters.Soap.ni.dll
    MOD - [2011/10/17 10:06:42 | 001,840,640 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\6303e256d2ac0843c3e4c24172c90544\System.Web.Services.ni.dll
    MOD - [2011/10/17 09:57:05 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\bce0720436dc6cb76006377f295ea365\System.Configuration.ni.dll
    MOD - [2011/10/17 09:55:12 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll
    MOD - [2011/10/17 09:55:08 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\71a2ae9ad561a62181cbd9fb11e9de7a\System.Windows.Forms.ni.dll
    MOD - [2011/10/17 09:54:58 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll
    MOD - [2011/10/17 09:53:59 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
    MOD - [2011/10/17 09:53:52 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
    MOD - [2011/10/17 09:52:47 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
    MOD - [2011/10/17 09:52:46 | 003,182,592 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
    MOD - [2011/10/17 09:52:45 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2011/10/17 09:52:45 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
    MOD - [2011/10/17 09:52:41 | 000,626,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
    MOD - [2011/10/17 09:52:41 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
    MOD - [2011/10/17 09:52:40 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
    MOD - [2011/10/17 09:52:39 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
    MOD - [2011/10/17 09:52:37 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
    MOD - [2011/10/17 09:52:32 | 005,025,792 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    MOD - [2011/05/25 18:21:41 | 000,854,016 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll
    MOD - [2011/05/25 18:21:39 | 000,270,336 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll
    MOD - [2011/05/25 18:21:38 | 000,476,520 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
    MOD - [2011/05/25 18:21:38 | 000,409,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll
    MOD - [2011/05/25 18:21:35 | 000,046,952 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll
    MOD - [2011/05/25 18:21:34 | 000,421,224 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll
    MOD - [2011/05/25 18:21:34 | 000,269,672 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\3.1.26.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll
    MOD - [2011/05/25 18:21:34 | 000,023,912 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.dll
    MOD - [2011/05/25 18:21:34 | 000,018,792 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll
    MOD - [2011/05/25 18:21:34 | 000,012,136 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll
    MOD - [2011/05/25 18:21:33 | 000,121,704 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll
    MOD - [2011/05/25 18:21:33 | 000,120,168 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll
    MOD - [2011/05/25 18:21:33 | 000,070,504 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll
    MOD - [2010/02/05 11:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
    MOD - [2010/01/28 10:57:58 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
    MOD - [2009/10/14 12:36:56 | 002,793,304 | ---- | M] () -- C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    MOD - [2009/10/14 12:34:18 | 000,560,472 | ---- | M] () -- C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
    MOD - [2009/08/28 23:00:12 | 000,966,656 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Apps\F.lux\flux.exe
    MOD - [2009/07/23 16:23:56 | 000,178,720 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    MOD - [2009/07/23 16:23:54 | 000,387,616 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    MOD - [2009/07/23 16:23:48 | 000,436,768 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\SpecialCase.dll
    MOD - [2009/07/23 16:23:08 | 000,068,128 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nv_common.dll
    MOD - [2009/06/03 18:59:14 | 000,013,096 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
    MOD - [2009/06/03 18:59:02 | 000,619,816 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
    MOD - [2008/08/04 23:07:20 | 000,065,216 | ---- | M] () -- C:\WINDOWS\system32\PDFreDirectMonNT.dll
    MOD - [2008/04/13 17:12:03 | 000,192,512 | ---- | M] () -- C:\WINDOWS\system32\qcap.dll
    MOD - [2008/04/13 17:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
    MOD - [2008/04/13 17:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
    MOD - [2003/07/17 12:59:58 | 000,323,584 | ---- | M] () -- C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
    MOD - [2001/10/28 14:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/09/27 19:08:40 | 000,745,880 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
    SRV - [2011/06/28 23:42:43 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2011/05/25 09:21:10 | 000,431,896 | ---- | M] (Tanuki Software, Ltd.) [Auto | Running] -- C:\Program Files\theSkyNet\wrapper-windows-x86-32.exe -- (wrapper)
    SRV - [2011/04/27 23:24:59 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2010/08/23 19:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2009/11/25 19:19:11 | 000,814,344 | ---- | M] (ABBYY) [Auto | Running] -- C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Professional.10.0)
    SRV - [2009/10/07 00:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
    SRV - [2009/07/23 16:23:56 | 000,178,720 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp)
    SRV - [2009/07/23 16:23:54 | 000,387,616 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
    SRV - [2008/12/01 08:59:52 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
    SRV - [2008/01/08 11:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe -- (sprtlisten)
    SRV - [2008/01/08 11:02:12 | 000,394,608 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
    SRV - [2005/10/06 15:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)
    SRV - [2003/08/20 12:01:56 | 000,679,936 | ---- | M] (Promise Technology, Inc.) [Auto | Running] -- C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe -- (RAIDmAgt)
    SRV - [2003/07/17 12:59:58 | 000,323,584 | ---- | M] () [Auto | Running] -- C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe -- (RAIDmSvr)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/06/28 23:42:44 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2011/06/28 23:42:44 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2011/01/21 13:52:18 | 000,381,032 | ---- | M] (Paragon) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Uim_IM.sys -- (Uim_IM)
    DRV - [2011/01/21 13:52:18 | 000,057,112 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hotcore3.sys -- (hotcore3)
    DRV - [2011/01/21 13:52:18 | 000,040,824 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\UimBus.sys -- (UimBus)
    DRV - [2010/02/11 05:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
    DRV - [2009/10/07 00:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2009/08/30 07:13:26 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
    DRV - [2009/08/11 00:19:20 | 000,056,992 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
    DRV - [2009/07/01 10:53:34 | 000,013,824 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
    DRV - [2009/07/01 10:53:30 | 000,066,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
    DRV - [2009/06/28 23:36:36 | 000,017,920 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
    DRV - [2009/05/11 09:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 07:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2009/05/04 16:22:54 | 005,075,968 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2009/04/30 16:01:34 | 000,265,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
    DRV - [2009/04/30 15:55:56 | 002,687,512 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
    DRV - [2009/04/30 15:55:32 | 000,013,976 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
    DRV - [2008/08/05 19:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
    DRV - [2008/05/02 12:07:33 | 000,003,873 | ---- | M] (Promise Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys -- (FTEventService)
    DRV - [2008/04/13 11:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
    DRV - [2008/03/07 18:31:52 | 000,062,570 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jl2005c.sys -- (JL2005C)
    DRV - [2006/02/23 12:52:50 | 000,280,576 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MRV8335XP.sys -- (W8335XP)
    DRV - [2006/01/04 20:46:40 | 001,420,288 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2006/01/04 14:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
    DRV - [2004/09/17 06:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
    DRV - [2004/08/23 11:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2004/08/04 05:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
    DRV - [2004/08/04 05:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
    DRV - [2003/08/06 07:44:40 | 000,159,744 | R--- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\fasttx2k.sys -- (fasttx2k)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1547161642-484061587-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ask.com/
    IE - HKU\S-1-5-21-1547161642-484061587-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=971163"
    FF - prefs.js..browser.startup.homepage: "www.blip.fm"
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: pdfforge@mybrowserbar.com:4.7
    FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p="


