TechSpot

Svchost.exe using inordinate amount of CPU and memory

By UThant
Feb 14, 2012
  1. Win Vista Business SP2. Followed the 5-step program; logs follow. attach.txt is in a separate message (this message was too long). Thanks in advance for your time, help and consideration.
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.14.05

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 7.0.6002.18005
    dwozniak :: 1SR-PROG-IT [administrator]

    2/14/2012 3:06:13 PM
    mbam-log-2012-02-14 (15-06-13).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 368055
    Time elapsed: 12 minute(s), 50 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\dwozniak\AppData\Local\temp\A43B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-14 16:18:44
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort4 ST9120823AS rev.3.BHC
    Running: 4yvc7ogp.exe; Driver: C:\Users\dwozniak\AppData\Local\Temp\uftyrpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 904F29C0 ZwAlertResumeThread
    SSDT 904F2AA0 ZwAlertThread
    SSDT 904CD678 ZwAllocateVirtualMemory
    SSDT 8E59EAA0 ZwConnectPort
    SSDT 904F2548 ZwCreateMutant
    SSDT 8691E6D0 ZwCreateThread
    SSDT 8682F5A8 ZwFreeVirtualMemory
    SSDT 904F2800 ZwImpersonateAnonymousToken
    SSDT 904F28E0 ZwImpersonateThread
    SSDT 904E5390 ZwMapViewOfSection
    SSDT 904F22A0 ZwOpenEvent
    SSDT 904DAC70 ZwOpenProcessToken
    SSDT 904F2F38 ZwOpenThreadToken
    SSDT 904DB088 ZwResumeThread
    SSDT 904F2E78 ZwSetContextThread
    SSDT 904F2008 ZwSetInformationProcess
    SSDT 904F2DA8 ZwSetInformationThread
    SSDT 904F21C0 ZwSuspendProcess
    SSDT 904F2BE8 ZwSuspendThread
    SSDT 904DB180 ZwTerminateProcess
    SSDT 904F2CC8 ZwTerminateThread
    SSDT 904C5050 ZwUnmapViewOfSection
    SSDT 904D9AE8 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 11D 82AE18A0 8 Bytes [C0, 29, 4F, 90, A0, 2A, 4F, ...]
    .text ntkrnlpa.exe!KeSetEvent + 131 82AE18B4 4 Bytes [78, D6, 4C, 90] {JS 0xffffffffffffffd8; DEC ESP; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 1C1 82AE1944 4 Bytes [A0, EA, 59, 8E]
    .text ntkrnlpa.exe!KeSetEvent + 1F5 82AE1978 4 Bytes [48, 25, 4F, 90]
    .text ntkrnlpa.exe!KeSetEvent + 221 82AE19A4 4 Bytes [D0, E6, 91, 86]
    .text ...
    ? System32\drivers\pvighl.sys The system cannot find the path specified. !
    ? C:\Windows\System32\Drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
    .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CE02340, 0x3D6717, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!DialogBoxParamW 75F810B0 5 Bytes JMP 6E2AC00F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!DialogBoxIndirectParamW 75F82EF5 5 Bytes JMP 6E3EBC22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!DialogBoxParamA 75F98152 5 Bytes JMP 6E3EBBE7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!DialogBoxIndirectParamA 75F9847D 5 Bytes JMP 6E3EBC5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!MessageBoxIndirectA 75FAD4D9 5 Bytes JMP 6E3EBBA3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!MessageBoxIndirectW 75FAD5D3 5 Bytes JMP 6E3EBB5F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!MessageBoxExA 75FAD639 5 Bytes JMP 6E3EBB25 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!MessageBoxExW 75FAD65D 5 Bytes JMP 6E3EBAEB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3228] ole32.dll!OleLoadFromStream 77471E80 5 Bytes JMP 6E3EBE1F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!DialogBoxParamW 75F810B0 5 Bytes JMP 6E2AC00F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!DialogBoxIndirectParamW 75F82EF5 5 Bytes JMP 6E3EBC22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!DialogBoxParamA 75F98152 5 Bytes JMP 6E3EBBE7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!DialogBoxIndirectParamA 75F9847D 5 Bytes JMP 6E3EBC5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!MessageBoxIndirectA 75FAD4D9 5 Bytes JMP 6E3EBBA3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!MessageBoxIndirectW 75FAD5D3 5 Bytes JMP 6E3EBB5F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!MessageBoxExA 75FAD639 5 Bytes JMP 6E3EBB25 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!MessageBoxExW 75FAD65D 5 Bytes JMP 6E3EBAEB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5432] ole32.dll!OleLoadFromStream 77471E80 5 Bytes JMP 6E3EBE1F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[6952] kernel32.dll!WriteFile 7638ABE1 5 Bytes JMP 003B000C
    .text C:\Windows\System32\svchost.exe[6952] USER32.dll!WindowFromPoint 75F5884F 5 Bytes JMP 01B8000A
    .text C:\Windows\System32\svchost.exe[6952] USER32.dll!GetForegroundWindow 75F632C4 5 Bytes JMP 01B9000A
    .text C:\Windows\System32\svchost.exe[6952] USER32.dll!GetCursorPos 75F70B88 5 Bytes JMP 01AF000A
    .text C:\Windows\System32\svchost.exe[6952] ole32.dll!CoCreateInstance 774A9F3E 5 Bytes JMP 004B000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [748F7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7494A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [748FBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [748EF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [748F75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [748EE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74928395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [748FDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [748EFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [748EFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [748E71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7497CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7491C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [748ED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [748E6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [748E687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [748F2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6bb1053f (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6bb1053f (not active ControlSet)
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4768
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bb1053f
    Reg HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}
    Reg HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}@FVI2BORQSBKVMWHTNYLKBSB6ZB1 0x01 0x00 0x01 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}
    Reg HKLM\SOFTWARE\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}
    Reg HKLM\SOFTWARE\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}
    Reg HKLM\SOFTWARE\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}@FVI2BORQSBKVMWHTNYLKBSB6ZB1 0x01 0x00 0x01 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{8065E9BF-72C0-0FC1-5AFDE65F0780FDDF}\{9AEA461A-A66D-2047-6BE4E874E5E97513}\{AA471588-234B-ED0A-4D91A11ADDB01E65}
    Reg HKLM\SOFTWARE\Classes\CLSID\{8065E9BF-72C0-0FC1-5AFDE65F0780FDDF}\{9AEA461A-A66D-2047-6BE4E874E5E97513}\{AA471588-234B-ED0A-4D91A11ADDB01E65}@FVI2BORQSBKVMWHTNYLKBSB6ZB1 0x01 0x00 0x01 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DFFD277A-DF70-B410-AC1E2F7ACB2EF6E1}\{F03E0E06-1B3D-CEE3-10573FC9D15505B4}\{82A99E38-2615-AE8D-106A193CCF03E65A}
    Reg HKLM\SOFTWARE\Classes\CLSID\{DFFD277A-DF70-B410-AC1E2F7ACB2EF6E1}\{F03E0E06-1B3D-CEE3-10573FC9D15505B4}\{82A99E38-2615-AE8D-106A193CCF03E65A}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\$NtUninstallKB62280$\485945278 0 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\@ 2048 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\bckfg.tmp 862 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\cfg.ini 77 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\Desktop.ini 4608 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\keywords 0 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\kwrd.dll 223744 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\L 0 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\L\vhtmwbun 273408 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\U 0 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\U\00000001.@ 2048 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\U\00000002.@ 224768 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\U\00000004.@ 1024 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\U\80000000.@ 11264 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\U\80000004.@ 12800 bytes
    File C:\Windows\$NtUninstallKB62280$\485945278\U\80000032.@ 77312 bytes
    File C:\Windows\$NtUninstallKB62280$\87212029 0 bytes

