TechSpot

Smart HDD scareware

Solved
By severedgein
Apr 6, 2012
  1. I'm back with yet another stupid employee's doings. :mad: Thank you in advance for you guys' help.
    ---------------------------------------------
    "Smart HDD" program popped up with "S.M.A.R.T Scan Results", removed all desktop items and start menu items.

    Started in Windows 7 safe mode.

    I tried to install MBAM, and got an error upon installation at the very end, access denied or something along those lines.

    Ran setup as admin, and installed to \mbam directory and renamed the shortcut and install completed. Updated database and ran scan:


    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.04.06.03

    Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    WS301 :: WS301 [administrator]

    4/6/2012 9:21:59 AM
    mbam-log-2012-04-06 (09-21-59).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 213844
    Time elapsed: 8 minute(s), 24 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 3
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|FXoIuAOxAoT.exe (Backdoor.Agent.RCGen) -> Data: C:\ProgramData\FXoIuAOxAoT.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|tbcfx (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\Windows\TEMP\tbcfx.dll",CreateRenderToEnvMap -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 6
    C:\ProgramData\FXoIuAOxAoT.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.
    C:\ProgramData\wLUs9jOMFUvdbB.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.
    C:\Windows\System32\ICAM5USB.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\mstdfrgs.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\pinnaclemarvinusb.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\vusbbus.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

    (end)


    Note: after restart into normal startup, the scareware does not pop up, and Microsoft Security Essentials is blocking "Trojan:Win32/Sirefef.AC". But networking seems to be blocked.



    ----------------------------------------------------------

    Gmer upon initial run gave this:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-06 09:11:25
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000019 ST325031 rev.3.AH
    Running: 7rlet47u.exe; Driver: C:\Users\WS301\AppData\Local\Temp\pgldqpog.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 MBR read error
    Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

    ---- Devices - GMER 1.0.15 ----

    Device \Device\00000053 -> \??\SCSI#Disk&Ven_ST325031&Prod_0AS#4&ac26b09&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----



    Gmer stopped there, did nothing for minutes, so it seemed to be finished. I hit "scan", it started to run, brought up a bunch of items and it froze after a minute, then threw a memory dump, so no log was saved. Started GMER a second time and it just brought up the same log as above. I didn't hit "scan" this time. Just let me know if you need me to run it again.

    -------------------------------------------------------------------

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
    Run by WS301 at 9:44:39 on 2012-04-06
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1617 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\hp\support\hpsysdrv.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
    C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
    C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = Preserve
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
    mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: mswsock.dll
    DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} - hxxps://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_28//sframe/IETools.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{4D268137-E37D-415F-BCE5-95EFF1F7D50E} : DhcpNameServer = 192.168.1.254
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    Hosts: 94.63.147.17 www.bing.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\ws301\appdata\roaming\mozilla\firefox\profiles\dto4vjea.default\
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 wsnm;VMware View Client;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2011-2-18 494192]
    R2 wsnm_usbctrl;VMware View USB Control;c:\program files\vmware\vmware view\client\bin\wsnm_usbctrl.exe [2011-2-18 793200]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
    R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [2011-12-27 39984]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
    S2 symantecantibotdriver;ZDPSp50;c:\windows\system32\svchost.exe -k netsvcs [2008-1-20 21504]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 253600]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-9-30 30192]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-5-20 30576]
    S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2008-9-9 20640]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-04-06 13:37:22 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b40fb554-fa1b-4eae-8382-bcaf2cb549f7}\offreg.dll
    2012-04-06 13:20:17 -------- d-----w- c:\program files\Mbam
    2012-04-05 20:43:01 780668 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-04-05 20:36:45 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-04-05 18:15:07 418464 ---ha-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-05 06:10:04 6582328 ---ha-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b40fb554-fa1b-4eae-8382-bcaf2cb549f7}\mpengine.dll
    2012-03-14 06:56:04 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-03-14 06:55:36 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-03-14 06:55:36 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-03-14 06:55:36 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-03-14 06:55:36 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-03-14 06:55:36 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2012-03-14 06:55:08 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2012-03-14 06:53:27 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-03-14 06:53:27 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ==================== Find3M ====================
    .
    2012-04-05 18:34:21 70304 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-31 12:44:05 237072 ---h--w- c:\windows\system32\MpSigStub.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: ST325031 rev.3.AH -> Harddisk0\DR0 ->
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87AF2FD0]<<
    _asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
    1 ntkrnlpa!IofCallDriver[0x81E5F912] -> \Device\Harddisk0\DR0[0x858300D0]
    3 CLASSPNP[0x807398B3] -> ntkrnlpa!IofCallDriver[0x81E5F912] -> [0x87ADA720]
    \Driver\00002171[0x87ADA888] -> IRP_MJ_CREATE -> 0x87AF2FD0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
    detected disk devices:
    \Device\00000054 -> \??\SCSI#Disk&Ven_ST325031&Prod_0AS#4&ac26b09&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    sectors 488397166 (+7): user != kernel
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 9:45:48.01 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/7/2009 1:06:03 AM
    System Uptime: 4/6/2012 9:36:37 AM (0 hours ago)
    .
    Motherboard: ECS | | Iris8
    Processor: AMD Athlon(tm) Dual Core Processor 4450e | Socket AM2 | 2300/201mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 222 GiB total, 148.477 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 1.543 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_RASMAN\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_RASMAN\0000
    Service:
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    32 Bit HP CIO Components Installer
    Acrobat.com
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.2)
    Advertising Center
    AIO_Scan
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG PC Tuneup
    BufferChm
    C5200
    C5200_doccd
    Canon MP Navigator EX 1.0
    Canon MX310 series
    Canon MX310 series User Registration
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities Solution Menu
    CaptureCAM-PLAYER
    Carbonite Online Backup Setup
    Compatibility Pack for the 2007 Office system
    Copy
    Crystal Reports 10 Support Files
    CyberLink DVD Suite Deluxe
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    EOS USB WIA Driver
    Fax
    Google Desktop
    Hardware Diagnostic Tools
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Advisor
    HP Customer Experience Enhancements
    HP Demo
    HP Imaging Device Functions 9.0
    HP LaserJet P2050 Series 6.0
    HP MediaSmart DVD
    HP OCR Software 9.0
    HP Photosmart All-In-One Software 9.0
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Recovery Manager RSS
    HP Smart Web Printing 4.60
    HP Total Care Setup
    HP Update
    HPAsset component for HP Active Support Library
    hppFonts
    hppQFolderP2050
    iCloud
    iPhone Configuration Utility
    Java Auto Updater
    Java(TM) 6 Update 30
    Juno Preloader
    LabelPrint
    LightScribe System Software
    LightScribe Template Labeler
    Lytec 2011 Professional
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Corporation
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office Home and Student 60 day trial
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft Works
    MobileMe Control Panel
    Mozilla Firefox 8.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    muvee Reveal
    Nero BackItUp
    Nero ControlCenter
    Norton Internet Security
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    PanoStandAlone
    PictureMover
    PIXMA Extended Survey Program
    Power2Go
    PowerDirector
    Presto! PageManager 7.15.16
    PS_AIO_02_ProductContext
    PS_AIO_02_Software
    PS_AIO_02_Software_min
    PSSWCORE
    Python 2.5.2
    QuickBooks Pro 2009
    QuickTime
    Realtek High Definition Audio Driver
    Revenue Management
    Scan
    ScanSoft OmniPage SE 4
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    SmartWebPrinting
    Soft Data Fax Modem with SmartCP
    Status
    SupportSoft Assisted Service
    Toolbox
    TransferMy Music 2.0.4.0
    TrayApp
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VideoToolkit01
    Visual Studio 2005 Tools for Office Second Edition Runtime
    VMware View Client
    VZAccess Manager for RIM
    WebReg
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 47,641   +267

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure; click on Continue.
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    13:36:37.0639 1632 TDSS rootkit removing tool 2.7.26.0 Apr 4 2012 19:52:02
    13:36:39.0057 1632 ============================================================
    13:36:39.0058 1632 Current date / time: 2012/04/06 13:36:39.0057
    13:36:39.0058 1632 SystemInfo:
    13:36:39.0058 1632
    13:36:39.0058 1632 OS Version: 6.0.6002 ServicePack: 2.0
    13:36:39.0058 1632 Product type: Workstation
    13:36:39.0058 1632 ComputerName: WS301
    13:36:39.0058 1632 UserName: WS301
    13:36:39.0058 1632 Windows directory: C:\Windows
    13:36:39.0058 1632 System windows directory: C:\Windows
    13:36:39.0058 1632 Processor architecture: Intel x86
    13:36:39.0058 1632 Number of processors: 2
    13:36:39.0058 1632 Page size: 0x1000
    13:36:39.0058 1632 Boot type: Safe boot with network
    13:36:39.0058 1632 ============================================================
    13:36:40.0054 1632 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
    13:36:40.0056 1632 \Device\Harddisk0\DR0:
    13:36:40.0056 1632 MBR used
    13:36:40.0056 1632 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1BB42BC5
    13:36:40.0056 1632 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1BB42C04, BlocksNum 0x168197D
    13:36:40.0101 1632 Initialize success
    13:36:40.0101 1632 ============================================================
    13:36:55.0460 3692 ============================================================
    13:36:55.0460 3692 Scan started
    13:36:55.0460 3692 Mode: Manual;
    13:36:55.0460 3692 ============================================================
    13:36:59.0855 3692 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    13:36:59.0859 3692 ACPI - ok
    13:36:59.0946 3692 AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    13:36:59.0949 3692 AdobeARMservice - ok
    13:37:00.0060 3692 AdobeFlashPlayerUpdateSvc (0d4c486a24a711a45fd83acdf4d18506) C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    13:37:00.0065 3692 AdobeFlashPlayerUpdateSvc - ok
    13:37:00.0238 3692 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
    13:37:00.0245 3692 adp94xx - ok
    13:37:00.0290 3692 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
    13:37:00.0295 3692 adpahci - ok
    13:37:00.0319 3692 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
    13:37:00.0352 3692 adpu160m - ok
    13:37:00.0405 3692 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
    13:37:00.0408 3692 adpu320 - ok
    13:37:00.0441 3692 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
    13:37:00.0442 3692 AeLookupSvc - ok
    13:37:00.0522 3692 AFD (c84212d2e365158bd085ce9254cc29ce) C:\Windows\system32\drivers\afd.sys
    13:37:00.0524 3692 Suspicious file (Forged): C:\Windows\system32\drivers\afd.sys. Real md5: c84212d2e365158bd085ce9254cc29ce, Fake md5: 3911b972b55fea0478476b2e777b29fa
    13:37:00.0526 3692 AFD ( Virus.Win32.ZAccess.k ) - infected
    13:37:00.0526 3692 AFD - detected Virus.Win32.ZAccess.k (0)
    13:37:00.0571 3692 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
    13:37:00.0583 3692 agp440 - ok
    13:37:00.0735 3692 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    13:37:00.0738 3692 aic78xx - ok
    13:37:00.0773 3692 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
    13:37:00.0775 3692 ALG - ok
    13:37:00.0811 3692 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
    13:37:00.0812 3692 aliide - ok
    13:37:00.0844 3692 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
    13:37:00.0846 3692 amdagp - ok
    13:37:00.0858 3692 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
    13:37:00.0859 3692 amdide - ok
    13:37:00.0883 3692 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
    13:37:00.0885 3692 AmdK7 - ok
    13:37:00.0906 3692 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
    13:37:00.0908 3692 AmdK8 - ok
    13:37:00.0950 3692 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
    13:37:00.0951 3692 Appinfo - ok
    13:37:01.0126 3692 Apple Mobile Device (3debbecf665dcdde3a95d9b902010817) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    13:37:01.0131 3692 Apple Mobile Device - ok
    13:37:01.0216 3692 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
    13:37:01.0218 3692 arc - ok
    13:37:01.0257 3692 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
    13:37:01.0260 3692 arcsas - ok
    13:37:01.0426 3692 aspnet_state (40c145f12ff461a0220303bda134f598) C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    13:37:01.0465 3692 aspnet_state - ok
    13:37:01.0559 3692 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    13:37:01.0560 3692 AsyncMac - ok
    13:37:01.0593 3692 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    13:37:01.0594 3692 atapi - ok
    13:37:01.0648 3692 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
    13:37:01.0653 3692 AudioEndpointBuilder - ok
    13:37:01.0661 3692 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
    13:37:01.0664 3692 Audiosrv - ok
    13:37:01.0806 3692 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    13:37:01.0807 3692 Beep - ok
    13:37:01.0923 3692 BITS (93952506c6d67330367f7e7934b6a02f) C:\Windows\System32\qmgr.dll
    13:37:02.0008 3692 BITS - ok
    13:37:02.0088 3692 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
    13:37:02.0090 3692 blbdrive - ok
    13:37:02.0130 3692 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    13:37:02.0131 3692 bowser - ok
    13:37:02.0174 3692 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    13:37:02.0176 3692 BrFiltLo - ok
    13:37:02.0190 3692 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    13:37:02.0192 3692 BrFiltUp - ok
    13:37:02.0220 3692 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
    13:37:02.0222 3692 Browser - ok
    13:37:02.0261 3692 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    13:37:02.0266 3692 Brserid - ok
    13:37:02.0285 3692 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    13:37:02.0287 3692 BrSerWdm - ok
    13:37:02.0302 3692 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    13:37:02.0304 3692 BrUsbMdm - ok
    13:37:02.0318 3692 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    13:37:02.0322 3692 BrUsbSer - ok
    13:37:02.0381 3692 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    13:37:02.0382 3692 BTHMODEM - ok
    13:37:02.0407 3692 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    13:37:02.0409 3692 cdfs - ok
    13:37:02.0467 3692 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    13:37:02.0470 3692 cdrom - ok
    13:37:02.0536 3692 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
    13:37:02.0538 3692 CertPropSvc - ok
    13:37:02.0643 3692 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
    13:37:02.0645 3692 circlass - ok
    13:37:02.0713 3692 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    13:37:02.0718 3692 CLFS - ok
    13:37:02.0793 3692 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    13:37:02.0797 3692 clr_optimization_v2.0.50727_32 - ok
    13:37:02.0933 3692 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    13:37:02.0966 3692 clr_optimization_v4.0.30319_32 - ok
    13:37:03.0047 3692 cmdagent - ok
    13:37:03.0087 3692 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
    13:37:03.0089 3692 cmdide - ok
    13:37:03.0097 3692 compaq_rba - ok
    13:37:03.0116 3692 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
    13:37:03.0117 3692 Compbatt - ok
    13:37:03.0125 3692 COMSysApp - ok
    13:37:03.0151 3692 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
    13:37:03.0152 3692 crcdisk - ok
    13:37:03.0172 3692 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
    13:37:03.0174 3692 Crusoe - ok
    13:37:03.0274 3692 CryptSvc (fb27772beaf8e1d28ccd825c09da939b) C:\Windows\system32\cryptsvc.dll
    13:37:03.0277 3692 CryptSvc - ok
    13:37:03.0338 3692 DcomLaunch (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
    13:37:03.0366 3692 DcomLaunch - ok
    13:37:03.0420 3692 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
    13:37:03.0422 3692 DfsC - ok
    13:37:03.0521 3692 DFSR (2cc3dcfb533a1035b13dcab6160ab38b) C:\Windows\system32\DFSR.exe
    13:37:03.0606 3692 DFSR - ok
    13:37:03.0685 3692 Dhcp (9028559c132146fb75eb7acf384b086a) C:\Windows\System32\dhcpcsvc.dll
    13:37:03.0689 3692 Dhcp - ok
    13:37:03.0746 3692 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    13:37:03.0748 3692 disk - ok
    13:37:03.0788 3692 Dnscache (57d762f6f5974af0da2be88a3349baaa) C:\Windows\System32\dnsrslvr.dll
    13:37:03.0791 3692 Dnscache - ok
    13:37:03.0844 3692 dot3svc (324fd74686b1ef5e7c19a8af49e748f6) C:\Windows\System32\dot3svc.dll
    13:37:03.0848 3692 dot3svc - ok
    13:37:03.0891 3692 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
    13:37:03.0895 3692 Dot4 - ok
    13:37:03.0906 3692 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
    13:37:03.0908 3692 Dot4Print - ok
    13:37:03.0924 3692 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
    13:37:03.0925 3692 dot4usb - ok
    13:37:03.0966 3692 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
    13:37:03.0969 3692 DPS - ok
    13:37:04.0017 3692 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    13:37:04.0019 3692 drmkaud - ok
    13:37:04.0063 3692 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    13:37:04.0103 3692 DXGKrnl - ok
    13:37:04.0163 3692 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
    13:37:04.0166 3692 E1G60 - ok
    13:37:04.0187 3692 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
    13:37:04.0190 3692 EapHost - ok
    13:37:04.0264 3692 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    13:37:04.0267 3692 Ecache - ok
    13:37:04.0304 3692 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
    13:37:04.0309 3692 ehRecvr - ok
    13:37:04.0349 3692 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
    13:37:04.0351 3692 ehSched - ok
    13:37:04.0380 3692 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
    13:37:04.0381 3692 ehstart - ok
    13:37:04.0459 3692 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
    13:37:04.0464 3692 elxstor - ok
    13:37:04.0567 3692 EMDMgmt (4e6b23dfc917ea39306b529b773950f4) C:\Windows\system32\emdmgmt.dll
    13:37:04.0580 3692 EMDMgmt - ok
    13:37:04.0648 3692 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
    13:37:04.0649 3692 ErrDev - ok
    13:37:04.0710 3692 EventSystem (67058c46504bc12d821f38cf99b7b28f) C:\Windows\system32\es.dll
    13:37:04.0715 3692 EventSystem - ok
    13:37:04.0776 3692 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    13:37:04.0780 3692 exfat - ok
    13:37:04.0818 3692 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    13:37:04.0821 3692 fastfat - ok
    13:37:04.0873 3692 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
    13:37:04.0874 3692 fdc - ok
    13:37:04.0908 3692 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
    13:37:04.0909 3692 fdPHost - ok
    13:37:04.0921 3692 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
    13:37:04.0922 3692 FDResPub - ok
    13:37:04.0963 3692 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    13:37:04.0965 3692 FileInfo - ok
    13:37:04.0985 3692 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    13:37:04.0987 3692 Filetrace - ok
    13:37:05.0002 3692 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
    13:37:05.0004 3692 flpydisk - ok
    13:37:05.0059 3692 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    13:37:05.0063 3692 FltMgr - ok
    13:37:05.0272 3692 FontCache (8ce364388c8eca59b14b539179276d44) C:\Windows\system32\FntCache.dll
    13:37:05.0297 3692 FontCache - ok
    13:37:05.0394 3692 FontCache3.0.0.0 (c7fbdd1ed42f82bfa35167a5c9803ea3) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    13:37:05.0397 3692 FontCache3.0.0.0 - ok
    13:37:05.0441 3692 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    13:37:05.0442 3692 Fs_Rec - ok
    13:37:05.0469 3692 ftsata2 - ok
    13:37:05.0502 3692 fuj02b1 - ok
    13:37:05.0540 3692 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
    13:37:05.0542 3692 gagp30kx - ok
    13:37:05.0583 3692 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
    13:37:05.0584 3692 GEARAspiWDM - ok
    13:37:05.0616 3692 giveio - ok
    13:37:05.0714 3692 GoogleDesktopManager-051210-111108 (9f5f2f0fb0a7f5aa9f16b9a7b6dad89f) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    13:37:05.0718 3692 GoogleDesktopManager-051210-111108 - ok
    13:37:05.0827 3692 gpsvc (cd5d0aeee35dfd4e986a5aa1500a6e66) C:\Windows\System32\gpsvc.dll
    13:37:05.0836 3692 gpsvc - ok
    13:37:05.0896 3692 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    13:37:05.0904 3692 HDAudBus - ok
    13:37:05.0971 3692 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    13:37:05.0973 3692 HidBth - ok
    13:37:06.0012 3692 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    13:37:06.0013 3692 HidIr - ok
    13:37:06.0076 3692 hidserv (84067081f3318162797385e11a8f0582) C:\Windows\system32\hidserv.dll
    13:37:06.0077 3692 hidserv - ok
    13:37:06.0103 3692 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    13:37:06.0104 3692 HidUsb - ok
    13:37:06.0136 3692 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
    13:37:06.0166 3692 hkmsvc - ok
    13:37:06.0299 3692 HP Health Check Service (a19b0bb5a7eb6df2dd4a0711d36955ee) c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    13:37:06.0316 3692 HP Health Check Service - ok
    13:37:06.0382 3692 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
    13:37:06.0388 3692 HpCISSs - ok
    13:37:06.0414 3692 HPFXBULK (299683d4c8aaa3f6f5d5d226a1782a6e) C:\Windows\system32\drivers\hpfxbulk.sys
    13:37:06.0416 3692 HPFXBULK - ok
    13:37:06.0493 3692 hpqcxs08 (ce0fcec4d4d860f36d972759b11eaf0f) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
    13:37:06.0498 3692 hpqcxs08 - ok
    13:37:06.0515 3692 hpqddsvc (ee4c7a4cf2316701ffde90f404520265) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
    13:37:06.0518 3692 hpqddsvc - ok
    13:37:06.0622 3692 HSF_DP (78c88781fbd2fdd3bcba09f58897fe45) C:\Windows\system32\DRIVERS\HSX_DP.sys
    13:37:06.0672 3692 HSF_DP - ok
    13:37:06.0691 3692 HSXHWBS2 (1e289f978d1e6f11db88d4fcb2f9d92f) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
    13:37:06.0696 3692 HSXHWBS2 - ok
    13:37:06.0753 3692 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    13:37:06.0766 3692 HTTP - ok
    13:37:06.0795 3692 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
    13:37:06.0797 3692 i2omp - ok
    13:37:06.0832 3692 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    13:37:06.0834 3692 i8042prt - ok
    13:37:06.0853 3692 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
    13:37:06.0858 3692 iaStorV - ok
    13:37:07.0048 3692 idsvc (98477b08e61945f974ed9fdc4cb6bdab) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    13:37:07.0092 3692 idsvc - ok
    13:37:07.0156 3692 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    13:37:07.0157 3692 iirsp - ok
    13:37:07.0226 3692 IJPLMSVC (2f95bef56aeeeb45de55ec44668e2695) C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    13:37:07.0230 3692 IJPLMSVC - ok
    13:37:07.0332 3692 IKEEXT (9908d8a397b76cd8d31d0d383c5773c9) C:\Windows\System32\ikeext.dll
    13:37:07.0339 3692 IKEEXT - ok
    13:37:07.0483 3692 IntcAzAudAddService (84ed2154239f9d013bbd3220755ada8b) C:\Windows\system32\drivers\RTKVHDA.sys
    13:37:07.0576 3692 IntcAzAudAddService - ok
    13:37:07.0635 3692 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
    13:37:07.0636 3692 intelide - ok
    13:37:07.0665 3692 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    13:37:07.0667 3692 intelppm - ok
    13:37:07.0689 3692 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
    13:37:07.0692 3692 IPBusEnum - ok
    13:37:07.0714 3692 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    13:37:07.0716 3692 IpFilterDriver - ok
    13:37:07.0724 3692 IpInIp - ok
    13:37:07.0804 3692 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
    13:37:07.0806 3692 IPMIDRV - ok
    13:37:07.0857 3692 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    13:37:07.0860 3692 IPNAT - ok
    13:37:07.0876 3692 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    13:37:07.0877 3692 IRENUM - ok
    13:37:07.0897 3692 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
    13:37:07.0898 3692 isapnp - ok
    13:37:08.0018 3692 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    13:37:08.0019 3692 iScsiPrt - ok
    13:37:08.0035 3692 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    13:37:08.0037 3692 iteatapi - ok
    13:37:08.0054 3692 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    13:37:08.0055 3692 iteraid - ok
    13:37:08.0072 3692 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    13:37:08.0073 3692 kbdclass - ok
    13:37:08.0109 3692 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    13:37:08.0111 3692 kbdhid - ok
    13:37:08.0158 3692 KeyIso (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
    13:37:08.0160 3692 KeyIso - ok
    13:37:08.0198 3692 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
    13:37:08.0212 3692 KSecDD - ok
    13:37:08.0273 3692 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
    13:37:08.0282 3692 KtmRm - ok
    13:37:08.0341 3692 LanmanServer (1bf5eebfd518dd7298434d8c862f825d) C:\Windows\system32\srvsvc.dll
    13:37:08.0394 3692 LanmanServer - ok
    13:37:08.0572 3692 LanmanWorkstation (1db69705b695b987082c8baec0c6b34f) C:\Windows\System32\wkssvc.dll
    13:37:08.0578 3692 LanmanWorkstation - ok
    13:37:08.0644 3692 LightScribeService (dfeff67508d3a9aeb1a85d7b0f513b24) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    13:37:08.0647 3692 LightScribeService - ok
    13:37:08.0714 3692 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    13:37:08.0716 3692 lltdio - ok
    13:37:08.0764 3692 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
    13:37:08.0768 3692 lltdsvc - ok
    13:37:08.0809 3692 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
    13:37:08.0811 3692 lmhosts - ok
    13:37:08.0853 3692 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
    13:37:08.0856 3692 LSI_FC - ok
    13:37:08.0890 3692 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
    13:37:08.0893 3692 LSI_SAS - ok
    13:37:08.0923 3692 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
    13:37:08.0925 3692 LSI_SCSI - ok
    13:37:09.0009 3692 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    13:37:09.0012 3692 luafv - ok
    13:37:09.0055 3692 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2Svc.dll
    13:37:09.0058 3692 Mcx2Svc - ok
    13:37:09.0119 3692 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
    13:37:09.0120 3692 mdmxsdk - ok
    13:37:09.0156 3692 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
    13:37:09.0157 3692 megasas - ok
    13:37:09.0197 3692 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
    13:37:09.0207 3692 MegaSR - ok
    13:37:09.0272 3692 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
    13:37:09.0274 3692 MMCSS - ok
    13:37:09.0307 3692 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    13:37:09.0309 3692 Modem - ok
    13:37:09.0355 3692 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    13:37:09.0371 3692 monitor - ok
    13:37:09.0431 3692 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    13:37:09.0432 3692 mouclass - ok
    13:37:09.0452 3692 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    13:37:09.0453 3692 mouhid - ok
    13:37:09.0465 3692 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    13:37:09.0468 3692 MountMgr - ok
    13:37:09.0511 3692 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\Windows\system32\DRIVERS\MpFilter.sys
    13:37:09.0514 3692 MpFilter - ok
    13:37:09.0540 3692 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
    13:37:09.0543 3692 mpio - ok
    13:37:09.0557 3692 MpNWMon (2c3489660d4a8d514c123c3f0d67df46) C:\Windows\system32\DRIVERS\MpNWMon.sys
    13:37:09.0579 3692 MpNWMon - ok
    13:37:09.0620 3692 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    13:37:09.0622 3692 mpsdrv - ok
    13:37:09.0651 3692 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    13:37:09.0653 3692 Mraid35x - ok
    13:37:09.0695 3692 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    13:37:09.0698 3692 MRxDAV - ok
    13:37:09.0747 3692 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
    13:37:09.0750 3692 mrxsmb - ok
    13:37:09.0802 3692 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    13:37:09.0806 3692 mrxsmb10 - ok
    13:37:09.0850 3692 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    13:37:09.0872 3692 mrxsmb20 - ok
    13:37:09.0926 3692 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
    13:37:09.0928 3692 msahci - ok
    13:37:09.0945 3692 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
    13:37:09.0947 3692 msdsm - ok
    13:37:09.0990 3692 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
    13:37:10.0022 3692 MSDTC - ok
    13:37:10.0081 3692 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    13:37:10.0083 3692 Msfs - ok
    13:37:10.0129 3692 MSHUSBVideo (5119ffc2a6b51089cdb0efdc75808c97) C:\Windows\system32\Drivers\nx6000.sys
    13:37:10.0131 3692 MSHUSBVideo - ok
    13:37:10.0154 3692 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    13:37:10.0155 3692 msisadrv - ok
    13:37:10.0196 3692 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
    13:37:10.0199 3692 MSiSCSI - ok
    13:37:10.0206 3692 msiserver - ok
    13:37:10.0254 3692 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    13:37:10.0255 3692 MSKSSRV - ok
    13:37:10.0290 3692 MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    13:37:10.0291 3692 MsMpSvc - ok
    13:37:10.0402 3692 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    13:37:10.0428 3692 MSPCLOCK - ok
    13:37:10.0470 3692 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    13:37:10.0471 3692 MSPQM - ok
    13:37:10.0552 3692 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    13:37:10.0556 3692 MsRPC - ok
    13:37:10.0611 3692 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    13:37:10.0612 3692 mssmbios - ok
    13:37:10.0639 3692 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    13:37:10.0640 3692 MSTEE - ok
    13:37:10.0687 3692 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    13:37:10.0693 3692 Mup - ok
    13:37:10.0776 3692 napagent (e4eaf0c5c1b41b5c83386cf212ca9584) C:\Windows\system32\qagentRT.dll
    13:37:10.0783 3692 napagent - ok
    13:37:10.0882 3692 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    13:37:10.0897 3692 NativeWifiP - ok
    13:37:10.0948 3692 NAVENG - ok
    13:37:10.0956 3692 NAVEX15 - ok
    13:37:11.0073 3692 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    13:37:11.0107 3692 NDIS - ok
    13:37:11.0173 3692 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    13:37:11.0174 3692 NdisTapi - ok
    13:37:11.0209 3692 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    13:37:11.0211 3692 Ndisuio - ok
    13:37:11.0267 3692 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    13:37:11.0270 3692 NdisWan - ok
    13:37:11.0280 3692 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    13:37:11.0282 3692 NDProxy - ok
    13:37:11.0496 3692 Nero BackItUp Scheduler 4.0 (c7f5c284b6f46fcaf6910ea4e644700b) C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    13:37:11.0529 3692 Nero BackItUp Scheduler 4.0 - ok
    13:37:11.0600 3692 Net Driver HPZ12 (80b7a96f908da13617e7e6832c5c6a64) C:\Windows\system32\HPZinw12.dll
    13:37:11.0603 3692 Net Driver HPZ12 - ok
    13:37:11.0648 3692 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    13:37:11.0650 3692 NetBIOS - ok
    13:37:11.0801 3692 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    13:37:11.0804 3692 netbt - ok
    13:37:11.0873 3692 Netlogon (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
    13:37:11.0875 3692 Netlogon - ok
    13:37:11.0911 3692 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
    13:37:11.0917 3692 Netman - ok
    13:37:11.0941 3692 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
    13:37:11.0947 3692 netprofm - ok
    13:37:12.0025 3692 NetTcpPortSharing (d6c4e4a39a36029ac0813d476fbd0248) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    13:37:12.0028 3692 NetTcpPortSharing - ok
    13:37:12.0096 3692 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    13:37:12.0098 3692 nfrd960 - ok
    13:37:12.0150 3692 NisDrv (7b01c6172cfd0b10116175e09200d4b4) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
    13:37:12.0152 3692 NisDrv - ok
    13:37:12.0234 3692 NisSrv (a5cb074f34bbd89948e34a630d459c0c) c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    13:37:12.0238 3692 NisSrv - ok
    13:37:12.0319 3692 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
    13:37:12.0323 3692 NlaSvc - ok
    13:37:12.0350 3692 nmap - ok
    13:37:12.0376 3692 Norton Internet Security - ok
    13:37:12.0458 3692 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    13:37:12.0460 3692 Npfs - ok
    13:37:12.0483 3692 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
    13:37:12.0485 3692 nsi - ok
    13:37:12.0515 3692 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    13:37:12.0516 3692 nsiproxy - ok
    13:37:12.0593 3692 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    13:37:12.0625 3692 Ntfs - ok
    13:37:12.0647 3692 NtMtlFax - ok
    13:37:12.0692 3692 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    13:37:12.0694 3692 ntrigdigi - ok
    13:37:12.0709 3692 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    13:37:12.0710 3692 Null - ok
    13:37:12.0811 3692 NVENETFD (d958a2b5f6ad5c3b8ccdc4d7da62466c) C:\Windows\system32\DRIVERS\nvmfdx32.sys
    13:37:12.0819 3692 NVENETFD - ok
    13:37:13.0094 3692 nvlddmkm (7bc6fb1f3aa696944ceb46d038fa90ed) C:\Windows\system32\DRIVERS\nvlddmkm.sys
    13:37:13.0281 3692 nvlddmkm - ok
    13:37:13.0360 3692 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
    13:37:13.0395 3692 nvraid - ok
    13:37:13.0474 3692 nvrd32 (085e88101d0d4b321abf9c7e2b6ee99d) C:\Windows\system32\drivers\nvrd32.sys
    13:37:13.0478 3692 nvrd32 - ok
    13:37:13.0508 3692 nvsmu (62754e376185eacbb73d06fea0ffc54a) C:\Windows\system32\drivers\nvsmu.sys
    13:37:13.0510 3692 nvsmu - ok
    13:37:13.0564 3692 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
    13:37:13.0566 3692 nvstor - ok
    13:37:13.0611 3692 nvstor32 (1199b2052f7861c1d39c2318e70904c9) C:\Windows\system32\DRIVERS\nvstor32.sys
    13:37:13.0613 3692 nvstor32 - ok
    13:37:13.0660 3692 nvsvc (4d6cb78d8883d3ddab56d82a2c6d817d) C:\Windows\system32\nvvsvc.exe
    13:37:13.0664 3692 nvsvc - ok
    13:37:13.0734 3692 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
    13:37:13.0754 3692 nv_agp - ok
    13:37:13.0909 3692 NwlnkFlt - ok
    13:37:13.0942 3692 NwlnkFwd - ok
    13:37:14.0076 3692 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
    13:37:14.0084 3692 odserv - ok
    13:37:14.0144 3692 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
    13:37:14.0145 3692 ohci1394 - ok
    13:37:14.0189 3692 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    13:37:14.0193 3692 ose - ok
    13:37:14.0225 3692 ovepstatusengine - ok
    13:37:14.0283 3692 p2pimsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
    13:37:14.0293 3692 p2pimsvc - ok
    13:37:14.0310 3692 p2psvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
    13:37:14.0317 3692 p2psvc - ok
    13:37:14.0350 3692 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
    13:37:14.0353 3692 Parport - ok
    13:37:14.0524 3692 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    13:37:14.0526 3692 partmgr - ok
    13:37:14.0603 3692 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
    13:37:14.0604 3692 Parvdm - ok
    13:37:14.0614 3692 PCASp50 - ok
    13:37:14.0647 3692 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
    13:37:14.0650 3692 PcaSvc - ok
    13:37:14.0970 3692 PCD5SRVC{BD6912E3-AC9D80E8-05040000} (9489c4cf14126a06b061163d2b261c69) C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms
    13:37:15.0071 3692 PCD5SRVC{BD6912E3-AC9D80E8-05040000} - ok
    13:37:15.0151 3692 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    13:37:15.0155 3692 pci - ok
     
  4. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    13:37:25.0451 3692 MBR (0x1B8) (d6ba8bd1e351710a091ac298ef15c30f) \Device\Harddisk0\DR0
    13:37:25.0477 3692 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    13:37:25.0477 3692 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    13:37:25.0505 3692 Boot (0x1200) (78b88920aa912c3ebd2e84bc239cdccf) \Device\Harddisk0\DR0\Partition0
    13:37:25.0534 3692 \Device\Harddisk0\DR0\Partition0 - ok
    13:37:25.0566 3692 Boot (0x1200) (d43ccaf72370bcbe4b2a438fd63b8ec9) \Device\Harddisk0\DR0\Partition1
    13:37:25.0568 3692 \Device\Harddisk0\DR0\Partition1 - ok
    13:37:25.0568 3692 ============================================================
    13:37:25.0568 3692 Scan finished
    13:37:25.0568 3692 ============================================================
    13:37:25.0584 3680 Detected object count: 2
    13:37:25.0585 3680 Actual detected object count: 2
    13:38:18.0662 3680 C:\Windows\system32\drivers\afd.sys - copied to quarantine
    13:38:18.0665 3680 C:\Windows\$NtUninstallKB50607$\2458081068\@ - copied to quarantine
    13:38:18.0666 3680 C:\Windows\$NtUninstallKB50607$\2458081068\cfg.ini - copied to quarantine
    13:38:18.0667 3680 C:\Windows\$NtUninstallKB50607$\2458081068\Desktop.ini - copied to quarantine
    13:38:18.0703 3680 C:\Windows\$NtUninstallKB50607$\2458081068\L\qnbwvoto - copied to quarantine
    13:38:18.0704 3680 C:\Windows\$NtUninstallKB50607$\2458081068\oemid - copied to quarantine
    13:38:18.0716 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\00000001.@ - copied to quarantine
    13:38:18.0752 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\00000002.@ - copied to quarantine
    13:38:18.0765 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\00000004.@ - copied to quarantine
    13:38:18.0781 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\80000000.@ - copied to quarantine
    13:38:18.0783 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\80000004.@ - copied to quarantine
    13:38:18.0812 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\80000032.@ - copied to quarantine
    13:38:18.0813 3680 C:\Windows\$NtUninstallKB50607$\2458081068\version - copied to quarantine
    13:38:26.0546 3680 Backup copy found, using it..
    13:38:26.0560 3680 C:\Windows\system32\drivers\afd.sys - will be cured on reboot
    13:38:29.0186 3680 C:\Windows\$NtUninstallKB50607$\1793089775 - will be deleted on reboot
    13:38:29.0187 3680 C:\Windows\$NtUninstallKB50607$\2458081068\@ - will be deleted on reboot
    13:38:29.0187 3680 C:\Windows\$NtUninstallKB50607$\2458081068\cfg.ini - will be deleted on reboot
    13:38:29.0187 3680 C:\Windows\$NtUninstallKB50607$\2458081068\Desktop.ini - will be deleted on reboot
    13:38:29.0201 3680 C:\Windows\$NtUninstallKB50607$\2458081068\oemid - will be deleted on reboot
    13:38:29.0219 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\00000001.@ - will be deleted on reboot
    13:38:29.0220 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\00000002.@ - will be deleted on reboot
    13:38:29.0220 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\00000004.@ - will be deleted on reboot
    13:38:29.0220 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\80000000.@ - will be deleted on reboot
    13:38:29.0220 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\80000004.@ - will be deleted on reboot
    13:38:29.0221 3680 C:\Windows\$NtUninstallKB50607$\2458081068\U\80000032.@ - will be deleted on reboot
    13:38:29.0221 3680 C:\Windows\$NtUninstallKB50607$\2458081068\version - will be deleted on reboot
    13:38:29.0222 3680 AFD ( Virus.Win32.ZAccess.k ) - User select action: Cure
    13:38:29.0910 3680 \Device\Harddisk0\DR0\# - copied to quarantine
    13:38:29.0911 3680 \Device\Harddisk0\DR0 - copied to quarantine
    13:38:29.0933 3680 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
    13:38:29.0941 3680 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
    13:38:29.0943 3680 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
    13:38:29.0946 3680 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
    13:38:29.0950 3680 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
    13:38:29.0957 3680 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
    13:38:29.0963 3680 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
    13:38:29.0964 3680 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
    13:38:29.0965 3680 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
    13:38:29.0969 3680 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
    13:38:29.0972 3680 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
    13:38:29.0975 3680 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
    13:38:30.0006 3680 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    13:38:30.0007 3680 \Device\Harddisk0\DR0 - ok
    13:38:30.0190 3680 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    13:38:35.0600 0896 Deinitialize success
     
  5. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    Update on behavior:
    No change, still missing everything on my desktop as well as the start menu.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,641   +267

    Let's see if we can recover your missing features.
    Download and run UnHide.
    Let me know if it worked.

    Then....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  7. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    Icons and start menu are back to normal; I can also adjust network settings now (don't know if that was part of UnHide or not).
    There is a start menu directory as well as a quick launch icon and desktop icon for the Smart HDD program, though.

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-06 14:06:59
    -----------------------------
    14:06:59.322 OS Version: Windows 6.0.6002 Service Pack 2
    14:06:59.322 Number of processors: 2 586 0x6B02
    14:06:59.322 ComputerName: WS301 UserName: WS301
    14:07:09.649 Initialize success
    14:09:36.351 AVAST engine defs: 12040600
    14:11:23.976 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000053
    14:11:23.992 Disk 0 Vendor: ST325031 3.AH Size: 238475MB BusType: 3
    14:11:24.023 Disk 0 MBR read successfully
    14:11:24.023 Disk 0 MBR scan
    14:11:24.039 Disk 0 unknown MBR code
    14:11:24.039 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 226949 MB offset 63
    14:11:24.086 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11523 MB offset 464792580
    14:11:24.117 Disk 0 scanning sectors +488392065
    14:11:24.195 Disk 0 scanning C:\Windows\system32\drivers
    14:11:50.325 Service scanning
    14:12:05.862 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
    14:12:33.552 Modules scanning
    14:12:41.944 Disk 0 trace - called modules:
    14:12:41.959 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    14:12:41.975 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x859f26e8]
    14:12:41.975 3 CLASSPNP.SYS[807388b3] -> nt!IofCallDriver -> [0x8528a700]
    14:12:41.975 5 acpi.sys[806156bc] -> nt!IofCallDriver -> \Device\00000053[0x84e68928]
    14:12:43.550 AVAST engine scan C:\Windows
    14:12:49.385 AVAST engine scan C:\Windows\system32
    14:19:43.174 AVAST engine scan C:\Windows\system32\drivers
    14:20:18.371 AVAST engine scan C:\Users\WS301
    14:34:29.260 AVAST engine scan C:\ProgramData
    14:37:50.568 Scan finished successfully
    14:41:30.639 Disk 0 MBR has been saved successfully to "C:\Users\WS301\Desktop\MBR.dat"
    14:41:30.732 The log file has been saved successfully to "C:\Users\WS301\Desktop\aswMBR.txt"

    ------------------------------------------------------------------
    Bootcleaner threw an I/O error code when it first ran and produced a debug.log; let me know if you want me to post that as well.


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 306a70bb88e51c06c67244ab8a2237bf

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
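    Reading logs like the ones in this thread means skimming past hundreds of "- ok" lines to find the few that matter. As an added example, not from the thread or from either tool's authors, here is a small Python triage script for the TDSSKiller and aswMBR log formats shown above; it runs over sample lines taken from these posts, and its patterns are written from those lines only, so other versions of either tool may print lines it ignores.

```python
import re
from dataclasses import dataclass, field

# TDSSKiller line: "HH:MM:SS.mmmm <thread id> <message>"
_TDSS_LINE = re.compile(r"^\s*\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<body>.*\S)\s*$")
# "<object> ( <verdict> ) - <action>", e.g. "\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected"
_TDSS_VERDICT = re.compile(r"^(?P<obj>.+?) \( (?P<verdict>[^()]+) \) - (?P<action>.+)$")
# "<object> - detected <verdict> (<n>)"
_TDSS_DETECTED = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
# "<object> - copied to quarantine" and the two actions that are deferred until reboot
_TDSS_ACTION = re.compile(r"^(?P<obj>.+?) - (?P<action>copied to quarantine|will be (?:cured|deleted) on reboot)$")

@dataclass
class TdssTriage:
    detections: dict = field(default_factory=dict)      # object -> verdict name
    quarantined: list = field(default_factory=list)     # objects copied to quarantine
    pending_reboot: list = field(default_factory=list)  # objects cured/deleted only after reboot
    reported_count: int = -1                            # "Actual detected object count: N" (-1 if absent)

def triage_tdsskiller(log: str) -> TdssTriage:
    """Keep the lines that matter; '- ok' driver/service entries are the bulk of the log."""
    t = TdssTriage()
    for raw in log.splitlines():
        m = _TDSS_LINE.match(raw)
        if not m:
            continue
        body = m.group("body")
        if body.endswith(" - ok"):
            continue
        if body.startswith("Actual detected object count:"):
            t.reported_count = int(body.rsplit(":", 1)[1])
            continue
        d = _TDSS_DETECTED.match(body) or _TDSS_VERDICT.match(body)
        if d:
            t.detections.setdefault(d.group("obj"), d.group("verdict"))
            if d.groupdict().get("action") == "will be cured on reboot":
                t.pending_reboot.append(d.group("obj"))
            continue
        a = _TDSS_ACTION.match(body)
        if a:
            bucket = t.quarantined if a.group("action") == "copied to quarantine" else t.pending_reboot
            bucket.append(a.group("obj"))
    return t

def follow_up(t: TdssTriage) -> list:
    """Next steps a helper would derive from the triage, not a verdict on the machine."""
    notes = []
    if t.reported_count >= 0 and t.reported_count != len(t.detections):
        notes.append(f"count mismatch: log reports {t.reported_count}, parsed {len(t.detections)}")
    if t.pending_reboot:
        notes.append(f"{len(t.pending_reboot)} object(s) are fixed only on reboot: reboot, then rescan")
    if any(v.startswith("Rootkit.Boot") for v in t.detections.values()):
        notes.append("boot-sector rootkit reported: confirm the MBR with a second tool after reboot")
    return notes

# aswMBR line: "HH:MM:SS.mmm <message>"
_ASW_LINE = re.compile(r"^\s*\d{2}:\d{2}:\d{2}\.\d+\s+(?P<body>.*\S)\s*$")
_ASW_LOCKED = re.compile(r"^Service (?P<name>\S+) (?P<path>.+?) \*\*LOCKED\*\* \d+$")

@dataclass
class AswTriage:
    mbr_unknown: list = field(default_factory=list)      # disk numbers whose boot code aswMBR did not recognise
    locked_services: dict = field(default_factory=dict)  # name -> path the scanner could not open

def triage_aswmbr(log: str) -> AswTriage:
    """'unknown MBR code' is the lead; a **LOCKED** driver is unreadable, which legitimate self-protecting AV drivers also cause."""
    t = AswTriage()
    for raw in log.splitlines():
        m = _ASW_LINE.match(raw)
        if not m:
            continue
        body = m.group("body")
        lk = _ASW_LOCKED.match(body)
        if lk:
            t.locked_services[lk.group("name")] = lk.group("path")
        elif body.startswith("Disk ") and "unknown MBR code" in body:
            t.mbr_unknown.append(int(body.split()[1]))
    return t

# Sample lines constructed from the logs posted in this thread.
SAMPLE_TDSS = r"""
13:37:25.0424 3692 XAudioService - ok
13:37:25.0477 3692 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
13:37:25.0477 3692 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
13:37:25.0585 3680 Actual detected object count: 2
13:38:18.0662 3680 C:\Windows\system32\drivers\afd.sys - copied to quarantine
13:38:26.0560 3680 C:\Windows\system32\drivers\afd.sys - will be cured on reboot
13:38:29.0187 3680 C:\Windows\$NtUninstallKB50607$\2458081068\cfg.ini - will be deleted on reboot
13:38:29.0222 3680 AFD ( Virus.Win32.ZAccess.k ) - User select action: Cure
13:38:30.0006 3680 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
"""
SAMPLE_ASW = r"""
14:11:24.023 Disk 0 MBR read successfully
14:11:24.039 Disk 0 unknown MBR code
14:12:05.862 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
14:41:30.639 Disk 0 MBR has been saved successfully to "C:\Users\WS301\Desktop\MBR.dat"
"""
```

Running `triage_tdsskiller(SAMPLE_TDSS)` yields the two detections the log reports (the DR0 boot sector and AFD), three objects that are only fixed on reboot, and a follow-up asking for a reboot and a second MBR check, which is what the next posts in this thread do.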
     
  8. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    Oh, also Mic. Sec. Ess. picked up an "Exploit:Java/CVE-2012-0507.D!ldr" during the aswMBR scan and quarantined it. Should I disable MSE for the time being?
     
  9. Broni

    Broni Malware Annihilator Posts: 47,641   +267

    Good news :)

    Only when clearly indicated.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    Despite the log, I did disable real-time protection for MSE and also killed the process from task manager, because it popped up that I should exit it.


    ComboFix 12-04-06.03 - WS301 04/06/2012 15:12:54.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2270 [GMT -4:00]
    Running from: c:\users\WS301\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Microsoft
    c:\microsoft\Internet Explorer\Quick Launch\Malware Protection.lnk
    c:\programdata\wLUs9jOMFUvdbB
    c:\users\debbie\AppData\Local\{80283EA3-C225-4C6B-9320-C1025AED0BD6}
    c:\users\debbie\AppData\Local\{80283EA3-C225-4C6B-9320-C1025AED0BD6}\chrome.manifest
    c:\users\debbie\AppData\Local\{80283EA3-C225-4C6B-9320-C1025AED0BD6}\chrome\content\overlay.xul
    c:\users\debbie\AppData\Local\{80283EA3-C225-4C6B-9320-C1025AED0BD6}\install.rdf
    c:\users\debbie\AppData\Roaming\avbase.dat
    c:\users\WS301\AppData\Local\.#
    c:\windows\$NtUninstallKB50607$
    c:\windows\$NtUninstallKB50607$\2458081068\L\qnbwvoto
    c:\windows\iun6002.exe
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\dds_trash_log.cmd
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-06 to 2012-04-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-06 19:20 . 2012-04-06 19:20 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{872F984A-98DB-4DD2-A81F-B011599E53A8}\offreg.dll
    2012-04-06 17:53 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{872F984A-98DB-4DD2-A81F-B011599E53A8}\mpengine.dll
    2012-04-06 17:38 . 2012-04-06 17:38 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-06 13:20 . 2012-04-06 13:20 -------- d-----w- c:\program files\Mbam
    2012-04-05 19:41 . 2012-04-05 19:41 -------- d-----w- c:\windows\Sun
    2012-04-05 19:31 . 2012-04-05 19:31 -------- d-----w- c:\programdata\WindowsSearch
    2012-04-05 18:15 . 2012-04-05 18:34 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-14 06:56 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-03-14 06:55 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-03-14 06:55 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-03-14 06:55 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-03-14 06:55 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-03-14 06:55 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2012-03-14 06:55 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-03-14 06:53 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-03-14 06:53 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-06 17:39 . 2011-06-15 09:18 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-05 18:34 . 2012-01-24 14:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-14 02:15 . 2011-12-20 18:43 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-02-10 14:35 . 2012-02-10 14:36 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7AD19C8B-2A0B-414E-B130-E2E4F3A393DF}\gapaengine.dll
    2012-01-31 12:44 . 2009-10-03 06:57 237072 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-09 02:13 . 2011-05-14 11:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2010-07-27 19:35 . 2009-09-30 21:09 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
    "WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-27 30192]
    "DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
    "CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-05-03 283792]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg wsauth
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ExifLauncher2.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ExifLauncher2.lnk
    backup=c:\windows\pss\ExifLauncher2.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    2008-09-24 20:57 2254120 ----a-w- c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 253600]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    nmap
    vpnva
    giveio
    compaq_rba
    point32
    sandradatasrv
    ovepstatusengine
    ftsata2
    SilverLink
    hsfhwbs2
    symantecantibotdriver
    fuj02b1
    NtMtlFax
    cmdagent
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-05 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 18:34]
    .
    2011-12-01 c:\windows\Tasks\HPCeeScheduleFordebbie.job
    - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-11-22 19:12]
    .
    2011-12-05 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} - hxxps://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_28//sframe/IETools.cab
    FF - ProfilePath - c:\users\WS301\AppData\Roaming\Mozilla\Firefox\Profiles\dto4vjea.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-86329660.sys
    MSConfigStartUp-LifeCam - c:\program files\Microsoft LifeCam\LifeExp.exe
    AddRemove-CaptureCAM-PLAYER - c:\windows\iun6002.exe
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
    "ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(716)
    c:\windows\system32\wsauth.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\program files\Nero\Nero BackItUp 4\IoctlSvc.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\program files\VMware\VMware View\Client\bin\wsnm.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe
    c:\windows\System32\rundll32.exe
    c:\program files\Windows Media Player\wmpnscfg.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\System32\spool\drivers\w32x86\3\WrtProc.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-04-06 15:28:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-06 19:27
    .
    Pre-Run: 160,826,003,456 bytes free
    Post-Run: 162,042,368,000 bytes free
    .
    - - End Of File - - E607942FA3DD1B96706764EC4D06B8D1
     
  11. Broni

    Broni Malware Annihilator Posts: 47,641   +267

    Looks good.

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
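    The OTL run requested here produces a "Win32 Services (SafeList)" section, and the ComboFix log earlier in the thread lists the names registered under "Svchost - NetSvcs". Cross-referencing the two is how a helper spots leftover svchost loading points: a NetSvcs name whose service entry says "File not found" is a registry remnant of something that no longer exists on disk. As an added example (not from this thread, not OldTimer's OTL and not ComboFix), the Python below parses OTL-format service lines and flags the ones worth a closer look. The sample lines follow OTL's line format but every name, path and vendor in them is constructed, and the NetSvcs set is hypothetical.

```python
"""Added example: triage the 'Win32 Services' section of an OTL log.
Not the thread's code and not OldTimer's OTL; the sample lines below are
constructed in OTL's line format and the NetSvcs names are hypothetical."""
import re

# Two line shapes appear in OTL output:
#   SRV - File not found [Auto | Stopped] -- <path> -- (<name>)
#   SRV - [<date> | <size> | ---- | M] (<company>) [<start> | <state>] -- <path> -- (<name>)
SRV_LINE = re.compile(
    r"^SRV - (?:(?P<missing>File not found)|\[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\)) "
    r"\[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)


def parse_srv_line(line: str):
    """Return a dict for one OTL service line, or None if the line is not a SRV entry."""
    match = SRV_LINE.match(line.strip())
    if match is None:
        return None
    return {
        "name": match.group("name"),
        "path": match.group("path"),
        "start": match.group("start").strip(),
        "state": match.group("state").strip(),
        "company": (match.group("company") or "").strip(),
        "file_missing": match.group("missing") is not None,
    }


def triage_services(lines, netsvcs_names):
    """Flag service entries that deserve review; one finding per line at most."""
    findings = []
    for line in lines:
        svc = parse_srv_line(line)
        if svc is None:
            continue  # DRV, PRC and other section lines are ignored here
        if svc["file_missing"] and svc["name"] in netsvcs_names:
            findings.append({"name": svc["name"], "severity": "high",
                             "reason": "NetSvcs service whose DLL is gone: a leftover svchost "
                                       "loading point that should be removed from the registry"})
        elif svc["file_missing"] and svc["start"] == "Auto":
            findings.append({"name": svc["name"], "severity": "medium",
                             "reason": "auto-start service whose binary is missing"})
        elif not svc["file_missing"] and not svc["company"]:
            findings.append({"name": svc["name"], "severity": "low",
                             "reason": "running binary with no company name; verify it by hash"})
    return findings


# Constructed sample lines in OTL's format (names, paths and vendors are invented).
SAMPLE_OTL_LINES = [
    r"SRV - File not found [Auto | Stopped] -- %systemroot%\system32\example1.dll -- (svcalpha)",
    r"SRV - File not found [Auto | Stopped] -- C:\Program Files\Example AV\Engine\avsvc.exe /s -- (Example AV)",
    r"SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Example Vendor) [Auto | Running] -- C:\Program Files\Example\updater.exe -- (ExampleUpdater)",
    r"SRV - [2007/04/13 12:20:22 | 000,097,432 | ---- | M] () [Auto | Running] -- C:\Program Files\Example\nocompany.exe -- (NoCompanySvc)",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\example.sys -- (ExampleDrv)",
]
# Hypothetical NetSvcs list, in the shape ComboFix prints under 'Svchost - NetSvcs'.
SAMPLE_NETSVCS = {"svcalpha", "svcbeta"}

if __name__ == "__main__":
    for finding in triage_services(SAMPLE_OTL_LINES, SAMPLE_NETSVCS):
        print("%-6s %-16s %s" % (finding["severity"], finding["name"], finding["reason"]))
```

    To use it on a real case, read OTL.txt line by line into `triage_services` and fill the set from the names ComboFix printed under NetSvcs; a "File not found" entry that is merely an uninstalled vendor service (the medium finding) is usually harmless clutter, while a missing DLL that is still wired into svchost's NetSvcs group is the pattern this thread's logs show and is the one to clean up.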
     
     
  12. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    Computer seems to be ok, the Smart HDD shortcuts are still there though.

    OTL logfile created on: 4/6/2012 3:44:17 PM - Run 1
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\WS301\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.87 Gb Total Physical Memory | 1.89 Gb Available Physical Memory | 65.88% Memory free
    5.95 Gb Paging File | 5.02 Gb Available in Paging File | 84.42% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 221.63 Gb Total Space | 150.87 Gb Free Space | 68.07% Space Free | Partition Type: NTFS
    Drive D: | 11.25 Gb Total Space | 1.54 Gb Free Space | 13.71% Space Free | Partition Type: NTFS

    Computer Name: WS301 | User Name: WS301 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/04/06 15:43:40 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\WS301\Desktop\OTL.exe
    PRC - [2012/04/05 14:34:20 | 000,353,440 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.exe
    PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/06/15 16:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2011/04/27 16:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    PRC - [2011/04/27 16:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    PRC - [2011/02/18 19:38:24 | 000,793,200 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe
    PRC - [2011/02/18 19:37:56 | 000,494,192 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
    PRC - [2009/09/09 18:26:36 | 001,148,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
    PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/09/24 16:57:34 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    PRC - [2008/09/24 16:57:14 | 000,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
    PRC - [2008/09/11 01:37:36 | 000,024,576 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    PRC - [2007/04/18 11:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
    PRC - [2007/04/13 12:20:22 | 000,097,432 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
    PRC - [2007/02/04 15:02:14 | 000,079,400 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
    PRC - [2006/10/30 19:59:34 | 000,024,576 | ---- | M] () -- C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
    PRC - [2006/09/20 11:35:26 | 000,020,480 | ---- | M] () -- C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe


    ========== Modules (No Company Name) ==========

    MOD - [2006/10/30 19:59:34 | 000,024,576 | ---- | M] () -- C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
    MOD - [2006/09/20 11:35:26 | 000,020,480 | ---- | M] () -- C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\PSSdk23.dll -- (vpnva)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\p1110vid.dll -- (symantecantibotdriver)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\cicssfs.scmmc223.dll -- (ovepstatusengine)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\statusagent.dll -- (NtMtlFax)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Program Files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll /prefetch:1 -- (Norton Internet Security)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\SE2Dobex.dll -- (nmap)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\fsaa.dll -- (giveio)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\efs.dll -- (fuj02b1)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\w800obex.dll -- (ftsata2)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\fltmgr.dll -- (compaq_rba)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\acprfmgrsvc.dll -- (cmdagent)
    SRV - [2012/04/05 14:34:21 | 000,253,600 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/04/27 16:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
    SRV - [2011/04/27 16:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2011/02/18 19:38:24 | 000,793,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe -- (wsnm_usbctrl)
    SRV - [2011/02/18 19:37:56 | 000,494,192 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe -- (wsnm)
    SRV - [2008/09/24 16:57:34 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
    SRV - [2008/09/24 16:57:14 | 000,081,920 | ---- | M] (Prolific Technology Inc.) [Auto | Running] -- C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe -- (PLFlash DeviceIoControl Service)
    SRV - [2008/09/11 01:37:36 | 000,024,576 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
    SRV - [2008/08/09 00:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
    SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/04/13 12:20:22 | 000,097,432 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)
    DRV - File not found [File_System | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS -- (SRTSP)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\PCASp50.sys -- (PCASp50)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVEX15.SYS -- (NAVEX15)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVENG.SYS -- (NAVENG)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2011/04/27 16:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2011/04/18 14:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
    DRV - [2011/02/18 19:38:24 | 000,039,984 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vmwvusb.sys -- (vmwvusb)
    DRV - [2010/05/20 18:27:24 | 000,030,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nx6000.sys -- (MSHUSBVideo)
    DRV - [2008/09/27 02:51:00 | 007,478,496 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/09/10 08:48:20 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
    DRV - [2008/09/10 08:46:22 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
    DRV - [2008/09/09 20:58:08 | 000,020,640 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\PC-Doctor for Windows\pcd5srvc.pkms -- (PCD5SRVC{BD6912E3-AC9D80E8-05040000})
    DRV - [2008/09/04 07:34:34 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
    DRV - [2008/08/01 08:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2008/07/21 12:12:50 | 000,133,152 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\nvrd32.sys -- (nvrd32)
    DRV - [2008/07/21 12:12:22 | 000,145,952 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
    DRV - [2008/05/22 05:39:34 | 000,015,360 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
    DRV - [2007/07/16 17:29:33 | 000,017,432 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hpfxbulk.sys -- (HPFXBULK)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
    IE - HKLM\..\SearchScopes,DefaultScope = {0ED26115-6639-4D15-9D92-2EB2A4E20FE6}
    IE - HKLM\..\SearchScopes\{0ED26115-6639-4D15-9D92-2EB2A4E20FE6}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
    IE - HKLM\..\SearchScopes\{906B07A0-4D8B-4FB3-A37D-4B3E5E393243}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\..\SearchScopes\{0ED26115-6639-4D15-9D92-2EB2A4E20FE6}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF&src=IE-SearchBox
    IE - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7GGLD_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=D8B75hlZAuvOHfwQlU_2q7H-9xg?q={searchTerms}
    IE - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_228.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/27 00:04:46 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/08 22:13:35 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/13 11:06:16 | 000,000,000 | ---D | M]

    [2012/02/21 10:51:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\WS301\AppData\Roaming\Mozilla\Extensions
    [2011/12/19 11:02:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/12/19 11:02:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
    [2011/11/08 22:13:35 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/11/10 06:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2011/10/05 04:49:39 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/11/08 22:13:35 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/04/06 15:22:26 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
    O4 - HKLM..\Run: [CarboniteSetupLite] C:\Program Files\Carbonite\CarbonitePreinstaller.exe (Carbonite, Inc.)
    O4 - HKLM..\Run: [DVDAgent] c:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
    O4 - HKLM..\Run: [UpdateP2GoShortCut] c:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePDIRShortCut] c:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePSTShortCut] c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [WrtMon.exe] C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O7 - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O15 - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\..Trusted Domains: localhost ([]http in Local intranet)
    O16 - DPF: {4912ED81-BD9F-485E-86CA-BD62EC957435} https://ecospda.bethesdahealthcare.com/SOARIANWEBPROD2_020551029_M0K0_p_htm_28//sframe/IETools.cab (Soarian Frame Tools for Internet Explorer)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4D268137-E37D-415F-BCE5-95EFF1F7D50E}: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
    O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O30 - LSA: Security Packages - (wsauth) - C:\Windows\System32\wsauth.dll (VMware, Inc.)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: nmap - %systemroot%\system32\SE2Dobex.dll File not found
    NetSvcs: vpnva - %systemroot%\system32\PSSdk23.dll File not found
    NetSvcs: giveio - %systemroot%\system32\fsaa.dll File not found
    NetSvcs: compaq_rba - %systemroot%\system32\fltmgr.dll File not found
    NetSvcs: point32 - File not found
    NetSvcs: sandradatasrv - File not found
    NetSvcs: ovepstatusengine - %systemroot%\system32\cicssfs.scmmc223.dll File not found
    NetSvcs: ftsata2 - %systemroot%\system32\w800obex.dll File not found
    NetSvcs: SilverLink - File not found
    NetSvcs: hsfhwbs2 - File not found
    NetSvcs: symantecantibotdriver - %systemroot%\system32\p1110vid.dll File not found
    NetSvcs: fuj02b1 - %systemroot%\system32\efs.dll File not found
    NetSvcs: NtMtlFax - %systemroot%\system32\statusagent.dll File not found
    NetSvcs: cmdagent - %systemroot%\system32\acprfmgrsvc.dll File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv50 - C:\Windows\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/04/06 15:43:33 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Users\WS301\Desktop\OTL.exe
    [2012/04/06 15:28:12 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/04/06 15:28:11 | 000,000,000 | ---D | C] -- C:\Users\WS301\AppData\Local\temp
    [2012/04/06 15:22:33 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/04/06 15:22:33 | 000,000,000 | -HSD | C] -- \$RECYCLE.BIN
    [2012/04/06 15:03:03 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/04/06 15:03:02 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/04/06 15:03:02 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/04/06 15:03:00 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/04/06 15:02:59 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/04/06 15:02:59 | 000,000,000 | ---D | C] -- \ComboFix
    [2012/04/06 15:00:52 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/04/06 15:00:52 | 000,000,000 | ---D | C] -- \Qoobox
    [2012/04/06 14:59:06 | 004,450,572 | R--- | C] (Swearware) -- C:\Users\WS301\Desktop\ComboFix.exe
    [2012/04/06 14:42:37 | 000,000,000 | ---D | C] -- C:\Users\WS301\Desktop\bootkit_remover
    [2012/04/06 14:06:19 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\WS301\Desktop\aswMBR.exe
    [2012/04/06 14:03:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/04/06 13:38:18 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/04/06 13:38:18 | 000,000,000 | ---D | C] -- \TDSSKiller_Quarantine
    [2012/04/06 13:36:22 | 000,000,000 | ---D | C] -- C:\Users\WS301\Desktop\tdsskiller
    [2012/04/06 09:20:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mbam
    [2012/04/06 09:20:17 | 000,000,000 | ---D | C] -- C:\Program Files\Mbam
    [2012/04/06 08:50:04 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\WS301\Desktop\dds.scr
    [2012/04/06 08:49:14 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\WS301\Desktop\yessir.exe
    [2012/04/05 17:15:34 | 000,000,000 | ---D | C] -- C:\Users\WS301\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD
    [2012/04/05 15:41:16 | 000,000,000 | ---D | C] -- C:\Windows\Sun
    [2012/04/05 15:31:40 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch

    ========== Files - Modified Within 30 Days ==========

    [2012/04/06 15:43:40 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\WS301\Desktop\OTL.exe
    [2012/04/06 15:35:04 | 000,657,844 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/04/06 15:35:04 | 000,125,368 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/04/06 15:30:38 | 000,003,616 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/04/06 15:30:38 | 000,003,616 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/04/06 15:30:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/04/06 15:30:29 | 3085,361,152 | -HS- | M] () -- C:\hiberfil.sys
    [2012/04/06 15:22:26 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/04/06 14:59:13 | 004,450,572 | R--- | M] (Swearware) -- C:\Users\WS301\Desktop\ComboFix.exe
    [2012/04/06 14:42:28 | 000,044,607 | ---- | M] () -- C:\Users\WS301\Desktop\bootkit_remover.zip
    [2012/04/06 14:41:30 | 000,000,512 | ---- | M] () -- C:\Users\WS301\Desktop\MBR.dat
    [2012/04/06 14:06:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\WS301\Desktop\aswMBR.exe
    [2012/04/06 13:35:16 | 002,053,661 | ---- | M] () -- C:\Users\WS301\Desktop\tdsskiller.zip
    [2012/04/06 09:20:18 | 000,000,714 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/04/06 09:18:16 | 177,070,869 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/04/06 08:50:04 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\WS301\Desktop\dds.scr
    [2012/04/06 08:49:48 | 000,302,592 | ---- | M] () -- C:\Users\WS301\Desktop\7rlet47u.exe
    [2012/04/06 08:49:32 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\WS301\Desktop\yessir.exe
    [2012/04/05 17:20:07 | 000,000,168 | ---- | M] () -- C:\ProgramData\-wLUs9jOMFUvdbBr
    [2012/04/05 17:20:07 | 000,000,000 | ---- | M] () -- C:\ProgramData\-wLUs9jOMFUvdbB
    [2012/04/05 17:15:34 | 000,000,629 | ---- | M] () -- C:\Users\WS301\Application Data\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk
    [2012/04/05 17:15:34 | 000,000,605 | ---- | M] () -- C:\Users\WS301\Desktop\SMART_HDD.lnk
    [2012/04/05 15:36:42 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/03/14 03:20:54 | 000,402,504 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

    ========== Files Created - No Company Name ==========

    [2012/04/06 15:03:03 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/04/06 15:03:02 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/04/06 15:03:02 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/04/06 15:03:02 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/04/06 15:03:02 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/04/06 14:42:28 | 000,044,607 | ---- | C] () -- C:\Users\WS301\Desktop\bootkit_remover.zip
    [2012/04/06 14:41:30 | 000,000,512 | ---- | C] () -- C:\Users\WS301\Desktop\MBR.dat
    [2012/04/06 14:03:31 | 000,000,909 | ---- | C] () -- C:\Users\WS301\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/04/06 14:03:31 | 000,000,904 | ---- | C] () -- C:\Users\WS301\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2012/04/06 14:03:31 | 000,000,896 | ---- | C] () -- C:\Users\WS301\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2012/04/06 14:03:31 | 000,000,258 | ---- | C] () -- C:\Users\WS301\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
    [2012/04/06 14:03:31 | 000,000,240 | ---- | C] () -- C:\Users\WS301\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
    [2012/04/06 13:39:25 | 3085,361,152 | -HS- | C] () -- C:\hiberfil.sys
    [2012/04/06 13:39:25 | 3085,361,152 | -HS- | C] () -- \hiberfil.sys
    [2012/04/06 13:35:12 | 002,053,661 | ---- | C] () -- C:\Users\WS301\Desktop\tdsskiller.zip
    [2012/04/06 09:20:18 | 000,000,714 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/04/06 08:49:47 | 000,302,592 | ---- | C] () -- C:\Users\WS301\Desktop\7rlet47u.exe
    [2012/04/05 17:15:36 | 000,000,168 | ---- | C] () -- C:\ProgramData\-wLUs9jOMFUvdbBr
    [2012/04/05 17:15:36 | 000,000,000 | ---- | C] () -- C:\ProgramData\-wLUs9jOMFUvdbB
    [2012/04/05 17:15:34 | 000,000,629 | ---- | C] () -- C:\Users\WS301\Application Data\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk
    [2012/04/05 17:15:34 | 000,000,605 | ---- | C] () -- C:\Users\WS301\Desktop\SMART_HDD.lnk
    [2012/04/05 14:15:08 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2011/12/19 11:32:13 | 000,172,945 | ---- | C] () -- C:\Windows\hppins13.dat
    [2011/12/19 11:32:12 | 000,006,760 | ---- | C] () -- C:\Windows\hppmdl13.dat
    [2011/12/19 11:31:57 | 000,000,619 | ---- | C] () -- C:\Windows\System32\hppapr13.dat
    [2011/12/19 10:52:30 | 000,000,680 | ---- | C] () -- C:\Users\WS301\AppData\Local\d3d9caps.dat
    [2011/08/10 03:02:23 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
    [2010/06/30 03:12:16 | 000,013,312 | ---- | C] () -- C:\Windows\LPRES.DLL

    ========== LOP Check ==========

    [2011/12/13 22:41:44 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\829F552B
    [2009/08/11 16:50:20 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\CallingID
    [2009/04/23 13:30:40 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\Canon
    [2011/12/19 12:57:01 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\FUJIFILM
    [2009/09/14 18:43:15 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\NewSoft
    [2009/03/27 18:37:56 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\PictureMover
    [2009/08/24 15:09:25 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\Purple Ghost Software, Inc
    [2009/03/27 21:41:57 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\ScanSoft
    [2009/05/11 14:21:46 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\WinBatch
    [2012/02/24 10:15:43 | 000,000,000 | ---D | M] -- C:\Users\WS301\AppData\Roaming\AVG
    [2011/12/19 10:52:51 | 000,000,000 | ---D | M] -- C:\Users\WS301\AppData\Roaming\PictureMover
    [2011/12/04 20:12:08 | 000,000,456 | ---- | M] () -- C:\Windows\Tasks\PCDRScheduledMaintenance.job
    [2012/04/06 15:29:42 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/04/11 02:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2008/11/22 17:43:02 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
    [2009/03/27 19:17:41 | 000,055,414 | ---- | M] () -- C:\caavsetupLog.txt
    [2009/08/24 19:09:17 | 001,916,818 | ---- | M] () -- C:\caisslog.txt
    [2012/04/06 15:28:10 | 000,011,928 | ---- | M] () -- C:\ComboFix.txt
    [2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2010/10/07 17:27:12 | 000,000,500 | ---- | M] () -- C:\FINIS_IT.TXT
    [2012/04/06 15:30:29 | 3085,361,152 | -HS- | M] () -- C:\hiberfil.sys
    [2012/04/06 15:30:27 | 3399,233,536 | -HS- | M] () -- C:\pagefile.sys
    [2008/11/22 18:30:40 | 000,000,349 | ---- | M] () -- C:\updatedatfix.log
    [2008/08/26 08:37:52 | 000,000,458 | ---- | M] () -- C:\Windows Sidebar

    < %systemroot%\Fonts\*.com >
    [2006/11/02 08:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 08:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 08:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2011/12/19 12:06:03 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 17:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2007/04/15 23:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNMPD8Z.DLL
    [2007/04/15 23:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNMPP8Z.DLL
    [2010/04/15 18:33:02 | 000,281,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\hpcpp093.DLL
    [2007/03/15 18:32:10 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\hpzpp5ha.dll
    [2008/01/20 22:23:14 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\HPZPPLHN.DLL
    [2006/11/02 08:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll
    [2006/10/26 22:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\msonpppr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/01/20 22:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/01/20 23:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2008/01/20 23:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2008/01/20 23:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2012/02/02 11:12:53 | 000,000,286 | -HS- | M] () -- C:\Users\WS301\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/04/06 08:49:48 | 000,302,592 | ---- | M] () -- C:\Users\WS301\Desktop\7rlet47u.exe
    [2012/04/06 14:06:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\WS301\Desktop\aswMBR.exe
    [2012/04/06 14:59:13 | 004,450,572 | R--- | M] (Swearware) -- C:\Users\WS301\Desktop\ComboFix.exe
    [2012/04/06 15:43:40 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\WS301\Desktop\OTL.exe
    [2012/04/06 08:49:32 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\WS301\Desktop\yessir.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012/04/05 15:36:42 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2011/12/01 15:26:03 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleFordebbie.job
    [2011/12/04 20:12:08 | 000,000,456 | ---- | M] () -- C:\Windows\tasks\PCDRScheduledMaintenance.job
    [2012/04/06 15:30:35 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2012/04/06 15:29:42 | 000,032,582 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/12/19 10:52:13 | 000,000,402 | -HS- | M] () -- C:\Users\WS301\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2012/04/05 17:20:07 | 000,000,000 | ---- | M] () -- C:\ProgramData\-wLUs9jOMFUvdbB
    [2012/04/05 17:20:07 | 000,000,168 | ---- | M] () -- C:\ProgramData\-wLUs9jOMFUvdbBr
    [2011/05/15 21:25:39 | 000,010,916 | -HS- | M] () -- C:\ProgramData\edl3w23oj3p
    [2011/05/21 01:28:53 | 000,010,818 | -HS- | M] () -- C:\ProgramData\hk67n73apv1
    [2011/12/19 13:14:13 | 000,005,480 | ---- | M] () -- C:\ProgramData\hpzinstall.log
    [2011/12/23 10:25:55 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    < >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:0B4227B4

    < End of report >
     
  13. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    OTL Extras logfile created on: 4/6/2012 3:44:17 PM - Run 1
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\WS301\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.87 Gb Total Physical Memory | 1.89 Gb Available Physical Memory | 65.88% Memory free
    5.95 Gb Paging File | 5.02 Gb Available in Paging File | 84.42% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 221.63 Gb Total Space | 150.87 Gb Free Space | 68.07% Space Free | Partition Type: NTFS
    Drive D: | 11.25 Gb Total Space | 1.54 Gb Free Space | 13.71% Space Free | Partition Type: NTFS

    Computer Name: WS301 | User Name: WS301 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0632F3AE-FDEC-41A8-8B54-A2F06DEA9D97}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2D1FA720-96A2-4471-BF0C-2D384BEF6E25}" = rport=445 | protocol=6 | dir=out | app=system |
    "{4EF3E28B-864F-451C-A348-8C730ACF59AE}" = rport=138 | protocol=17 | dir=out | app=system |
    "{585AB984-C3AD-48CA-94DE-74E018D1CD7C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5DFD0D96-D422-4B44-A4FF-A09566C3C1B3}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{5F5554B3-378F-468D-8130-DD4E9D319D97}" = lport=137 | protocol=17 | dir=in | app=system |
    "{69079CE2-9B94-4E0D-8C0C-ED19EA7F8E7E}" = rport=139 | protocol=6 | dir=out | app=system |
    "{946A6496-4D38-4F1F-87DA-097ADC515783}" = rport=137 | protocol=17 | dir=out | app=system |
    "{988CE96E-6F62-413C-8055-5587EB8FC9DB}" = lport=138 | protocol=17 | dir=in | app=system |
    "{B1A4AAE4-3AA4-4397-A52D-C9FA11C4ED12}" = lport=139 | protocol=6 | dir=in | app=system |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{19763876-7F2A-4E66-9AC7-BCF44C7E5974}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
    "{1C987232-B779-4270-B28C-147F44E0DA51}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe |
    "{211C372F-0743-49EE-AD6F-68EE9C8D8874}" = protocol=17 | dir=in | app=c:\program files\vmware\vmware view\client\bin\wswc.exe |
    "{21453D3B-9BDA-42D9-B7E8-884D30FCFFDE}" = protocol=17 | dir=in | app=c:\program files\vmware\vmware view\client\bin\vmware-remotemks.exe |
    "{4DEC923A-730D-44D6-B259-2E74A8EBBAC9}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe |
    "{5307AA04-D6D6-4AAE-85B4-AD73B98F6A78}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{58239D97-038C-40E7-9285-453C588735F8}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{5AD0F84B-2B5F-4842-BFF0-A05FD5D22C62}" = protocol=17 | dir=in | app=c:\program files\vmware\vmware view\client\bin\vmware-remotemks.exe |
    "{5C69C3EB-CB7B-468D-BAEC-458B1B6379B7}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{5CD7C81C-7023-4A52-8E05-68A1BBBB8761}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hpdvdsmart.exe |
    "{62E8FAF7-DADA-4292-8AAD-71317BDFEC52}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe |
    "{6A361923-3436-40EB-BA2F-D568CBC14F4B}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{79C78FE0-8586-48AA-8C45-434DFEBA12A9}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqscnvw.exe |
    "{7C7178B8-B1D0-4856-BFED-2FDAA6BE1D23}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
    "{7F7102FA-D7E5-48C9-B6D8-A85A633677D3}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqfxt08.exe |
    "{831F001D-1344-40C3-BA49-878678A4EB0A}" = protocol=6 | dir=in | app=c:\program files\vmware\vmware view\client\bin\wswc.exe |
    "{87BE6957-C32B-4A68-B82B-38662ED5F33C}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpofxs08.exe |
    "{886F9348-B415-4932-922C-E417331F170C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{9484048D-2D90-47D4-8A19-D01608DA4635}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{9AEF19B6-CBB4-48CE-831C-7434D2A47DCE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |
    "{9F6F3C81-F759-4E7A-A983-0338FF6D0B76}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqnrs08.exe |
    "{A64E55AD-A77C-4E22-8E1E-D2818B0F2376}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe |
    "{AA37E076-ADEE-4CA7-99E3-1CE21BC45051}" = protocol=6 | dir=in | app=c:\program files\vmware\vmware view\client\bin\vmware-remotemks.exe |
    "{ADF44E68-D983-4EAC-A168-38DC32EB9336}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |
    "{B72F86E3-E921-4FD6-80C1-C3C2DAA0C4B8}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposfx08.exe |
    "{B7F080BE-F53D-4340-B9AF-87EBE42FFF85}" = protocol=6 | dir=in | app=c:\program files\vmware\vmware view\client\bin\wswc.exe |
    "{BD180B37-5F7E-4D54-A18C-063285498E7B}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe |
    "{BDDB921A-2A6A-48F3-8F51-7A20C9EF3F34}" = protocol=17 | dir=in | app=c:\program files\vmware\vmware view\client\bin\wswc.exe |
    "{D15AF349-A769-462E-BB9D-2A7AAE3B3076}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqcopy2.exe |
    "{D5D03957-B5F0-473F-8E32-A9AA48926D9F}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe |
    "{DEE1CAEF-A3FA-4287-BBEB-9CC36BDE4F00}" = protocol=6 | dir=in | app=c:\program files\vmware\vmware view\client\bin\vmware-remotemks.exe |
    "{E4554D11-C123-4015-B435-D70DDA5E513E}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpofxm08.exe |
    "{E6A13D51-D595-4CB1-AEFD-3B842459F775}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpzwiz01.exe |
    "{F9E614FA-B783-4461-9D3C-72F11D50F32B}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqkygrp.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
    "{0360D8F0-626A-4E87-8A16-938BD0BEBCC5}" = 32 Bit HP CIO Components Installer
    "{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
    "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series" = Canon MX310 series
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
    "{1896E712-2B3D-45eb-BCE9-542742A51032}" = PictureMover
    "{19506BDB-4EA7-491F-E8AB-E97109FDB296}" = muvee Reveal
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
    "{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
    "{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 30
    "{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
    "{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
    "{38058455-8C21-4C2F-B2F6-14ED166039CB}" = HP Total Care Setup
    "{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}" = HP Advisor
    "{48BF4489-0C58-4E80-BB17-94A673CE310A}" = HP Demo
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
    "{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup
    "{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
    "{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
    "{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
    "{5BD0CB24-11AF-4BA8-A198-38D25257C656}" = LightScribe Template Labeler
    "{5C1A8800-9D79-43FF-9432-921ACB7AA69D}" = VZAccess Manager for RIM
    "{6423EF83-6E1D-4D22-A36F-689CD19FD4D2}" = Juno Preloader
    "{64B9E2F5-558E-4C56-B419-A1679518F6E7}" = HP Customer Experience Enhancements
    "{65883ddf-2152-4cb7-8e13-b99194b13498}" = Nero BackItUp
    "{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
    "{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
    "{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
    "{6F801026-6AF0-4520-9153-4C9B4CAAB361}" = HP LaserJet P2050 Series 6.0
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{730837D4-FF5E-48DB-BA49-33E732DFF0B3}" = PanoStandAlone
    "{75c53f52-398b-4d66-b28a-f9ef170b3b34}" = Nero BackItUp
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{7F10292C-A190-4176-A665-A1ED3478DF86}" = LightScribe System Software
    "{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
    "{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
    "{89B6F63A-7E0C-424A-9D39-C4EF59E96D78}" = hppQFolderP2050
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}" = MobileMe Control Panel
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{995F2783-8311-49BF-833E-DB659774B4F6}" = hppFonts
    "{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
    "{A0640EC2-B97E-4FC1-AD14-227C9E386BB4}" = HP Recovery Manager RSS
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A3AE0EFB-C8C2-4AF5-9841-459DB1C138CF}" = Crystal Reports 10 Support Files
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
    "{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center
    "{B2F3DBD9-A9D2-4838-B45D-C917DAB32BC3}" = ScanSoft OmniPage SE 4
    "{B34E4B72-37C6-4f79-A5B3-008EEFC6EA8B}" = PS_AIO_02_Software_min
    "{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
    "{B46AC30C-22D2-4610-B041-1DA7BB29EB57}" = HP Photosmart All-In-One Software 9.0
    "{B7E5D642-E74E-40a4-B5C7-6AB6EE916814}" = PS_AIO_02_ProductContext
    "{BC10649A-983B-494e-AD1F-DE0BF717D701}" = PS_AIO_02_Software
    "{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}" = Nero ControlCenter
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{C708333C-B1B9-43be-B797-49FEC7A8D15B}" = C5200
    "{CA78EE0D-B198-46BF-80E6-89EE4D49101D}" = VMware View Client
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
    "{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
    "{D1E03284-66FD-4292-8239-504CEC5B0CC3}" = C5200_doccd
    "{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.16
    "{d6937b6b-6573-4ad2-bd7a-4ae8f235be98}" = Revenue Management
    "{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
    "{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
    "{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
    "{ED01C034-09A6-4C4F-A7B5-A1B5ADBA4542}" = Lytec 2011 Professional
    "{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
    "{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
    "{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
    "{FDB5E0F3-86EA-4379-8A2F-1BC2436543E9}" = iCloud
    "{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Canon MX310 series User Registration" = Canon MX310 series User Registration
    "CANONIJPLM100" = PIXMA Extended Survey Program
    "CanonSolutionMenu" = Canon Utilities Solution Menu
    "Carbonite Setup Lite" = Carbonite Online Backup Setup
    "CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Soft Data Fax Modem with SmartCP
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
    "EOS USB WIA Driver" = EOS USB WIA Driver
    "Google Desktop" = Google Desktop
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "HP Imaging Device Functions" = HP Imaging Device Functions 9.0
    "HP Photosmart Essential" = HP Photosmart Essential 2.01
    "HP Smart Web Printing" = HP Smart Web Printing 4.60
    "HPOCR" = HP OCR Software 9.0
    "InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
    "Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
    "MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
    "NVIDIA Drivers" = NVIDIA Drivers
    "OfficeTrial" = Microsoft Office Home and Student 60 day trial
    "PC-Doctor for Windows" = Hardware Diagnostic Tools
    "TransferMy Music_is1" = TransferMy Music 2.0.4.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 4/6/2012 1:33:19 PM | Computer Name = WS301 | Source = EventSystem | ID = 4609
    Description =

    Error - 4/6/2012 1:37:35 PM | Computer Name = WS301 | Source = LoadPerf | ID = 3013
    Description =

    Error - 4/6/2012 1:37:35 PM | Computer Name = WS301 | Source = LoadPerf | ID = 3009
    Description =

    Error - 4/6/2012 1:41:06 PM | Computer Name = WS301 | Source = WinMgmt | ID = 10
    Description =

    Error - 4/6/2012 1:43:55 PM | Computer Name = WS301 | Source = WinMgmt | ID = 10
    Description =

    Error - 4/6/2012 1:49:37 PM | Computer Name = WS301 | Source = LoadPerf | ID = 3013
    Description =

    Error - 4/6/2012 1:49:37 PM | Computer Name = WS301 | Source = LoadPerf | ID = 3009
    Description =

    Error - 4/6/2012 3:11:53 PM | Computer Name = WS301 | Source = WinMgmt | ID = 10
    Description =

    Error - 4/6/2012 3:22:21 PM | Computer Name = WS301 | Source = WinMgmt | ID = 10
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = WinMgmt | ID = 10
    Description =

    [ Media Center Events ]
    Error - 4/7/2011 3:11:14 PM | Computer Name = debbie-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    [ OSession Events ]
    Error - 9/14/2010 1:58:57 PM | Computer Name = debbie-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 40
    seconds with 0 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7023
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7023
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7000
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7023
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7023
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7023
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7023
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7023
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7022
    Description =

    Error - 4/6/2012 3:32:13 PM | Computer Name = WS301 | Source = Service Control Manager | ID = 7026
    Description =


    < End of report >
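The "Shell Spawning" and "Security Center Settings" sections of the OTL log above are the two places a helper looks first for scareware tampering: a hijacked `exefile` association redirects every program launch through the malware, and the `*DisableNotify` / `*Override` values silence the Security Center. As an added example (not code from this thread or from OTL), the script below parses those two sections and reports any command or value that deviates from the Vista defaults shown in the log. The expected-value tables are my reading of the log's own lines; the clean sample is copied from the log, and the tampered variant (a hypothetical `launcher_example.exe` path and `AntiVirusDisableNotify = 1`) is constructed to show what the check reports when something is off.

```python
"""Audit OTL 'Shell Spawning' and 'Security Center Settings' output against known-good defaults."""
import re

# Known-good shell commands, taken from the defaults in the OTL log (assumption:
# these are the values a clean Vista/7 box shows for the risky file classes).
EXPECTED_SHELL = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "config"): '"%1"',
    ("scrfile", "open"): '"%1" /S',
}

# Security Center values that should all be 0 on a healthy system (from the log).
EXPECTED_SECURITY_CENTER = {
    "FirewallDisableNotify": 0,
    "AntiVirusDisableNotify": 0,
    "UpdatesDisableNotify": 0,
    "AntiVirusOverride": 0,
    "AntiSpywareOverride": 0,
    "FirewallOverride": 0,
}

SECTION_RE = re.compile(r'^\s*=+\s*(.*?)\s*=+\s*$')          # ========== Name ==========
SHELL_RE = re.compile(r'^\s*(\w+)\s+\[(\w+)\]\s+--\s+(.*?)\s*$')  # class [verb] -- command
VALUE_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*(\d+)\s*$')       # "Name" = 0


def parse_sections(text):
    """Split OTL output into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def check_shell_spawning(lines):
    """Return findings for shell commands that differ from the known-good default."""
    findings = []
    for line in lines:
        m = SHELL_RE.match(line)
        if not m:
            continue  # registry key headers and 'Reg Error' lines are skipped
        cls, verb, cmd = m.groups()
        expected = EXPECTED_SHELL.get((cls, verb))
        if expected is not None and cmd != expected:
            findings.append(f"{cls} [{verb}] is '{cmd}', expected '{expected}'")
    return findings


def check_security_center(lines):
    """Return findings for Security Center values that are not at their default."""
    findings = []
    for line in lines:
        m = VALUE_RE.match(line)
        if not m:
            continue  # non-numeric values such as the VistaSp1 'Reg Error' are skipped
        name, value = m.group(1), int(m.group(2))
        expected = EXPECTED_SECURITY_CENTER.get(name)
        if expected is not None and value != expected:
            findings.append(f"{name} = {value}, expected {expected}")
    return findings


def audit(text):
    """Run both checks over a whole OTL extras log; shell findings come first."""
    sections = parse_sections(text)
    return (check_shell_spawning(sections.get("Shell Spawning", []))
            + check_security_center(sections.get("Security Center Settings", [])))


# Constructed sample: the two sections as they appear in the log above (all defaults).
CLEAN_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
scrfile [config] -- "%1"
scrfile [open] -- "%1" /S
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"""

# Constructed tampered variant (hypothetical values, not from the log): exefile routed
# through a bogus launcher and antivirus notifications silenced.
TAMPERED_LOG = CLEAN_LOG.replace(
    'exefile [open] -- "%1" %*',
    'exefile [open] -- "C:\\ProgramData\\launcher_example.exe" "%1" %*',
).replace('"AntiVirusDisableNotify" = 0', '"AntiVirusDisableNotify" = 1')

if __name__ == "__main__":
    print("clean log findings:", audit(CLEAN_LOG))
    for finding in audit(TAMPERED_LOG):
        print("tampered log:", finding)
```

Only the file classes in `EXPECTED_SHELL` are compared, so the `Reg Error: Key error.` entries and the Explorer/rundll32 handlers in the log pass through untouched; extend the table if you want `regfile` or `txtfile` covered too.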
     
  14. Broni

    Broni Malware Annihilator Posts: 47,641   +267

    Good news :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\PSSdk23.dll -- (vpnva)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\p1110vid.dll -- (symantecantibotdriver)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\cicssfs.scmmc223.dll -- (ovepstatusengine)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\statusagent.dll -- (NtMtlFax)
      SRV - File not found [Auto | Stopped] -- C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Program Files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll /prefetch:1 -- (Norton Internet Security)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\SE2Dobex.dll -- (nmap)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\fsaa.dll -- (giveio)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\efs.dll -- (fuj02b1)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\w800obex.dll -- (ftsata2)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\fltmgr.dll -- (compaq_rba)
      SRV - File not found [Auto | Stopped] -- %systemroot%\system32\acprfmgrsvc.dll -- (cmdagent)
      DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)
      DRV - File not found [File_System | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS -- (SRTSP)
      DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\PCASp50.sys -- (PCASp50)
      DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
      DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVEX15.SYS -- (NAVEX15)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVENG.SYS -- (NAVENG)
      DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
      O15 - HKU\S-1-5-21-1652149106-3131603526-267303755-1003\..Trusted Domains: localhost ([]http in Local intranet)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2012/04/05 17:15:34 | 000,000,000 | ---D | C] -- C:\Users\WS301\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD
      [2012/04/05 17:15:34 | 000,000,605 | ---- | M] () -- C:\Users\WS301\Desktop\SMART_HDD.lnk
      [2011/12/13 22:41:44 | 000,000,000 | ---D | M] -- C:\Users\debbie\AppData\Roaming\829F552B
      @Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:0B4227B4
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ==================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  15. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    I'm really not sure what happened to the OTL log... I thought I saved it, but I can't seem to find it. SORRY! Should I run it again? :(

    Here are the others in the meantime.


    Results of screen317's Security Check version 0.99.24
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG PC Tuneup
    Norton Internet Security
    Microsoft Security Essentials
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    AVG PC Tuneup
    Java(TM) 6 Update 31
    Adobe Flash Player 11.2.202.228
    Adobe Reader X (10.1.2)
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Microsoft Security Client Antimalware MsMpEng.exe
    Microsoft Security Client Antimalware NisSrv.exe
    ``````````End of Log````````````
    ---------------------------------------------------------------

    Farbar Service Scanner Version: 01-03-2012
    Ran by WS301 (administrator) on 06-04-2012 at 16:38:19
    Running from "C:\Users\WS301\Desktop"
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys
    [2011-12-19 17:57] - [2011-09-20 17:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
    ----------------------------------------------------------

    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AG trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.KS trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AF trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\mbr0000\tdlfs0000\tsk0011.dta Win64/Olmarik.X trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\rtkt0000\svc0000\tsk0000.dta Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\rtkt0000\zafs0000\tsk0002.dta Win32/Sirefef.DN trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\rtkt0000\zafs0000\tsk0008.dta Win32/Sirefef.ES trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\06.04.2012_13.36.39\rtkt0000\zafs0000\tsk0010.dta a variant of Win32/Sirefef.EU trojan cleaned by deleting - quarantined
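The Farbar Service Scanner log above reports WinDefend set to Demand (Manual) instead of Auto, `DisableAntiSpyware=1` written under `HKLM\SOFTWARE\Microsoft\Windows Defender`, and `tcpip.sys` listed with its file metadata rather than "MD5 is legit", which only means FSS had no hash for that patch level. The following PowerShell script is an added example, not part of the thread and not Farbar's tool; it re-checks the same items on a live host. It assumes Windows Vista/7 with PowerShell 2.0 or later, default install paths, an elevated prompt, and that the registry locations listed under `$PolicyChecks` are the ones FSS reads (my assumption, not stated in the log).

```powershell
# Added example (not from the thread or from Farbar Service Scanner): re-check, on
# a live host, the items FSS reported in the log above. Run from an elevated prompt.
# Assumptions: Windows Vista/7, PowerShell 2.0 or later, default install paths.

# Start values under HKLM\SYSTEM\CurrentControlSet\Services: 2 = Auto, 3 = Manual
# (what FSS prints as "Demand"), 4 = Disabled. Expected values for a stock system.
$ExpectedStart = @{
    'WinDefend' = 2   # Windows Defender (Demand/3 on WS301 in the log above)
    'MpsSvc'    = 2   # Windows Firewall
    'BFE'       = 2   # Base Filtering Engine
    'wscsvc'    = 2   # Security Center
    'wuauserv'  = 2   # Windows Update
    'BITS'      = 2   # Background Intelligent Transfer Service
}

# Policy values read in the FSS "Disabled Policy" sections (assumed locations),
# with the value that means "protection off". Scareware writes these directly.
$PolicyChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                         Name = 'DisableAntiSpyware'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Name = 'DisableAntiSpyware'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR';          Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';     Bad = 0 }
)

# System files FSS hashed above. A hash list goes stale with every patch;
# an Authenticode check does not.
$SystemFiles = @(
    'system32\Drivers\tcpip.sys', 'system32\Drivers\afd.sys', 'system32\Drivers\tdx.sys',
    'system32\Drivers\nsiproxy.sys', 'system32\Drivers\mpsdrv.sys',
    'system32\svchost.exe', 'system32\rpcss.dll', 'system32\dnsrslvr.dll'
)

function Test-ServiceStart {
    $findings = @()
    foreach ($name in $ExpectedStart.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) { $findings += "${name}: service key missing"; continue }
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -ne $ExpectedStart[$name]) {
            $findings += "${name}: start type $start, expected $($ExpectedStart[$name])"
        }
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Running') { $findings += "${name}: $($svc.Status)" }
    }
    return $findings
}

function Test-DisabledPolicies {
    $findings = @()
    foreach ($c in $PolicyChecks) {
        if (-not (Test-Path $c.Key)) { continue }
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($v -ne $null -and $v -eq $c.Bad) { $findings += "$($c.Key)\$($c.Name) = $v" }
    }
    return $findings
}

function Test-SystemFileSignatures {
    $findings = @()
    foreach ($rel in $SystemFiles) {
        $f = Join-Path $env:SystemRoot $rel
        if (-not (Test-Path $f)) { $findings += "${f}: missing"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $f
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        switch ($sig.Status) {
            'Valid' {
                if ($signer -notmatch 'O=Microsoft Corporation') { $findings += "${f}: signed by $signer" }
            }
            'NotSigned' {
                # Before PowerShell 5.1 this cmdlet ignores catalog signatures, so a
                # genuine catalog-signed Windows file also reports NotSigned. Confirm
                # those with Sysinternals sigcheck or "signtool verify /a" before
                # treating them as tampered.
                $findings += "${f}: no embedded signature (verify against the catalog)"
            }
            default { $findings += "${f}: signature $($sig.Status) by $signer" }
        }
    }
    return $findings
}

function Invoke-HostCheck {
    $all = @(Test-ServiceStart) + @(Test-DisabledPolicies) + @(Test-SystemFileSignatures)
    if ($all.Count -eq 0) { 'No findings.' } else { $all }
}

Invoke-HostCheck
```

On the machine in this thread the script would report `WinDefend: start type 3, expected 2` and `HKLM:\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = 1`, matching the FSS log. A `HashMismatch` or an untrusted chain on any of the listed drivers is the result that points at a patched or replaced system file; a plain `NotSigned` on an old PowerShell is usually just a catalog-signed file and needs the second check described in the comment.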
     
  16. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    I'll be back on Monday to follow up with this thread since it's a business computer and it's already 9pm. Sorry about the log, Broni; thanks very much for your help (again)!!
     
  17. Broni

    Broni Malware Annihilator Posts: 47,641   +267

  18. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    The Norton tool took forever to actually begin after extraction, but it ran successfully.

    I found the first log for OTL after this second run. However, it doesn't look complete:


    Files\Folders moved on Reboot...
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YFQBKOD5\dpsync[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YFQBKOD5\dpsync[2].htm moved successfully.
    File\Folder C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XG6I1EKW\PugTracker[1].htm not found!
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V04K0PN8\follow_button[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PPDULUE1\dpsync[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NSHLJ6E5\topic179588[1].htm moved successfully.

    Registry entries deleted on Reboot...

    ----------------------------------------------------------------

    Here's the second log.



    All processes killed
    ========== OTL ==========
    Error: No service named vpnva was found to stop!
    Service\Driver key vpnva not found.
    File %systemroot%\system32\PSSdk23.dll not found.
    Error: No service named symantecantibotdriver was found to stop!
    Service\Driver key symantecantibotdriver not found.
    File %systemroot%\system32\p1110vid.dll not found.
    Error: No service named ovepstatusengine was found to stop!
    Service\Driver key ovepstatusengine not found.
    File %systemroot%\system32\cicssfs.scmmc223.dll not found.
    Error: No service named NtMtlFax was found to stop!
    Service\Driver key NtMtlFax not found.
    File %systemroot%\system32\statusagent.dll not found.
    Error: No service named Norton Internet Security was found to stop!
    Service\Driver key Norton Internet Security not found.
    File C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Program Files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll /prefetch:1 not found.
    Error: No service named nmap was found to stop!
    Service\Driver key nmap not found.
    File %systemroot%\system32\SE2Dobex.dll not found.
    Error: No service named giveio was found to stop!
    Service\Driver key giveio not found.
    File %systemroot%\system32\fsaa.dll not found.
    Error: No service named fuj02b1 was found to stop!
    Service\Driver key fuj02b1 not found.
    File %systemroot%\system32\efs.dll not found.
    Error: No service named ftsata2 was found to stop!
    Service\Driver key ftsata2 not found.
    File %systemroot%\system32\w800obex.dll not found.
    Error: No service named compaq_rba was found to stop!
    Service\Driver key compaq_rba not found.
    File %systemroot%\system32\fltmgr.dll not found.
    Error: No service named cmdagent was found to stop!
    Service\Driver key cmdagent not found.
    File %systemroot%\system32\acprfmgrsvc.dll not found.
    Error: No service named SRTSPX was found to stop!
    Service\Driver key SRTSPX not found.
    File C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS not found.
    Error: No service named SRTSP was found to stop!
    Service\Driver key SRTSP not found.
    File C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS not found.
    Error: No service named PCASp50 was found to stop!
    Service\Driver key PCASp50 not found.
    File System32\drivers\PCASp50.sys not found.
    Error: No service named NwlnkFwd was found to stop!
    Service\Driver key NwlnkFwd not found.
    File system32\DRIVERS\nwlnkfwd.sys not found.
    Error: No service named NwlnkFlt was found to stop!
    Service\Driver key NwlnkFlt not found.
    File system32\DRIVERS\nwlnkflt.sys not found.
    Error: No service named NAVEX15 was found to stop!
    Service\Driver key NAVEX15 not found.
    File C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVEX15.SYS not found.
    Error: No service named NAVENG was found to stop!
    Service\Driver key NAVENG not found.
    File C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081022.006\NAVENG.SYS not found.
    Error: No service named IpInIp was found to stop!
    Service\Driver key IpInIp not found.
    File system32\DRIVERS\ipinip.sys not found.
    Registry key HKEY_USERS\S-1-5-21-1652149106-3131603526-267303755-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Folder C:\Users\WS301\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD\ not found.
    File C:\Users\WS301\Desktop\SMART_HDD.lnk not found.
    Folder C:\Users\debbie\AppData\Roaming\829F552B\ not found.
    Unable to delete ADS C:\ProgramData\Temp:0B4227B4 .
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: debbie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: WS301
    ->Temp folder emptied: 646480 bytes
    ->Temporary Internet Files folder emptied: 8424530 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5181 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 9.00 mb


    [EMPTYJAVA]

    User: All Users

    User: debbie
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Public

    User: WS301
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: debbie
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: WS301
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.39.2 log created on 04092012_091542

    Files\Folders moved on Reboot...
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RI91YXV0\follow_button[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RI91YXV0\PugTracker[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RI91YXV0\topic179588[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QL4U0N2I\dpsync[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QL4U0N2I\up[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AH6UFBI0\Artemis[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AH6UFBI0\dpsync[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AH6UFBI0\dpsync[2].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

    Registry entries deleted on Reboot...
     
  19. Broni

    Broni Malware Annihilator Posts: 47,641   +267

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during the cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  20. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: debbie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: WS301
    ->Temp folder emptied: 25372094 bytes
    ->Temporary Internet Files folder emptied: 4941018 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 21657 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 29.00 mb


    [EMPTYFLASH]

    User: All Users

    User: debbie
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: WS301
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: debbie
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Public

    User: WS301
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.39.2 log created on 04092012_131724

    Files\Folders moved on Reboot...
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TY1O89QY\918[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TY1O89QY\topic179588[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TY1O89QY\up[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P85GF61B\dpsync[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OLICCH1Q\dpsync[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OLICCH1Q\dpsync[2].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OLICCH1Q\partner[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6A6BVNHF\follow_button[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6A6BVNHF\PugTracker[1].htm moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
    C:\Users\WS301\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

    Registry entries deleted on Reboot...


    ------------------------------------------------------

    Broni, there is still a taskbar quick launch icon for the Smart HDD, but all the folders and other icons are gone. Is it safe to just delete that manually? The computer seems clean aside from that. I haven't noticed any other issues. :)

    Also, since this is a networked computer, how should I go about making sure the other computers were not affected by this?
     
  21. Broni

    Broni Malware Annihilator Posts: 47,641   +267

    If you didn't exchange any files between those computers and the other computers don't show any ill effects you should be fine.

    Good luck and stay safe :)
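The question about the other machines on the network can be answered more directly than by waiting for symptoms. The OTL fix log earlier in this thread names the artifacts this infection left on WS301: a `SMART HDD` folder under each user's Start Menu, a `SMART_HDD.lnk` on the desktop, a randomly named eight-hex-digit folder directly under `AppData\Roaming` (`829F552B` on this machine), and an alternate data stream on `C:\ProgramData\Temp` (`0B4227B4`, which OTL reported it could not delete). The script below is an added example, not part of the thread, that runs those same checks on a list of hosts over PowerShell remoting. It assumes WinRM is enabled on the targets (`Enable-PSRemoting`), that the hostnames are placeholders, and that the folder and stream names are random per host, so it matches any eight-hex-digit name rather than the two values seen here.

```powershell
# Added example (not from the thread): sweep other machines on the LAN for the
# artifacts the OTL fix removed from WS301. Runs the check on each host over
# PowerShell remoting; WinRM must be enabled there (Enable-PSRemoting).
# Assumptions: placeholder hostnames; the 8-hex-digit folder/stream names
# (829F552B and 0B4227B4 on WS301) are treated as random per host.

$targets = @('WS302', 'WS303', 'WS304')   # placeholder names

$check = {
    $hits = @()

    # 1. Per-user artifacts of the "SMART HDD" scareware.
    foreach ($profile in (Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue)) {
        if (-not $profile.PSIsContainer) { continue }
        $roaming = Join-Path $profile.FullName 'AppData\Roaming'
        $p = Join-Path $roaming 'Microsoft\Windows\Start Menu\Programs\SMART HDD'
        if (Test-Path $p) { $hits += $p }
        $p = Join-Path $profile.FullName 'Desktop\SMART_HDD.lnk'
        if (Test-Path $p) { $hits += $p }
        # Random 8-hex-digit folder directly under Roaming (829F552B on WS301).
        foreach ($d in (Get-ChildItem $roaming -ErrorAction SilentlyContinue)) {
            if ($d.PSIsContainer -and $d.Name -match '^[0-9A-F]{8}$') { $hits += $d.FullName }
        }
    }

    # 2. Alternate data stream attached to C:\ProgramData\Temp. "dir /r" lists
    #    streams on any Vista-or-later box, so this needs no PowerShell 3.0
    #    (-Stream) on the target. Stream lines look like "  12 Temp:0B4227B4:$DATA".
    if (Test-Path 'C:\ProgramData\Temp') {
        $listing = cmd.exe /c dir /r C:\ProgramData
        foreach ($line in $listing) {
            if ($line -match 'Temp:([^:]+):\$DATA') { $hits += "ADS C:\ProgramData\Temp:$($matches[1])" }
        }
    }

    New-Object PSObject -Property @{ ComputerName = $env:COMPUTERNAME; Hits = $hits }
}

# Run on the remote hosts, then locally, so the cleaned machine is in the report too.
$results = @(Invoke-Command -ComputerName $targets -ScriptBlock $check -ErrorAction Continue)
$results += & $check

foreach ($r in $results) {
    if ($r.Hits) { "$($r.ComputerName): " + ($r.Hits -join '; ') }
    else         { "$($r.ComputerName): no indicators found" }
}
```

A host that reports any hit should be treated as infected and worked through with the same tools as WS301, not just cleaned of the listed files, since the TDSSKiller output above shows this infection also carried an MBR rootkit (Olmarik/TDL4) and Sirefef/ZeroAccess components that leave no such simple file markers. Absence of hits only says the scareware's visible artifacts are not present; it does not prove a host clean.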
     
  22. severedgein

    severedgein TS Rookie Topic Starter Posts: 62

    Thanks for your help, Broni. I'm sure I'll be back again soon, next time an employee goes somewhere stupid.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,641   +267

    You're very welcome
     