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla\Firefox\components [2011/10/12 23:44:03 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla\Firefox\plugins [2011/10/01 02:21:58 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.15\extensions\\Components: C:\Program Files\Mozilla\Thunderbird\components [2011/09/27 18:40:00 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.15\extensions\\Plugins: C:\Program Files\Mozilla\Thunderbird\plugins

    [2011/04/09 23:44:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
    [2011/04/09 23:44:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
    [2011/11/17 18:50:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v0hxrgc7.default\extensions
    [2010/06/22 10:23:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v0hxrgc7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/04/27 22:18:49 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v0hxrgc7.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
    [2011/04/27 22:18:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v0hxrgc7.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash
    [2011/08/18 06:02:24 | 000,000,000 | ---D | M] (Sothink Flash Downloader) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v0hxrgc7.default\extensions\{BAEBEF65-9289-47c5-8524-C345CC5D860D}
    [2011/10/02 12:07:57 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v0hxrgc7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    [2010/04/22 10:23:12 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2009/06/14 06:07:38 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    [2009/11/27 03:52:07 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    [2010/04/22 10:23:26 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/09/22 01:20:32 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/11/26 21:22:22 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011/04/04 01:16:03 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2011/06/28 17:00:33 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    [2011/10/29 21:42:09 | 000,000,000 | ---D | M] (pdfforge Toolbar) -- C:\PROGRAM FILES\PDFFORGE TOOLBAR\FF

    O1 HOSTS File: ([2011/11/17 21:21:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.12.6.dll (BitComet)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [Bonus.SSR.FR10] C:\Program Files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe (ABBYY.)
    O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
    O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
    O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [Ptipbmf] C:\WINDOWS\System32\ptipbmf.dll (Promise Technology, Inc.)
    O4 - HKLM..\Run: [QwestTouchPointAgent] C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe (Qwest Communications)
    O4 - HKLM..\Run: [RemoteControl8] C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePPShortCut] C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKU\S-1-5-21-1547161642-484061587-725345543-500..\Run: [F.lux] C:\Documents and Settings\Administrator\Local Settings\Apps\F.lux\flux.exe ()
    O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Logitech . Product Registration.lnk = File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1547161642-484061587-725345543-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1547161642-484061587-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1547161642-484061587-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1547161642-484061587-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
    O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
    O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.12.6.dll (BitComet)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
    O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155752918890 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223411901546 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2656D79E-3E2C-4C75-B793-DDFA38B8828D}: DhcpNameServer = 192.168.0.1 205.171.3.25
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B71CF50C-691D-4222-9E77-2AEA0074298B}: DhcpNameServer = 192.168.0.1 205.171.3.25
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/08/16 08:46:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
    Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: VIDC.I420 - C:\WINDOWS\System32\LVCodec2.dll (Logitech Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.JDCT - C:\WINDOWS\System32\jl_jdct.drv (JEILIN Tech.)
    Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
    Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point
     