    ---- EOF - GMER 1.0.15 ----
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6002.18005
    Run by dwozniak at 16:21:01 on 2012-02-14
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2031.711 [GMT -5:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\AEADISRV.EXE
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Windows\CWBRXD.EXE
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\System32\svchost.exe -k netsvcs
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mStart Page = hxxp://www.hp.com
    mDefault_Page_URL = hxxp://www.hp.com
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    uPolicies-system: HideLogonScripts = 0 (0x0)
    uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    dPolicies-system: HideLogonScripts = 0 (0x0)
    dPolicies-system: HideLegacyLogonScripts = 1 (0x1)
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qliktech.webex.com/client/WBXclient-T27L10NSP30-13034/webex/ieatgpc1.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 10.10.10.7
    TCP: Interfaces\{86CF2016-AF6D-490E-95EB-27B628A2391E} : DhcpNameServer = 10.10.10.7
    TCP: Interfaces\{D01079DF-00B7-44C1-9D05-C9DB55A46D35} : DhcpNameServer = 10.10.10.7
    Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\qlikview\qvprotocol\qvp.dll
    Notify: DeviceNP - DeviceNP.dll
    LSA: Notification Packages = SbHpNp scecli
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\dwozniak\appdata\roaming\mozilla\firefox\profiles\gqz8wxik.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\users\dwozniak\appdata\roaming\mozilla\plugins\npatgpc.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
    R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-29 13696]
    R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-4-26 5808]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-23 21504]
    R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-4-27 221184]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-8-8 540448]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-13 106104]
    R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2006-12-19 47616]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2007-1-5 18944]
    S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2007-4-23 30008]
    S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-4-30 172131]
    S3 LcAgent;LC Remote Agent;c:\windows\temp\lcagent.exe [2010-6-1 308736]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    S3 PeerDistSvc;BranchCache;c:\windows\system32\svchost.exe -k PeerDist [2008-5-23 21504]
    S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2011-5-24 58240]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-02-03 15:50:14 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-01-18 16:46:55 -------- d-----w- c:\program files\HTML Help Workshop
    2012-01-18 14:49:08 -------- d-----w- c:\program files\IBE Software
    .
    ==================== Find3M ====================
    .
    2012-02-10 13:41:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-09 21:42:19 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 15:59:48 376320 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-22 18:39:08 220336 ----a-w- c:\windows\lp.exe
    2011-11-18 20:23:34 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-18 17:47:03 66560 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 06:48:37 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    .
    ============= FINISH: 16:21:59.30 ===============
    .
     
  2. UThant

    UThant TS Rookie Topic Starter Posts: 55

    attach.txt follow-up; original message was too large.

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/11/2008 7:27:23 PM
    System Uptime: 2/14/2012 3:21:44 PM (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 30C5
    Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz | U10 | 2001/200mhz
    .
    ==== Disk Partitions =========================
    .
    .
    ==== Installed Programs ======================
    .
    .
    Update for Microsoft Office 2007 (KB2508958)
    2007 Microsoft Office system
    AccessToCSV
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    Ad-Aware
    Adobe Acrobat 8 Standard
    Adobe Acrobat 8.3.1 - CPSID_83708
    Adobe Acrobat 8.3.1 Standard
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9
    Application Installer 4.00.B14
    ASDM on 10.10.10.11
    AVS DVDMenu Editor 1.2.1.20
    AVS Video ReMaker 2.4
    AVS4YOU Software Navigator 1.2
    BIOS Configuration for HP ProtectTools
    CCleaner (remove only)
    Centra Client
    Cisco ASDM Launcher
    Cisco Systems VPN Client 5.0.02.0090
    Crystal Reports XI Release 2 .NET 2005 Server
    DBU
    Device Access Manager for HP ProtectTools
    Drive Encryption for HP ProtectTools
    ESU for Microsoft Vista
    filehippo.com Update Checker
    Google Web Accelerator
    GoToMeeting 5.0.0.799
    HelpNDoc 3.3.0.123 Personal Edition
    Hewlett-Packard Active Check for Health Check
    Hewlett-Packard Asset Agent for Health Check
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Active Support Library 32 bit components
    HP Backup & Recovery Manager Installer
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP Easy Setup - Core
    HP Easy Setup - Frontend
    HP Help and Support
    HP Notebook Accessories Product Tour
    HP ProtectTools Security Manager
    HP Quick Launch Buttons 6.40 B2
    HP Update
    HP User Guides 0061
    HP Wireless Assistant
    HTML Help Workshop
    IBM iSeries Access for Windows
    IBM iSeries Access for Windows SI29771
    Intel(R) Network Connections Drivers
    InterVideo DVD Check
    InterVideo Register Manager
    InterVideo WinDVD
    Ipswitch WS_FTP 12
    Java Auto Updater
    Java(TM) 6 Update 23
    Java(TM) SE Runtime Environment 6
    L0phtCrack 6
    LABELVIEW 8.10.05
    LightScribe 1.6.43.1
    LiveReg (Symantec Corporation)
    LiveUpdate 3.3 (Symantec Corporation)
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Easy Assist v2
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Standard 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server Management Studio Express
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Windows Media Video 9 VCM
    Mozilla Firefox 4.0.1 (x86 en-US)
    mp
    mpmri
    MSCU for Microsoft Vista
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetMeeting 3.01
    Network Viewer v2.2 (002)
    Numara Remote Control Guest
    Numara Track-It! 8 Technician Client
    NVIDIA Drivers
    OnBase Runtime CD Client CD #254742
    PANTECH PC Card Software
    PDF Complete
    ProData RDR
    QlikView x86
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Shortcut Explorer 3.0
    Soft Data Fax Modem with SmartCP
    Sonic Activation Module
    SoundMAX
    Stay-Linked Administrator
    Stay-Linked Server for iSeries Installation Wizard
    Symantec Endpoint Protection
    Symantec pcAnywhere
    Synaptics Pointing Device Driver
    TightVNC 1.3.9
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Vista Default Settings
    VLC media player 1.1.4
    VNC Free Edition 4.1.2
    VZAccess Manager
    WebEx
    WinPcap 4.0.2
    WinSCP 4.2.9
    WinZip
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/14/2012 3:48:22 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    2/14/2012 3:48:22 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
    2/14/2012 3:24:22 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer PRT01 with shared resource name HP LaserJet 8150 PCL 5. Error 1753. The printer cannot be used by others on the network.
    2/14/2012 3:24:16 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    2/14/2012 3:24:16 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Service service to connect.
    2/14/2012 3:24:16 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    2/14/2012 3:24:16 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    2/14/2012 3:24:16 PM, Error: Service Control Manager [7000] - The HP Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/14/2012 12:31:24 PM, Error: EventLog [6008] - The previous system shutdown at 12:29:10 PM on 2/14/2012 was unexpected.
    .
    ==== End Of File ===========================
     