  8. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    otl.txt - part 2 of 2

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/11/17 22:51:54 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2011/11/17 18:32:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2011/11/17 18:14:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/11/17 18:13:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/11/17 18:13:36 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/11/17 18:13:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/11/17 18:13:36 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/11/17 18:13:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/11/17 18:13:27 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/11/17 17:48:40 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
    [2011/11/17 16:10:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
    [2011/11/17 10:10:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    [2011/11/17 10:10:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/11/17 10:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/11/17 10:10:26 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/11/17 10:10:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/11/17 09:17:58 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\dds.scr
    [2011/11/17 09:15:19 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.51.2.1300.exe
    [2011/11/17 08:53:10 | 004,299,372 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2011/11/16 05:58:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\csstooltips
    [2011/11/16 05:57:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\RoundTwo2011
    [2011/11/16 05:55:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\LegoRoboArm
    [2011/11/14 00:08:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DesktopMain32
    [2011/11/13 20:49:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\eddiemachado-bones-html-181e250
    [2011/11/13 20:48:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\eddiemachado-bones-responsive-9600fda
    [2011/11/13 20:45:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\eddiemachado-bones-v1.06-97-g38a5cea
    [2011/11/10 17:36:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
    [2011/11/10 17:36:37 | 000,000,000 | ---D | C] -- C:\Program Files\Bing Bar Installer
    [2011/11/10 17:36:36 | 000,000,000 | ---D | C] -- C:\Program Files\HP Photo Creations
    [2011/11/10 17:36:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP Photo Creations
    [2011/11/10 17:36:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\HpUpdate
    [2011/11/09 09:15:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\RoundThreeApps2011
    [2011/10/31 15:22:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Flux
    [2011/10/29 21:42:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Search Settings
    [2011/10/29 21:42:08 | 000,000,000 | ---D | C] -- C:\Program Files\pdfforge Toolbar
    [2011/10/29 21:42:08 | 000,000,000 | ---D | C] -- C:\Program Files\Application Updater
    [2011/10/28 19:07:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Color Blender_files
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/11/17 22:51:54 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2011/11/17 21:33:55 | 000,506,226 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/11/17 21:33:55 | 000,089,564 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/11/17 21:29:42 | 000,249,324 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
    [2011/11/17 21:29:39 | 000,000,129 | ---- | M] () -- C:\WINDOWS\MsgAgt.INI
    [2011/11/17 21:29:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/11/17 21:21:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/11/17 18:24:56 | 2012,459,008 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
    [2011/11/17 18:14:40 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/11/17 18:10:19 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
    [2011/11/17 17:48:46 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
    [2011/11/17 14:49:11 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{854E62C0-2DCA-48B9-AD21-B1B13F13B75B}.job
    [2011/11/17 10:10:30 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/17 09:40:36 | 001,545,858 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
    [2011/11/17 09:21:23 | 001,008,092 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.exe
    [2011/11/17 09:17:58 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\dds.scr
    [2011/11/17 09:17:13 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tx4lsntn.exe
    [2011/11/17 09:15:38 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.51.2.1300.exe
    [2011/11/17 08:57:45 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/11/17 08:53:22 | 004,299,372 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2011/11/17 07:45:15 | 000,385,928 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DailyResponseReport.csv
    [2011/11/17 07:42:45 | 001,430,488 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\report_2011-11-17.csv
    [2011/11/16 14:10:18 | 001,242,383 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\bookmarks.html
    [2011/11/16 07:42:38 | 000,053,009 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\YouthTouch_Grant_Rndthree11_Letter.pdf
    [2011/11/16 06:03:30 | 001,424,706 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\report_2011-11-16.csv
    [2011/11/16 01:01:42 | 000,001,789 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
    [2011/11/15 14:32:43 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
    [2011/11/15 14:27:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/11/14 21:26:09 | 000,418,725 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\WVstatequarter.pdf
    [2011/11/14 21:14:51 | 006,608,933 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\WVirginiaTourismMap.pdf
    [2011/11/13 18:24:09 | 000,001,617 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\contacts_from_MagicJack.csv
    [2011/11/12 00:45:50 | 000,003,698 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\csstooltips.zip
    [2011/11/05 04:13:09 | 004,977,662 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RingCentralManual.pdf
    [2011/10/28 19:07:46 | 000,039,528 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Color Blender.htm
    [2011/10/20 23:41:59 | 000,337,653 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Caiou'sGarden.pdf
    [2011/10/19 02:50:07 | 007,344,340 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\waterstory.pdf
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/11/17 18:14:40 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/11/17 18:14:36 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/11/17 18:13:36 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/11/17 18:13:36 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/11/17 18:13:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/11/17 18:13:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/11/17 18:13:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/11/17 18:10:19 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
    [2011/11/17 10:10:30 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/17 09:40:30 | 001,545,858 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
    [2011/11/17 09:21:22 | 001,008,092 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.exe
    [2011/11/17 09:17:13 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tx4lsntn.exe
    [2011/11/17 07:42:44 | 001,430,488 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\report_2011-11-17.csv
    [2011/11/16 14:10:17 | 001,242,383 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\bookmarks.html
    [2011/11/16 07:44:30 | 000,053,009 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\YouthTouch_Grant_Rndthree11_Letter.pdf
    [2011/11/16 06:03:30 | 001,424,706 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\report_2011-11-16.csv
    [2011/11/15 17:50:59 | 2012,459,008 | ---- | C] () -- C:\WINDOWS\MEMORY.DMP
    [2011/11/15 14:32:43 | 000,000,694 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
    [2011/11/14 21:26:09 | 000,418,725 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\WVstatequarter.pdf
    [2011/11/14 21:14:51 | 006,608,933 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\WVirginiaTourismMap.pdf
    [2011/11/12 00:45:49 | 000,003,698 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\csstooltips.zip
    [2011/11/09 10:13:29 | 000,001,617 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\contacts_from_MagicJack.csv
    [2011/11/05 04:13:09 | 004,977,662 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RingCentralManual.pdf
    [2011/10/28 19:07:46 | 000,039,528 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Color Blender.htm
    [2011/10/27 23:25:43 | 001,654,771 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\spokhallcrfeb33.pdf
    [2011/10/20 23:41:59 | 000,337,653 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Caiou'sGarden.pdf
    [2011/10/19 02:50:04 | 007,344,340 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\waterstory.pdf
    [2011/09/18 01:16:41 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\drivers\rtkhdaud.dat
    [2011/09/18 01:10:06 | 000,006,136 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
    [2011/09/18 01:09:30 | 001,597,690 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
    [2011/09/18 01:07:07 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/05/31 14:23:51 | 001,755,224 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/12/14 15:23:06 | 000,139,620 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
    [2010/12/14 15:23:06 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
    [2010/09/01 09:23:17 | 000,000,161 | ---- | C] () -- C:\WINDOWS\youtube2mp3.ini
    [2010/08/30 12:46:40 | 000,000,637 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2010/08/30 12:45:21 | 000,001,302 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
    [2010/06/26 14:47:57 | 005,653,224 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
    [2010/06/26 14:47:57 | 000,015,341 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Music Converter.dat
    [2009/12/25 20:08:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
    [2009/12/20 18:36:39 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/11/27 13:01:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
    [2009/11/27 12:57:09 | 000,000,091 | ---- | C] () -- C:\WINDOWS\WSIMFARM.INI
    [2009/11/27 12:56:59 | 000,136,448 | ---- | C] () -- C:\WINDOWS\RMTOOLS.DLL
    [2009/11/09 13:17:47 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/11/06 22:45:12 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
    [2009/10/07 00:46:36 | 000,025,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
    [2009/10/07 00:23:08 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
    [2009/10/04 11:21:15 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Pt.dll
    [2009/04/23 07:59:03 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
    [2009/04/15 10:46:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2009/02/25 15:12:23 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
    [2009/02/25 14:55:17 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2009/02/25 14:55:15 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2009/02/25 14:55:15 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2009/02/25 14:55:15 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2009/02/25 14:55:13 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2008/08/04 23:07:20 | 000,065,216 | ---- | C] () -- C:\WINDOWS\System32\PDFreDirectMonNT.dll
    [2008/05/02 12:03:07 | 000,000,129 | ---- | C] () -- C:\WINDOWS\MsgAgt.INI
    [2007/12/11 07:18:54 | 000,112,425 | R--- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2006/08/16 08:49:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2006/08/16 08:42:55 | 000,023,348 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2006/08/16 04:35:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/08/16 04:34:02 | 000,319,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004/08/04 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 05:00:00 | 000,506,226 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 05:00:00 | 000,089,564 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 05:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [1999/01/22 06:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

    ========== LOP Check ==========

    [2010/09/20 08:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Amazon
    [2010/04/14 16:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ashampoo
    [2011/07/17 14:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BitComet
    [2011/11/17 21:30:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Dropbox
    [2009/05/13 22:04:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Elluminate
    [2011/03/03 16:40:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
    [2009/06/05 17:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InfraRecorder
    [2009/12/02 21:41:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LTOA
    [2011/08/10 19:51:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mjusbsp
    [2010/12/15 20:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Music Recognition
    [2009/02/25 15:02:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org
    [2010/04/20 08:55:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PDF reDirect
    [2010/05/19 12:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\pdfforge
    [2011/10/29 21:42:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Search Settings
    [2011/09/27 18:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Thunderbird
    [2010/05/16 09:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Warsow 0.5
    [2010/12/25 18:22:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Warsow 0.6
    [2010/04/14 16:03:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
    [2010/08/30 12:45:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
    [2011/09/18 10:47:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\launcher
    [2010/08/28 16:40:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\magicJack
    [2010/08/28 12:51:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Qwest
    [2011/11/17 14:49:11 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{854E62C0-2DCA-48B9-AD21-B1B13F13B75B}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2011/02/11 15:41:21 | 000,063,333 | ---- | M] () -- C:\11secrets.html
    [2006/08/16 08:46:44 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2011/01/14 19:31:22 | 000,149,631 | ---- | M] () -- C:\bkpVirginiaEMAILS.txt
    [2011/09/18 06:09:05 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/11/17 18:14:40 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/11/17 21:26:05 | 000,018,881 | ---- | M] () -- C:\ComboFix.txt
    [2006/08/16 08:46:44 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2011/11/17 21:29:52 | 000,008,522 | ---- | M] () -- C:\Facilitator.log
    [2006/08/16 08:46:44 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2006/08/16 08:46:44 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/05/09 08:20:23 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/11/17 21:29:15 | 2012,459,008 | -HS- | M] () -- C:\pagefile.sys
    [2007/08/11 22:59:28 | 000,375,054 | ---- | M] () -- C:\Splash.bmp
    [2011/01/27 16:41:42 | 000,115,795 | ---- | M] () -- C:\Virginia2EMAILS.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 13:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 12:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 13:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 12:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2011/09/18 00:57:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/03/28 13:57:34 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5ha.dll
    [2006/10/26 18:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
    [2008/07/06 03:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2008/07/18 11:34:32 | 000,586,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2011/01/07 12:03:33 | 000,001,642 | -H-- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\LastFlashConfig.WFC

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2011/09/17 18:46:39 | 000,524,288 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2011/09/17 11:38:49 | 000,262,144 | ---- | M] () -- C:\WINDOWS\System32\config\security.sav
    [2011/09/17 18:46:39 | 042,729,472 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2011/09/17 18:46:39 | 007,077,888 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2011/09/18 10:01:59 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2006/11/30 13:04:17 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2006/11/30 13:04:08 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/11/17 17:48:46 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
    [2011/11/17 09:46:44 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Administrator\Desktop\ATF-Cleaner.exe
    [2011/11/17 08:53:22 | 004,299,372 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2011/11/17 09:15:38 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.51.2.1300.exe
    [2011/11/17 22:51:54 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
    [2011/11/17 09:21:23 | 001,008,092 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.exe
    [2011/11/17 09:17:13 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tx4lsntn.exe
    [2011/11/17 09:53:32 | 015,134,664 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\Desktop\windows-kb890830-v4.2.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2009/03/10 12:52:29 | 022,058,104 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\antivir_workstation_winu_en_h.exe
    [2010/04/14 16:00:50 | 008,669,936 | ---- | M] (ashampoo GmbH & Co. KG ) -- C:\Documents and Settings\Administrator\My Documents\ashampoo_burning_studio_6_free_6.77_4280.exe
    [2010/03/06 14:13:25 | 008,999,072 | ---- | M] (Neevia Technology ) -- C:\Documents and Settings\Administrator\My Documents\dppro.exe
    [2010/04/20 07:40:45 | 006,409,944 | ---- | M] (EXP Systems LLC) -- C:\Documents and Settings\Administrator\My Documents\Install_PDFR_v228.exe
    [2010/02/28 10:26:01 | 003,751,529 | ---- | M] (panopreter company ) -- C:\Documents and Settings\Administrator\My Documents\PanopreterEng Setup.exe
    [2010/04/14 16:02:02 | 006,267,659 | ---- | M] (Koyote Soft ) -- C:\Documents and Settings\Administrator\My Documents\Setup_FreeFlvConverterN.exe
    [2010/03/06 14:13:37 | 000,573,767 | ---- | M] (NonTube Software ) -- C:\Documents and Settings\Administrator\My Documents\textmaster.exe
    [2011/09/13 10:19:31 | 000,719,905 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\theSkyNet_Install_32.exe
    [2011/09/27 18:35:38 | 009,485,728 | ---- | M] (Mozilla) -- C:\Documents and Settings\Administrator\My Documents\Thunderbird Setup 3.1.11.exe
    [2010/03/06 14:08:38 | 005,378,099 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\trialEmailManager.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2006/11/30 13:04:09 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/11/17 21:30:51 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2004/09/22 15:46:10 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 02:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/03 22:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/03 22:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 07:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 20:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 02:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 20:37:24 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 20:37:24 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 20:37:26 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/03 22:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/03 22:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\Administrator\My Documents\YouthTouch_Grant_Canada11_Letter.pdf:SummaryInformation