  3. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================================================

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  4. UThant

    UThant TS Rookie Topic Starter Posts: 55

    TDSSKiller log per request

    08:04:26.0546 9380 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
    08:04:27.0638 9380 ============================================================
    08:04:27.0638 9380 Current date / time: 2012/02/15 08:04:27.0638
    08:04:27.0638 9380 SystemInfo:
    08:04:27.0638 9380
    08:04:27.0638 9380 OS Version: 6.0.6002 ServicePack: 2.0
    08:04:27.0638 9380 Product type: Workstation
    08:04:27.0638 9380 ComputerName: 1SR-PROG-IT
    08:04:27.0638 9380 UserName: dwozniak
    08:04:27.0638 9380 Windows directory: C:\Windows
    08:04:27.0638 9380 System windows directory: C:\Windows
    08:04:27.0638 9380 Processor architecture: Intel x86
    08:04:27.0638 9380 Number of processors: 2
    08:04:27.0638 9380 Page size: 0x1000
    08:04:27.0638 9380 Boot type: Normal boot
    08:04:27.0638 9380 ============================================================
    08:04:29.0011 9380 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
    08:04:29.0011 9380 \Device\Harddisk0\DR0:
    08:04:29.0011 9380 MBR used
    08:04:29.0011 9380 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xCC85FC1
    08:04:29.0011 9380 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xCC86000, BlocksNum 0xFF1800
    08:04:29.0011 9380 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xDC79800, BlocksNum 0x31A800
    08:04:29.0182 9380 Initialize success
    08:04:29.0182 9380 ============================================================
    08:04:31.0163 3796 ============================================================
    08:04:31.0163 3796 Scan started
    08:04:31.0163 3796 Mode: Manual;
    08:04:31.0163 3796 ============================================================
    08:04:32.0739 3796 Accelerometer (17ae46c4f390fb09ddf6dacff5c0a281) C:\Windows\system32\DRIVERS\Accelerometer.sys
    08:04:32.0770 3796 Accelerometer - ok
    08:04:32.0833 3796 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    08:04:32.0942 3796 ACPI - ok
    08:04:32.0989 3796 ADIHdAudAddService (57c2ecea569ce61cfdd4f6d76c3215fe) C:\Windows\system32\drivers\ADIHdAud.sys
    08:04:32.0989 3796 ADIHdAudAddService - ok
    08:04:33.0035 3796 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
    08:04:33.0082 3796 adp94xx - ok
    08:04:33.0145 3796 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
    08:04:33.0191 3796 adpahci - ok
    08:04:33.0223 3796 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
    08:04:33.0238 3796 adpu160m - ok
    08:04:33.0301 3796 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
    08:04:33.0316 3796 adpu320 - ok
    08:04:33.0441 3796 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
    08:04:33.0457 3796 AFD - ok
    08:04:33.0519 3796 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
    08:04:33.0550 3796 agp440 - ok
    08:04:33.0613 3796 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    08:04:33.0644 3796 aic78xx - ok
    08:04:33.0706 3796 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
    08:04:33.0737 3796 aliide - ok
    08:04:33.0784 3796 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
    08:04:33.0815 3796 amdagp - ok
    08:04:33.0862 3796 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
    08:04:33.0878 3796 amdide - ok
    08:04:33.0940 3796 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
    08:04:33.0940 3796 AmdK7 - ok
    08:04:33.0987 3796 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\DRIVERS\amdk8.sys
    08:04:34.0018 3796 AmdK8 - ok
    08:04:34.0065 3796 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
    08:04:34.0081 3796 arc - ok
    08:04:34.0127 3796 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
    08:04:34.0143 3796 arcsas - ok
    08:04:34.0237 3796 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    08:04:34.0252 3796 AsyncMac - ok
    08:04:34.0283 3796 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    08:04:34.0283 3796 atapi - ok
    08:04:34.0315 3796 ATSWPDRV (293e8cc3c246a89f4cca75b024ad757f) C:\Windows\system32\DRIVERS\ATSwpDrv.sys
    08:04:34.0346 3796 ATSWPDRV - ok
    08:04:34.0424 3796 awlegacy (f7e75c620a04963c9a53c3b47da80405) C:\Windows\System32\Drivers\awlegacy.sys
    08:04:34.0424 3796 awlegacy - ok
    08:04:34.0502 3796 AW_HOST (ca5f2eb69105a4db4f5ced1a9a2ad69c) C:\Windows\system32\drivers\aw_host5.sys
    08:04:34.0533 3796 AW_HOST - ok
    08:04:34.0595 3796 BCM43XV (cf6a67c90951e3e763d2135dede44b85) C:\Windows\system32\DRIVERS\bcmwl6.sys
    08:04:34.0611 3796 BCM43XV - ok
    08:04:34.0627 3796 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
    08:04:34.0642 3796 bcm4sbxp - ok
    08:04:34.0689 3796 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    08:04:34.0689 3796 Beep - ok
    08:04:34.0705 3796 blbdrive - ok
    08:04:34.0767 3796 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    08:04:34.0767 3796 bowser - ok
    08:04:34.0814 3796 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    08:04:34.0829 3796 BrFiltLo - ok
    08:04:34.0876 3796 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    08:04:34.0876 3796 BrFiltUp - ok
    08:04:34.0923 3796 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    08:04:34.0939 3796 Brserid - ok
    08:04:34.0985 3796 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    08:04:35.0001 3796 BrSerWdm - ok
    08:04:35.0032 3796 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    08:04:35.0032 3796 BrUsbMdm - ok
    08:04:35.0063 3796 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    08:04:35.0079 3796 BrUsbSer - ok
    08:04:35.0126 3796 BthEnum (064fbc56921051de1075495d628b815f) C:\Windows\system32\DRIVERS\BthEnum.sys
    08:04:35.0141 3796 BthEnum - ok
    08:04:35.0188 3796 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    08:04:35.0204 3796 BTHMODEM - ok
    08:04:35.0266 3796 BthPan (b8c3d9ddf85fd197c3e5f849fef71144) C:\Windows\system32\DRIVERS\bthpan.sys
    08:04:35.0266 3796 BthPan - ok
    08:04:35.0329 3796 BTHPORT (b24757d9154cca035e1bbd3db92966d7) C:\Windows\system32\Drivers\BTHport.sys
    08:04:35.0344 3796 BTHPORT - ok
    08:04:35.0407 3796 BTHUSB (d42cf5f0c7635b3f1578810fe34d9e41) C:\Windows\system32\Drivers\BTHUSB.sys
    08:04:35.0407 3796 BTHUSB - ok
    08:04:35.0500 3796 catchme - ok
    08:04:35.0609 3796 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    08:04:35.0625 3796 cdfs - ok
    08:04:35.0687 3796 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    08:04:35.0703 3796 cdrom - ok
    08:04:35.0765 3796 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
    08:04:35.0781 3796 circlass - ok
    08:04:35.0812 3796 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    08:04:35.0843 3796 CLFS - ok
    08:04:35.0875 3796 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
    08:04:35.0875 3796 CmBatt - ok
    08:04:35.0921 3796 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
    08:04:35.0937 3796 cmdide - ok
    08:04:35.0999 3796 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
    08:04:36.0015 3796 Compbatt - ok
    08:04:36.0077 3796 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
    08:04:36.0093 3796 crcdisk - ok