    < End of report >
     
  9. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    A small section of Extras.Txt. Forum is kicking post back due to a claimed 9 images. See if I can find where the problem is. I don't see any images or image tags in this text file.

    OTL Extras logfile created on: 11/17/2011 10:54:06 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.87 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 58.79% Memory free
    3.60 Gb Paging File | 2.86 Gb Available in Paging File | 79.47% Paging File free
    Paging file location(s): C:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 233.33 Gb Total Space | 164.98 Gb Free Space | 70.71% Space Free | Partition Type: NTFS
    Drive E: | 232.43 Gb Total Space | 232.36 Gb Free Space | 99.97% Space Free | Partition Type: NTFS

    Computer Name: THING2 | User Name: Ownergx280 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla\Firefox\firefox.exe (Mozilla Corporation)
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-1547161642-484061587-725345543-500\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla\Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    https [open] -- "C:\Program Files\Mozilla\Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [mplayerc.enqueue] -- "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" /add "%1" (mpc-hc@Sourceforge)
    Directory [mplayerc.play] -- "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" "%1" (mpc-hc@Sourceforge)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
     
  10. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    ...missing portion omitted due to image tag errors.

    final section - extras.txt

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
    "{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
    "{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = LG CyberLink YouCam
    "{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
    "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
    "{0E794924-17AC-4565-96C7-960D40F8B61E}" = TurboTax 2010 wcoiper
    "{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
    "{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
    "{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
    "{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
    "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = LG Power Tools
    "{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
    "{22CFB202-3D2D-44E2-BB7C-6F703B99919B}" = pdfforge Toolbar v4.7
    "{24508D50-EB8F-4FE6-B69D-B4935D8745EF}_is1" = Warsow 0.61
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 26
    "{29F15D3F-5B37-44DB-BB89-390B3AD1404E}" = TRENDnet TEW-421PC or TEW-423PI
    "{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
    "{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = LG CyberLink PowerDVD
    "{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}" = Windows Live Photo Gallery
    "{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
    "{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java(TM) 6 Update 4
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = LG CyberLink Power2Go
    "{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4AE43B07-C452-4EE9-B5D8-0FD1F3396D30}" = Cartoon Network
    "{4AE43B07-C452-4EE9-B5D8-0FD1F3396D31}" = Cartoon Network
    "{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
    "{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.42
    "{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
    "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
    "{6DCB9F1F-3BCC-4078-B90C-439017F1806C}" = Crystalize 2
    "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
    "{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
    "{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
    "{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
    "{8DCC4911-EC3D-41E9-85C9-168CA356EFE1}" = Lost Treasures of Alexandria
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90140000-00D1-0409-0000-0000000FF1CE}" = Microsoft Access database engine 2010 (English)
    "{9021848E-F315-44C7-8D45-3B16162AA73A}" = TurboTax 2010 wneiper
    "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
    "{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine
    "{96172E04-BB14-45F6-A77B-8EE7A421B903}" = SAPI Wrapper
    "{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}" = TTS Wrapper
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
    "{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
    "{A63E18AC-B504-4045-AFE6-A279BBABB988}" = Qwest QuickAssist Desktop Tools
    "{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
    "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{ACA85783-8EEA-4f0a-B2A3-A8173F30209F}" = C4200_doccd
    "{ADD5DB49-72CF-11D8-9D75-000129760D75}" = LG CyberLink PowerBackup
    "{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
    "{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
    "{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
    "{B09BCBF6-87EE-4403-A336-3A9510856535}" = HP Photosmart All-In-One Software 9.0
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = LG CyberLink PowerProducer
    "{BB05D173-9681-4812-A7FA-BD4042A3DA00}" = Alky for Applications (Windows XP)
    "{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
    "{BCDB856C-D247-4DEE-9132-89C02F4D6B8C}_is1" = Sothink SWF Decompiler
    "{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
    "{BFDE4176-5DFE-4db9-AA00-8F30CB001BDA}" = c4200_Help
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C268B5E1-A5DA-11DF-A289-005056C00008}" = Paragon Backup & Recovery™ 2011 (Advanced) Free
    "{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
    "{C39E671D-0528-4c5e-A034-8470C5BC393A}" = C4200
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LG CyberLink LabelPrint
    "{C82185E8-C27B-4EF4-2011-4444BC2C2B6D}" = Microsoft Streets & Trips 2011
    "{C8838D06-D7DB-4CB0-BF13-7191D2D84C42}" = Gadget Extractor