    08:04:36.0155 3796 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
    08:04:36.0155 3796 Crusoe - ok
    08:04:36.0218 3796 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
    08:04:36.0249 3796 CSC - ok
    08:04:36.0296 3796 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
    08:04:36.0327 3796 CVirtA - ok
    08:04:36.0405 3796 CVPNDRVA (8a15d7bd4cf1a8ccd7c65f7349f22e35) C:\Windows\system32\Drivers\CVPNDRVA.sys
    08:04:36.0421 3796 CVPNDRVA - ok
    08:04:36.0483 3796 DAMDrv (5d5984255a4bfaa4262fb750df7cd537) C:\Windows\system32\DRIVERS\DAMDrv.sys
    08:04:36.0514 3796 DAMDrv - ok
    08:04:36.0592 3796 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
    08:04:36.0608 3796 DfsC - ok
    08:04:36.0670 3796 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    08:04:36.0670 3796 disk - ok
    08:04:36.0733 3796 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\Windows\system32\DRIVERS\dne2000.sys
    08:04:36.0764 3796 DNE - ok
    08:04:36.0842 3796 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    08:04:36.0857 3796 drmkaud - ok
    08:04:36.0935 3796 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    08:04:37.0013 3796 DXGKrnl - ok
    08:04:37.0060 3796 e1express (2db565612e74e0c01780670270a6fd7f) C:\Windows\system32\DRIVERS\e1e6032.sys
    08:04:37.0076 3796 e1express - ok
    08:04:37.0138 3796 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
    08:04:37.0154 3796 E1G60 - ok
    08:04:37.0232 3796 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    08:04:37.0279 3796 Ecache - ok
    08:04:37.0357 3796 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    08:04:37.0466 3796 eeCtrl - ok
    08:04:37.0544 3796 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
    08:04:37.0606 3796 elxstor - ok
    08:04:37.0793 3796 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    08:04:37.0793 3796 EraserUtilRebootDrv - ok
    08:04:37.0903 3796 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    08:04:37.0918 3796 exfat - ok
    08:04:37.0965 3796 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    08:04:37.0965 3796 fastfat - ok
    08:04:38.0121 3796 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
    08:04:38.0137 3796 fdc - ok
    08:04:38.0183 3796 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    08:04:38.0215 3796 FileInfo - ok
    08:04:38.0277 3796 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    08:04:38.0277 3796 Filetrace - ok
    08:04:38.0324 3796 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
    08:04:38.0324 3796 flpydisk - ok
    08:04:38.0371 3796 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    08:04:38.0417 3796 FltMgr - ok
    08:04:38.0542 3796 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    08:04:38.0542 3796 Fs_Rec - ok
    08:04:38.0605 3796 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
    08:04:38.0620 3796 gagp30kx - ok
    08:04:38.0698 3796 Gernuwa (5b8f60f7bfec67ce2491fbad799cc058) C:\Windows\system32\drivers\Gernuwa.sys
    08:04:38.0714 3796 Gernuwa - ok
    08:04:38.0807 3796 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
    08:04:38.0823 3796 HBtnKey - ok
    08:04:38.0917 3796 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    08:04:38.0963 3796 HdAudAddService - ok
    08:04:39.0010 3796 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    08:04:39.0057 3796 HDAudBus - ok
    08:04:39.0104 3796 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    08:04:39.0104 3796 HidBth - ok
    08:04:39.0197 3796 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    08:04:39.0213 3796 HidIr - ok
    08:04:39.0260 3796 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    08:04:39.0275 3796 HidUsb - ok
    08:04:39.0322 3796 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
    08:04:39.0322 3796 HpCISSs - ok
    08:04:39.0400 3796 hpdskflt (a27494a9325c0d06c89cf47f25da8c46) C:\Windows\system32\DRIVERS\hpdskflt.sys
    08:04:39.0400 3796 hpdskflt - ok
    08:04:39.0463 3796 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
    08:04:39.0478 3796 HpqKbFiltr - ok
    08:04:39.0541 3796 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
    08:04:39.0556 3796 HSFHWAZL - ok
    08:04:39.0681 3796 HSF_DPV (7bc42c65b5c6281777c1a7605b253ba8) C:\Windows\system32\DRIVERS\HSX_DPV.sys
    08:04:39.0743 3796 HSF_DPV - ok
    08:04:39.0821 3796 HSXHWAZL (9ebf2d102ccbb6bcdfbf1b7922f8ba2e) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
    08:04:39.0837 3796 HSXHWAZL - ok
    08:04:39.0899 3796 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    08:04:39.0931 3796 HTTP - ok
    08:04:39.0977 3796 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
    08:04:40.0211 3796 i2omp - ok
    08:04:40.0523 3796 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    08:04:40.0617 3796 i8042prt - ok
    08:04:40.0711 3796 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
    08:04:40.0757 3796 iaStorV - ok
    08:04:40.0804 3796 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    08:04:41.0038 3796 iirsp - ok
    08:04:41.0553 3796 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
    08:04:41.0647 3796 intelide - ok
    08:04:41.0818 3796 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    08:04:41.0818 3796 intelppm - ok
    08:04:41.0881 3796 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    08:04:41.0896 3796 IpFilterDriver - ok
    08:04:41.0943 3796 IpInIp - ok
    08:04:42.0037 3796 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
    08:04:42.0068 3796 IPMIDRV - ok
    08:04:42.0115 3796 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    08:04:42.0130 3796 IPNAT - ok
    08:04:42.0193 3796 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    08:04:42.0193 3796 IRENUM - ok
    08:04:42.0255 3796 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
    08:04:42.0271 3796 isapnp - ok
    08:04:42.0333 3796 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    08:04:42.0349 3796 iScsiPrt - ok
    08:04:42.0395 3796 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    08:04:42.0489 3796 iteatapi - ok
    08:04:42.0754 3796 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    08:04:42.0848 3796 iteraid - ok
    08:04:43.0113 3796 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    08:04:43.0129 3796 kbdclass - ok
    08:04:43.0175 3796 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    08:04:43.0191 3796 kbdhid - ok
    08:04:43.0363 3796 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
    08:04:43.0378 3796 KSecDD - ok
    08:04:43.0503 3796 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    08:04:43.0534 3796 lltdio - ok
    08:04:43.0612 3796 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
    08:04:43.0612 3796 LSI_FC - ok
    08:04:43.0675 3796 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
    08:04:43.0690 3796 LSI_SAS - ok
    08:04:43.0753 3796 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
    08:04:43.0784 3796 LSI_SCSI - ok
    08:04:43.0815 3796 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    08:04:43.0831 3796 luafv - ok
    08:04:43.0877 3796 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
    08:04:43.0893 3796 mdmxsdk - ok
    08:04:43.0940 3796 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
    08:04:43.0971 3796 megasas - ok
    08:04:44.0033 3796 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    08:04:44.0049 3796 Modem - ok