    "{C96FF998-45BD-411E-9253-B7F2660FE280}" = Qwest Installer
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
    "{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
    "{D8B7A682-20DA-4797-8415-B1FB14D4D32B}" = PS_AIO_Software
    "{DDDFCC77-7F9C-45E9-B38E-721BA599BA0C}" = HP Deskjet 1000 J110 series Help
    "{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
    "{E28750A2-45F2-4b63-99F7-9F81A94B1E2D}" = PS_AIO_Software_min
    "{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F1000000-0001-0000-0000-074957833700}" = ABBYY FineReader 10 Professional Edition
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
    "{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
    "{F4B1B985-F308-4DBA-BFD7-CCCB8839234B}" = HP Deskjet 1000 J110 series Basic Device Software
    "{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
    "{F81292A0-272B-5EAC-57F1-2B33C25B360D}" = MyFonts Order M1507743
    "{FC9D4665-8553-4EBB-9456-31FD98D8C62D}" = Promise Array Management (PAM)
    "{FD7F242B-9AA0-40c3-941E-3A9821D19C09}" = PS_AIO_ProductContext
    "{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "1-Click YouTube To MP3 Converter_is1" = 1-Click YouTube To MP3 Converter 2.2
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
    "Arthur's 1st Grade" = Arthur's 1st Grade
    "ATI Display Driver" = ATI Display Driver
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "Big Kahuna Words_is1" = Big Kahuna Words
    "BitComet" = BitComet 1.25
    "CCleaner" = CCleaner
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
    "dBpoweramp Music Converter" = dBpoweramp Music Converter
    "Digital Editions" = Adobe Digital Editions
    "Dual Mode Camera_is1" = Uninstall Dual Mode Camera
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "Hide and Secret" = Hide and Secret
    "HP Imaging Device Functions" = HP Imaging Device Functions 9.0
    "HP Photo Creations" = HP Photo Creations
    "HP Photosmart Essential" = HP Photosmart Essential 2.01
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
    "HPExtendedCapabilities" = HP Customer Participation Program 9.0
    "HPOCR" = HP OCR Software 9.0
    "ie8" = Windows Internet Explorer 8
    "InfraRecorder" = InfraRecorder
    "InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = LG CyberLink YouCam
    "InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = LG Power Tools
    "InstallShield_{29F15D3F-5B37-44DB-BB89-390B3AD1404E}" = TRENDnet TEW-421PC or TEW-423PI
    "InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = LG CyberLink PowerDVD
    "InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = LG CyberLink Power2Go
    "InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
    "InstallShield_{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = LG CyberLink PowerProducer
    "InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
    "InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LG CyberLink LabelPrint
    "Jewel Quest" = Jewel Quest (remove only)
    "KLiteCodecPack_is1" = K-Lite Codec Pack 4.6.2 (Full)
    "lvdrivers_12.10" = Logitech Webcam Software Driver Package
    "MahJongg Game of Four Winds - Special Edition" = MahJongg Game of Four Winds - Special Edition
    "MahJongg Master 2 Special Edition" = MahJongg Master 2 Special Edition
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Mortimer Beckett and the Secrets of Spooky Manor" = Mortimer Beckett and the Secrets of Spooky Manor
    "Mortimer Beckett and the Time Paradox1.0.1" = Mortimer Beckett and the Time Paradox
    "Mozilla Firefox (3.6.23)" = Mozilla Firefox (3.6.23)
    "Mozilla Thunderbird (3.1.15)" = Mozilla Thunderbird (3.1.15)
    "Npust Email List Manager_is1" = Npust Email List Manager Version 1.0.1
    "NVIDIA Drivers" = NVIDIA Drivers
    "NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
    "Panopreter_is1" = Panopreter
    "PDF reDirect" = PDF reDirect (remove only)
    "PhoTagsExpress" = PhoTags Express
    "RahJongg - The Curse of Ra Special Edition" = RahJongg - The Curse of Ra Special Edition
    "SpiceLogic Document 2 Text Converter" = SpiceLogic Document 2 Text Converter 1.1
    "SyncBack_is1" = SyncBack
    "Text Master_is1" = Text Master 1.50
    "theSkyNet" = theSkyNet
    "TTSReader" = TTSReader 1.30
    "TurboTax 2010" = TurboTax 2010
    "tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
    "VLC media player" = VideoLAN VLC media player 0.8.6f
    "WIDI Recognition System Pro 3.3" = WIDI Recognition System Pro 3.3 (remove only)
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows Media Player" = Windows Media Player 10
    "Windows Sidebar" = Windows Sidebar
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1547161642-484061587-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Dropbox" = Dropbox
    "Flux" = F.lux
    "magicJack" = magicJack

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 6/10/2011 6:50:01 PM | Computer Name = THING2 | Source = Microsoft Office 12 | ID = 5000
    Description = EventType offdiag12, P1 ed26396f-cf4d-4c66-9cd2-c97209f66a331c95fb0f-7b2b-47fc-bddc-2156e59293c5,
    P2 NIL, P3 NIL, P4 NIL, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

    Error - 6/28/2011 6:45:44 PM | Computer Name = THING2 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The server name or address could not be resolved

    Error - 7/21/2011 6:13:27 PM | Computer Name = THING2 | Source = .NET Runtime Optimization Service | ID = 1103
    Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
    - Tried to start a service that wasn't the latest version of CLR Optimization service.
    Will shutdown

    Error - 7/21/2011 6:45:47 PM | Computer Name = THING2 | Source = MsiInstaller | ID = 11704
    Description = Product: Skype™ 5.3 -- Error 1704. An installation for Microsoft .NET
    Framework 4 Client Profile is currently suspended. You must undo the changes made
    by that installation to continue. Do you want to undo those changes?

    Error - 7/21/2011 7:00:04 PM | Computer Name = THING2 | Source = .NET Runtime Optimization Service | ID = 1103
    Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
    - Tried to start a service that wasn't the latest version of CLR Optimization service.
    Will shutdown

    Error - 8/11/2011 9:30:58 PM | Computer Name = THING2 | Source = .NET Runtime Optimization Service | ID = 1103
    Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
    - Tried to start a service that wasn't the latest version of CLR Optimization service.
    Will shutdown

    Error - 8/18/2011 3:44:28 PM | Computer Name = THING2 | Source = VSS | ID = 12292
    Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
    COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x8007041d].

    Error - 9/10/2011 2:24:17 PM | Computer Name = THING2 | Source = VSS | ID = 8193
    Description = Volume Shadow Copy Service error: Unexpected error calling routine
    CoCreateInstance. hr = 0x80080005.

    Error - 9/26/2011 10:06:02 AM | Computer Name = THING2 | Source = Microsoft Office 12 | ID = 5000
    Description = EventType officelifeboathang, P1 excel.exe, P2 12.0.6565.5003, P3
    msvcr80.dll, P4 8.0.50727.6195, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

    Error - 10/18/2011 11:57:39 AM | Computer Name = THING2 | Source = .NET Runtime Optimization Service | ID = 1103
    Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
    - Tried to start a service that wasn't the latest version of CLR Optimization service.
    Will shutdown

    [ OSession Events ]
    Error - 6/7/2011 5:46:16 PM | Computer Name = THING2 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 13870
    seconds with 60 seconds of active time. This session ended with a crash.

    Error - 6/7/2011 11:10:34 PM | Computer Name = THING2 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 19439
    seconds with 60 seconds of active time. This session ended with a crash.

    Error - 6/8/2011 1:36:15 AM | Computer Name = THING2 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 7672
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 6/10/2011 5:38:42 PM | Computer Name = THING2 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 17609
    seconds with 10200 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 11/17/2011 9:26:45 PM | Computer Name = THING2 | Source = Service Control Manager | ID = 7001
    Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
    failed to start because of the following error: %%31

    Error - 11/17/2011 9:26:45 PM | Computer Name = THING2 | Source = Service Control Manager | ID = 7001
    Description = The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol
    Driver service which failed to start because of the following error: %%31

    Error - 11/17/2011 9:26:45 PM | Computer Name = THING2 | Source = Service Control Manager | ID = 7001
    Description = The IPSEC Services service depends on the IPSEC driver service which
    failed to start because of the following error: %%31

    Error - 11/17/2011 9:26:45 PM | Computer Name = THING2 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip Tcpip6 UimBus
    Uim_IM

    Error - 11/17/2011 9:33:34 PM | Computer Name = THING2 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 11/17/2011 9:34:44 PM | Computer Name = THING2 | Source = Service Control Manager | ID = 7000
    Description = The Parallel port driver service failed to start due to the following
    error: %%1058

    Error - 11/18/2011 12:15:42 AM | Computer Name = THING2 | Source = Service Control Manager | ID = 7034
    Description = The Process Monitor service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 11/18/2011 12:22:05 AM | Computer Name = THING2 | Source = Service Control Manager | ID = 7000
    Description = The Parallel port driver service failed to start due to the following
    error: %%1058

    Error - 11/18/2011 12:29:52 AM | Computer Name = THING2 | Source = Service Control Manager | ID = 7000
    Description = The Parallel port driver service failed to start due to the following
    error: %%1058

    Error - 11/18/2011 12:30:36 AM | Computer Name = THING2 | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the nvsvc service.


    < End of report >
     
  11. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    I just attached the part of "extras" log that would not post.
    Have a nice night and a beautiful morning.
    Thanks for your help so far.
    I am a girl.
    :wave:
     

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      PRC - [2011/09/27 19:08:40 | 000,745,880 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe
      SRV - [2011/09/27 19:08:40 | 000,745,880 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
      IE - HKU\S-1-5-21-1547161642-484061587-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ask.com/
      O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Logitech . Product Registration.lnk = File not found
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\Administrator\My Documents\YouthTouch_Grant_Canada11_Letter.pdf:SummaryInformation
      
      :Files
      C:\Program Files\Application Updater\ApplicationUpdater.exe
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =============================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ===============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  13. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    OTL Fix Log

    All processes killed
    ========== OTL ==========
    No active process named ApplicationUpdater.exe was found!
    Service Application Updater stopped successfully!
    Service Application Updater deleted successfully!
    C:\Program Files\Application Updater\ApplicationUpdater.exe moved successfully.
    HKU\S-1-5-21-1547161642-484061587-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Logitech . Product Registration.lnk moved successfully.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    C:\WINDOWS\003240_.tmp deleted successfully.
    C:\WINDOWS\003418_.tmp deleted successfully.
    C:\WINDOWS\SET137.tmp deleted successfully.
    C:\WINDOWS\SET13A.tmp deleted successfully.
    C:\WINDOWS\SET146.tmp deleted successfully.
    C:\WINDOWS\SET3.tmp deleted successfully.
    C:\WINDOWS\SET4.tmp deleted successfully.
    C:\WINDOWS\SET8.tmp deleted successfully.
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    C:\WINDOWS\System32\SET57B.tmp deleted successfully.
    C:\WINDOWS\System32\SET580.tmp deleted successfully.
    C:\WINDOWS\System32\SET587.tmp deleted successfully.
    ADS C:\Documents and Settings\Administrator\My Documents\YouthTouch_Grant_Canada11_Letter.pdf:SummaryInformation deleted successfully.
    ========== FILES ==========
    File\Folder C:\Program Files\Application Updater\ApplicationUpdater.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 1497524 bytes
    ->Temporary Internet Files folder emptied: 1050616 bytes
    ->Java cache emptied: 28716887 bytes
    ->FireFox cache emptied: 129416405 bytes
    ->Flash cache emptied: 15787606 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: gx280
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 175624 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34046 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 169.00 mb

    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users
    User: Default User
    User: gx280
    User: LocalService
    User: NetworkService
    Total Flash Files Cleaned = 0.00 mb

    OTL by OldTimer - Version 3.2.31.0 log created on 11182011_192215
    Files\Folders moved on Reboot...
    Registry entries deleted on Reboot...
    ----------------------------------------------------------------------------------------------------
    JavaRa 1.16 Removal Log.