    08:04:44.0111 3796 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    08:04:44.0127 3796 monitor - ok
    08:04:44.0174 3796 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\Windows\system32\DRIVERS\motccgp.sys
    08:04:44.0189 3796 motccgp - ok
    08:04:44.0236 3796 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\Windows\system32\DRIVERS\motccgpfl.sys
    08:04:44.0252 3796 motccgpfl - ok
    08:04:44.0314 3796 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motmodem.sys
    08:04:44.0314 3796 motmodem - ok
    08:04:44.0392 3796 motport (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motport.sys
    08:04:44.0423 3796 motport - ok
    08:04:44.0470 3796 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    08:04:44.0486 3796 mouclass - ok
    08:04:44.0517 3796 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    08:04:44.0533 3796 mouhid - ok
    08:04:44.0564 3796 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    08:04:44.0595 3796 MountMgr - ok
    08:04:44.0673 3796 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
    08:04:44.0689 3796 mpio - ok
    08:04:44.0767 3796 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    08:04:44.0782 3796 mpsdrv - ok
    08:04:44.0860 3796 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    08:04:44.0892 3796 Mraid35x - ok
    08:04:44.0970 3796 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    08:04:45.0001 3796 MRxDAV - ok
    08:04:45.0110 3796 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
    08:04:45.0141 3796 mrxsmb - ok
    08:04:45.0266 3796 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    08:04:45.0297 3796 mrxsmb10 - ok
    08:04:45.0375 3796 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    08:04:45.0375 3796 mrxsmb20 - ok
    08:04:45.0422 3796 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
    08:04:45.0453 3796 msahci - ok
    08:04:45.0531 3796 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
    08:04:45.0547 3796 msdsm - ok
    08:04:45.0594 3796 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    08:04:45.0609 3796 Msfs - ok
    08:04:45.0640 3796 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    08:04:45.0672 3796 msisadrv - ok
    08:04:45.0718 3796 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    08:04:45.0734 3796 MSKSSRV - ok
    08:04:45.0765 3796 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    08:04:45.0781 3796 MSPCLOCK - ok
    08:04:45.0828 3796 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    08:04:45.0828 3796 MSPQM - ok
    08:04:45.0859 3796 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    08:04:45.0921 3796 MsRPC - ok
    08:04:46.0046 3796 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    08:04:46.0108 3796 mssmbios - ok
    08:04:46.0202 3796 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    08:04:46.0202 3796 MSTEE - ok
    08:04:46.0264 3796 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    08:04:46.0296 3796 Mup - ok
    08:04:46.0405 3796 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    08:04:46.0436 3796 NativeWifiP - ok
    08:04:46.0623 3796 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20120214.036\NAVENG.SYS
    08:04:46.0623 3796 NAVENG - ok
    08:04:46.0686 3796 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20120214.036\NAVEX15.SYS
    08:04:46.0748 3796 NAVEX15 - ok
    08:04:46.0904 3796 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    08:04:46.0998 3796 NDIS - ok
    08:04:47.0107 3796 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    08:04:47.0122 3796 NdisTapi - ok
    08:04:47.0200 3796 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    08:04:47.0216 3796 Ndisuio - ok
    08:04:47.0278 3796 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    08:04:47.0419 3796 NdisWan - ok
    08:04:47.0497 3796 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    08:04:47.0512 3796 NDProxy - ok
    08:04:47.0559 3796 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    08:04:47.0575 3796 NetBIOS - ok
    08:04:47.0622 3796 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    08:04:47.0731 3796 netbt - ok
    08:04:48.0199 3796 NETw4v32 (38d720e0c8b0ecb9a019980265679798) C:\Windows\system32\DRIVERS\NETw4v32.sys
    08:04:48.0292 3796 NETw4v32 - ok
    08:04:48.0448 3796 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    08:04:48.0511 3796 nfrd960 - ok
    08:04:48.0604 3796 NPF (6623e51595c0076755c29c00846c4eb2) C:\Windows\system32\drivers\npf.sys
    08:04:48.0636 3796 NPF - ok
    08:04:48.0682 3796 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    08:04:48.0698 3796 Npfs - ok
    08:04:48.0729 3796 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    08:04:48.0745 3796 nsiproxy - ok
    08:04:48.0807 3796 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    08:04:48.0979 3796 Ntfs - ok
    08:04:49.0213 3796 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    08:04:49.0213 3796 ntrigdigi - ok
    08:04:49.0275 3796 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    08:04:49.0291 3796 Null - ok
    08:04:49.0540 3796 nvlddmkm (977f4622c4f2152331a4f1aee78269dd) C:\Windows\system32\DRIVERS\nvlddmkm.sys
    08:04:50.0274 3796 nvlddmkm - ok
    08:04:50.0383 3796 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
    08:04:50.0398 3796 nvraid - ok
    08:04:50.0476 3796 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
    08:04:50.0492 3796 nvstor - ok
    08:04:50.0554 3796 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
    08:04:50.0570 3796 nv_agp - ok
    08:04:50.0617 3796 NwlnkFlt - ok
    08:04:50.0632 3796 NwlnkFwd - ok
    08:04:50.0664 3796 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
    08:04:50.0679 3796 ohci1394 - ok
    08:04:50.0788 3796 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
    08:04:50.0788 3796 Parport - ok
    08:04:50.0866 3796 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    08:04:50.0929 3796 partmgr - ok
    08:04:51.0366 3796 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
    08:04:51.0397 3796 Parvdm - ok
    08:04:51.0787 3796 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    08:04:51.0834 3796 pci - ok
    08:04:51.0912 3796 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\DRIVERS\pciide.sys
    08:04:51.0958 3796 pciide - ok
    08:04:52.0005 3796 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
    08:04:52.0052 3796 pcmcia - ok
    08:04:52.0130 3796 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    08:04:52.0192 3796 PEAUTH - ok
    08:04:52.0286 3796 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    08:04:52.0286 3796 PptpMiniport - ok
    08:04:52.0333 3796 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
    08:04:52.0348 3796 Processor - ok
    08:04:52.0395 3796 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    08:04:52.0395 3796 PSched - ok
    08:04:52.0473 3796 PTDCBus (445d21f11eb4f378b206ebca5f597ffa) C:\Windows\system32\DRIVERS\PTDCBus.sys
    08:04:52.0489 3796 PTDCBus - ok
    08:04:52.0770 3796 PTDCMdm (fea4addf9e23b853e5cacc9f013bb986) C:\Windows\system32\DRIVERS\PTDCMdm.sys
    08:04:52.0801 3796 PTDCMdm - ok
    08:04:53.0004 3796 PTDCVsp (56e46ffef17844e626b441176be1aabf) C:\Windows\system32\DRIVERS\PTDCVsp.sys
    08:04:53.0019 3796 PTDCVsp - ok