    I have updated my Java and run JavaRa to remove old versions.
    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Fri Nov 18 19:34:00 2011

    Found and removed: C:\Program Files\Java\jre1.6.0_04

    Found and removed: C:\Program Files\Java\jre1.6.0_07

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_04

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_11

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_12

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_13

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_14

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_17

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_18

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_20

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_21

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_22

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_24

    Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_26

    Found and removed: Applications\java.exe

    Found and removed: Applications\javaw.exe

    Found and removed: JavaPlugin.FamilyVersionSupport

    Found and removed: Installer\Products\8A0F842331866D117AB7000B0D610007

    Found and removed: CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}

    Found and removed: JavaScript

    Found and removed: JavaScript Author

    Found and removed: JavaScript1.1

    Found and removed: JavaScript1.1 Author

    Found and removed: JavaScript1.2

    Found and removed: JavaScript1.2 Author

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}

    Found and removed: Software\Classes\JavaPlugin.160_04

    Found and removed: Software\Classes\JavaPlugin.160_07

    Found and removed: Software\JavaSoft\Java Update

    Found and removed: SOFTWARE\Classes\JavaPlugin

    Found and removed: SOFTWARE\Classes\JavaPlugin.160_04

    Found and removed: SOFTWARE\Classes\JavaPlugin.160_07

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_04

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_07

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_04

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_07

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_04

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_07

    Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_04.b12\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_04\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_07\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\JRE\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0357E4991DA5FF14F9615B3412062B02

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0357E4991DA5FF14F9615B3412062F00

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0357E4991DA5FF14F9615B3612062B02

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0357E4991DA5FF14F9615B3612062F00

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1.2

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1.3

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.2

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.2.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.3

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.3.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.4

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.4.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.4.2

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.5

    JavaRa 1.16 Removal Log.

    Report follows after line.
    ------------------------------------

    The JavaRa removal process was started on Fri Nov 18 21:36:25 2011

    Found and removed: CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}

    Found and removed: Software\JavaSoft\Java Update

    ------------------------------------
    Finished reporting.
    ------------------------------------------------------------------------------------------------------
    SecurityCheck Log - checkup.txt

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Avira AntiVir Personal - Free Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 29
    Java(TM) 6 Update 4
    Java(TM) 6 Update 7
    Out of date Java installed!
    Adobe Flash Player 11.0.1.152
    Mozilla Firefox (3.6.23) Firefox Out of Date!
    Mozilla Thunderbird (3.1.15) Thunderbird Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ``````````End of Log````````````
    -------------------------------------------------------------------------------------------------------
    Results of ESET Scan:

    C:\Documents and Settings\Administrator\My Documents\Setup_FreeFlvConverterN.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
    C:\Qoobox\Quarantine\C\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe.vir a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{4E811858-D6AA-46DA-B885-89ADBA310E1A}\RP21\A0011770.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{4E811858-D6AA-46DA-B885-89ADBA310E1A}\RP40\A0015505.rbf a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{4E811858-D6AA-46DA-B885-89ADBA310E1A}\RP40\A0015510.rbf a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{4E811858-D6AA-46DA-B885-89ADBA310E1A}\RP40\A0015511.rbf probably a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{4E811858-D6AA-46DA-B885-89ADBA310E1A}\RP54\A0025149.exe a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{4E811858-D6AA-46DA-B885-89ADBA310E1A}\RP8\A0007483.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
    C:\_OTL\MovedFiles\11182011_192215\C_Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
    ------------------------------------------------------------------------------------------------------

    I remembered step 2 - temp files have been cleared.
    Everything is pretty good here. :approve:
     
  14. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Uninstall:
    Java(TM) 6 Update 4
    Java(TM) 6 Update 7



    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  15. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    I removed Java 6, update 4

    However, I update 7 did not show up in the Add/Remove programs population.

    How should I go about finding and uninstalling it?
     
  16. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    If it doesn't show you're fine there.
     
  17. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    Confirmed OTL Restore Point Set

    User: NetworkService
    Total Flash Files Cleaned = 0.00 mb
    Restore points cleared and new OTL Restore Point set!
    OTL by OldTimer - Version 3.2.31.0 log created on 11182011_221843
    Files\Folders moved on Reboot...
    Registry entries deleted on Reboot...
    ------------------------------------------------------------------------------------------------
    I'm going to run that OTL Cleanup now and download a few of the tools you suggested. I'm thinking about a sandbox for excel files (and others). I must open many of these found on the web for job related research. One more question, do you recommend Comodo firewall?

    Thanks again for your expertise and effort.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You're very welcome [​IMG]

    I use Comodo firewall myself.

    Good luck!
     
  19. InfectedXP

    InfectedXP TS Rookie Topic Starter Posts: 30

    One final comment. The boot issues I mentioned were just fixed by using Windows Utilities and writing a new MBR. I have deleted the old desktop copy created during one of our many steps. It wasn't a hardware issue after all. Just thought you'd like to know.

    Have a great weekend, annihilator man.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Same to you :)
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...