    08:04:53.0097 3796 PTDCWWAN (a4bbb6c04d80ed32b8f3d3c10430a032) C:\Windows\system32\DRIVERS\PTDCWWAN.sys
    08:04:53.0097 3796 PTDCWWAN - ok
    08:04:53.0222 3796 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys
    08:04:53.0253 3796 PxHelp20 - ok
    08:04:53.0425 3796 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
    08:04:53.0487 3796 ql2300 - ok
    08:04:53.0877 3796 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    08:04:53.0924 3796 ql40xx - ok
    08:04:54.0049 3796 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    08:04:54.0064 3796 QWAVEdrv - ok
    08:04:54.0158 3796 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
    08:04:54.0392 3796 R300 - ok
    08:04:54.0501 3796 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    08:04:54.0501 3796 RasAcd - ok
    08:04:54.0798 3796 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    08:04:54.0829 3796 Rasl2tp - ok
    08:04:55.0141 3796 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    08:04:55.0156 3796 RasPppoe - ok
    08:04:55.0250 3796 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    08:04:55.0266 3796 RasSstp - ok
    08:04:55.0312 3796 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    08:04:55.0468 3796 rdbss - ok
    08:04:55.0562 3796 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    08:04:55.0578 3796 RDPCDD - ok
    08:04:55.0624 3796 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
    08:04:55.0656 3796 rdpdr - ok
    08:04:55.0687 3796 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    08:04:55.0983 3796 RDPENCDD - ok
    08:04:56.0139 3796 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    08:04:56.0170 3796 RDPWD - ok
    08:04:56.0248 3796 RFCOMM (7ec90c316177ba3f1bce92005264b447) C:\Windows\system32\DRIVERS\rfcomm.sys
    08:04:56.0264 3796 RFCOMM - ok
    08:04:56.0326 3796 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\Windows\system32\DRIVERS\rimmptsk.sys
    08:04:56.0342 3796 rimmptsk - ok
    08:04:56.0404 3796 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
    08:04:56.0420 3796 RimUsb - ok
    08:04:56.0482 3796 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
    08:04:56.0482 3796 RimVSerPort - ok
    08:04:56.0545 3796 rismc32 (7c21554942bef51cbd84fd7d4e62cb9a) C:\Windows\system32\DRIVERS\rismc32.sys
    08:04:56.0560 3796 rismc32 - ok
    08:04:56.0638 3796 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
    08:04:56.0654 3796 ROOTMODEM - ok
    08:04:56.0794 3796 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    08:04:56.0794 3796 rspndr - ok
    08:04:56.0919 3796 RsvLock (40ace983d0b03e997191ff6f7ff407d7) C:\Windows\system32\drivers\RsvLock.sys
    08:04:56.0950 3796 RsvLock - ok
    08:04:56.0982 3796 SafeBoot (58a8f41e174b28843692812d55547dc3) C:\Windows\system32\drivers\SafeBoot.sys
    08:04:56.0982 3796 Suspicious file (NoAccess): C:\Windows\system32\drivers\SafeBoot.sys. md5: 58a8f41e174b28843692812d55547dc3
    08:04:56.0982 3796 SafeBoot ( LockedFile.Multi.Generic ) - warning
    08:04:56.0982 3796 SafeBoot - detected LockedFile.Multi.Generic (1)
    08:04:57.0122 3796 SbAlg (f6367fb350f8e5d3f6dd8040e4c0e33b) C:\Windows\system32\drivers\SbAlg.sys
    08:04:57.0184 3796 SbAlg - ok
    08:04:57.0278 3796 SbFsLock (df4a90b29b878e8cd95a1ac8f94ca954) C:\Windows\system32\drivers\SbFsLock.sys
    08:04:57.0309 3796 SbFsLock - ok
    08:04:57.0403 3796 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    08:04:57.0496 3796 sbp2port - ok
    08:04:57.0949 3796 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
    08:04:57.0980 3796 sdbus - ok
    08:04:58.0386 3796 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    08:04:58.0401 3796 secdrv - ok
    08:04:58.0635 3796 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
    08:04:58.0651 3796 Serenum - ok
    08:04:58.0682 3796 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
    08:04:58.0713 3796 Serial - ok
    08:04:58.0744 3796 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
    08:04:58.0760 3796 sermouse - ok
    08:04:58.0838 3796 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
    08:04:58.0854 3796 sffdisk - ok
    08:04:59.0322 3796 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
    08:04:59.0353 3796 sffp_mmc - ok
    08:04:59.0462 3796 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
    08:04:59.0478 3796 sffp_sd - ok
    08:04:59.0868 3796 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    08:04:59.0883 3796 sfloppy - ok
    08:05:00.0102 3796 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
    08:05:00.0180 3796 sisagp - ok
    08:05:00.0367 3796 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
    08:05:00.0367 3796 SiSRaid2 - ok
    08:05:00.0460 3796 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
    08:05:00.0492 3796 SiSRaid4 - ok
    08:05:00.0554 3796 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    08:05:00.0585 3796 Smb - ok
    08:05:00.0710 3796 SPBBCDrv (77780509a16a1df7f2d8531d21ddb9b9) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    08:05:00.0741 3796 SPBBCDrv - ok
    08:05:00.0788 3796 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    08:05:00.0804 3796 spldr - ok
    08:05:00.0835 3796 SRTSP (5e4985a84f13abf5727bed3c50bd7031) C:\Windows\system32\Drivers\SRTSP.SYS
    08:05:00.0897 3796 SRTSP - ok
    08:05:00.0960 3796 SRTSPL (8117dca2cdf9d11c441c473dc9631655) C:\Windows\system32\Drivers\SRTSPL.SYS
    08:05:01.0006 3796 SRTSPL - ok
    08:05:01.0053 3796 SRTSPX (5e89104af0dc94b659ea8ec3e66c3eeb) C:\Windows\system32\Drivers\SRTSPX.SYS
    08:05:01.0069 3796 SRTSPX - ok
    08:05:01.0162 3796 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    08:05:01.0178 3796 srv - ok
    08:05:01.0209 3796 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
    08:05:01.0225 3796 srv2 - ok
    08:05:01.0256 3796 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
    08:05:01.0272 3796 srvnet - ok
    08:05:01.0350 3796 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    08:05:01.0365 3796 swenum - ok
    08:05:01.0412 3796 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    08:05:01.0412 3796 Symc8xx - ok
    08:05:01.0459 3796 SymEvent (e03ee3ef1037099554d17bed99545a5e) C:\Windows\system32\Drivers\SYMEVENT.SYS
    08:05:01.0474 3796 SymEvent - ok
    08:05:01.0537 3796 SYMREDRV (be3c117150c055e50a4caf23e548c856) C:\Windows\System32\Drivers\SYMREDRV.SYS
    08:05:01.0552 3796 SYMREDRV - ok
    08:05:01.0615 3796 SYMTDI (7b0af4e22b32f8c5bfba5a5d53522160) C:\Windows\System32\Drivers\SYMTDI.SYS
    08:05:01.0646 3796 SYMTDI - ok
    08:05:01.0708 3796 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    08:05:01.0771 3796 Sym_hi - ok
    08:05:01.0849 3796 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    08:05:01.0864 3796 Sym_u3 - ok
    08:05:01.0927 3796 SynTP (bf7aa84d5af0faa0978c840e63b17dbf) C:\Windows\system32\DRIVERS\SynTP.sys
    08:05:01.0942 3796 SynTP - ok
    08:05:02.0083 3796 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
    08:05:02.0176 3796 Tcpip - ok
    08:05:02.0223 3796 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
    08:05:02.0239 3796 Tcpip6 - ok
    08:05:02.0286 3796 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    08:05:02.0286 3796 tcpipreg - ok
    08:05:02.0332 3796 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    08:05:02.0332 3796 TDPIPE - ok
    08:05:02.0379 3796 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    08:05:02.0379 3796 TDTCP - ok
    08:05:02.0442 3796 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    08:05:02.0457 3796 tdx - ok
    08:05:02.0488 3796 TermDD (85908da29af0ab835048107ad2ad07d1) C:\Windows\system32\DRIVERS\termdd.sys
    08:05:02.0504 3796 TermDD - ok
    08:05:02.0972 3796 TPM (cb258c2f726f1be73c507022be33ebb3) C:\Windows\system32\drivers\tpm.sys
    08:05:03.0003 3796 TPM - ok
    08:05:03.0206 3796 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    08:05:03.0222 3796 tssecsrv - ok
    08:05:03.0253 3796 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    08:05:03.0268 3796 tunmp - ok
    08:05:03.0300 3796 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    08:05:03.0315 3796 tunnel - ok
    08:05:03.0362 3796 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
    08:05:03.0393 3796 uagp35 - ok
    08:05:03.0440 3796 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    08:05:03.0456 3796 udfs - ok
    08:05:03.0580 3796 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
    08:05:03.0627 3796 uliagpkx - ok
    08:05:03.0752 3796 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
    08:05:03.0768 3796 uliahci - ok
    08:05:03.0814 3796 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    08:05:03.0846 3796 UlSata - ok
    08:05:03.0908 3796 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    08:05:03.0939 3796 ulsata2 - ok
    08:05:03.0986 3796 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    08:05:03.0986 3796 umbus - ok
    08:05:04.0454 3796 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    08:05:04.0516 3796 usbccgp - ok
    08:05:04.0984 3796 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    08:05:05.0016 3796 usbcir - ok
    08:05:05.0094 3796 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    08:05:05.0156 3796 usbehci - ok
    08:05:05.0218 3796 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    08:05:05.0234 3796 usbhub - ok
    08:05:05.0281 3796 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
    08:05:05.0296 3796 usbohci - ok
    08:05:05.0328 3796 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    08:05:05.0343 3796 usbprint - ok
    08:05:05.0421 3796 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    08:05:05.0437 3796 USBSTOR - ok
    08:05:05.0484 3796 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    08:05:05.0484 3796 usbuhci - ok
    08:05:05.0562 3796 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
    08:05:05.0562 3796 vga - ok
    08:05:05.0608 3796 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    08:05:05.0608 3796 VgaSave - ok
    08:05:05.0640 3796 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
    08:05:05.0655 3796 viaagp - ok
    08:05:05.0686 3796 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
    08:05:05.0702 3796 ViaC7 - ok
    08:05:05.0733 3796 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
    08:05:05.0764 3796 viaide - ok
    08:05:05.0811 3796 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    08:05:05.0811 3796 volmgr - ok
    08:05:05.0952 3796 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    08:05:06.0264 3796 volmgrx - ok
    08:05:06.0342 3796 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    08:05:06.0357 3796 volsnap - ok
    08:05:06.0373 3796 vsdatant - ok
    08:05:06.0404 3796 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
    08:05:06.0420 3796 vsmraid - ok
    08:05:06.0482 3796 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    08:05:06.0498 3796 WacomPen - ok
    08:05:06.0544 3796 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    08:05:06.0560 3796 Wanarp - ok
    08:05:06.0560 3796 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    08:05:06.0560 3796 Wanarpv6 - ok
    08:05:06.0622 3796 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
    08:05:06.0654 3796 Wd - ok
    08:05:06.0700 3796 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
    08:05:06.0747 3796 Wdf01000 - ok
    08:05:06.0825 3796 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\Windows\system32\DRIVERS\wimfltr.sys
    08:05:06.0841 3796 WimFltr - ok
    08:05:06.0888 3796 winachsf (5a77ac34a0ffb70ce8b35b524fede9ba) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
    08:05:06.0950 3796 winachsf - ok
    08:05:07.0028 3796 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
    08:05:07.0028 3796 WmiAcpi - ok
    08:05:07.0324 3796 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    08:05:07.0324 3796 ws2ifsl - ok
    08:05:07.0402 3796 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    08:05:07.0402 3796 WUDFRd - ok
    08:05:07.0465 3796 XAudio (88af537264f2b818da15479ceeaf5d7c) C:\Windows\system32\DRIVERS\xaudio.sys
    08:05:07.0465 3796 XAudio - ok
    08:05:07.0496 3796 MBR (0x1B8) (6403378443eaa23bb8721c6f3bf78513) \Device\Harddisk0\DR0
    08:05:07.0527 3796 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    08:05:07.0527 3796 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    08:05:07.0527 3796 Boot (0x1200) (6c8cddfc90a1db25a83aea56927e7fb0) \Device\Harddisk0\DR0\Partition0
    08:05:07.0527 3796 \Device\Harddisk0\DR0\Partition0 - ok
    08:05:07.0543 3796 Boot (0x1200) (1c96d780de0154eb141ad99290a5eb94) \Device\Harddisk0\DR0\Partition1
    08:05:07.0543 3796 \Device\Harddisk0\DR0\Partition1 - ok
    08:05:07.0558 3796 Boot (0x1200) (6f593f221ea0a96f924e8a65bc97f325) \Device\Harddisk0\DR0\Partition2
    08:05:07.0558 3796 \Device\Harddisk0\DR0\Partition2 - ok
    08:05:07.0558 3796 ============================================================
    08:05:07.0558 3796 Scan finished
    08:05:07.0558 3796 ============================================================
    08:05:07.0574 4068 Detected object count: 2
    08:05:07.0574 4068 Actual detected object count: 2
    08:05:45.0282 4068 SafeBoot ( LockedFile.Multi.Generic ) - skipped by user
    08:05:45.0282 4068 SafeBoot ( LockedFile.Multi.Generic ) - User select action: Skip
    08:05:46.0405 4068 \Device\Harddisk0\DR0\# - copied to quarantine
    08:05:46.0405 4068 \Device\Harddisk0\DR0 - copied to quarantine
    08:05:46.0592 4068 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
    08:05:46.0624 4068 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
    08:05:50.0524 4068 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
    08:05:50.0618 4068 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
    08:05:50.0852 4068 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
    08:05:51.0070 4068 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
    08:05:51.0132 4068 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
    08:05:51.0148 4068 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
    08:05:51.0148 4068 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
    08:05:51.0164 4068 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
    08:05:51.0195 4068 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
    08:05:51.0382 4068 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
    08:05:51.0600 4068 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    08:05:51.0616 4068 \Device\Harddisk0\DR0 - ok
    08:05:53.0660 4068 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    08:05:56.0655 0640 Deinitialize success
     
  5. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Good.

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    Download BTKR_RunBox to your desktop.

    Double click on downloaded BTKR_RunBox.exe file.
    Small RunBox DOS window will open.
    Press any key to continue.
    Press "1" to select "Run a scan with Bootkit Remover" option.
    Press "Enter".
    Press "Enter" one more time to generate log.
    Click OK, IF any "Warning" message pops up.
    Notepad will open with Bootkit Remover log.
    Copy the content and post it in your next reply.
    In RunBox press "4" then Enter to exit it.

    NOTE. In case you lost the log it's also located on your desktop as "scan.txt"
     
  6. UThant

    UThant TS Rookie Topic Starter Posts: 55

    aswMBR and BTKR_Runbox logs

    aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-15 13:23:25
    -----------------------------
    13:23:25.411 OS Version: Windows 6.0.6002 Service Pack 2
    13:23:25.411 Number of processors: 2 586 0xF0A
    13:23:25.412 ComputerName: 1SR-PROG-IT UserName: dwozniak
    13:23:31.778 Initialize success
    13:30:57.538 AVAST engine defs: 12021500
    13:36:34.513 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-8
    13:36:34.516 Disk 0 Vendor: ST9120823AS 3.BHC Size: 114473MB BusType: 3
    13:36:34.576 Disk 0 MBR read successfully
    13:36:34.579 Disk 0 MBR scan
    13:36:34.944 Disk 0 unknown MBR code
    13:36:34.988 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 104715 MB offset 63
    13:36:35.060 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8163 MB offset 214458368
    13:36:35.086 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1589 MB offset 231184384
    13:36:35.234 Disk 0 scanning sectors +234438656
    13:36:35.527 Disk 0 scanning C:\Windows\system32\drivers
    13:37:28.212 Service scanning
    13:37:30.074 Service SafeBoot C:\Windows\System32\Drivers\SafeBoot.sys **LOCKED** 32
    13:37:30.910 Modules scanning
    13:38:14.178 Disk 0 trace - called modules:
    13:38:14.219 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ataport.SYS
    13:38:14.229 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8648b7d0]
    13:38:14.234 3 CLASSPNP.SYS[88bcb8b3] -> nt!IofCallDriver -> [0x86388378]
    13:38:14.239 5 hpdskflt.sys[88badeb7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-8[0x85ab5b98]
    13:38:18.412 AVAST engine scan C:\Windows
    13:38:34.984 AVAST engine scan C:\Windows\system32
    13:47:25.884 AVAST engine scan C:\Windows\system32\drivers
    13:47:46.249 AVAST engine scan C:\Users\dwozniak
    13:49:31.555 File: C:\Users\dwozniak\AppData\Local\temp\5FD9.tmp **INFECTED** Win32:MalOb-HP [Cryp]
    13:53:05.699 AVAST engine scan C:\ProgramData
    13:56:35.222 Scan finished successfully
    14:01:45.539 Disk 0 MBR has been saved successfully to "C:\Users\dwozniak\Desktop\MBR.dat"
    14:01:45.548 The log file has been saved successfully to "C:\Users\dwozniak\Desktop\aswMBR.txt"


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com
    Program version: 1.2.0.0
    OS Version: Microsoft Windows Vista Business Edition Service Pack 2 (build 6002), 32-bit
    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 701fc521a455dfd715ca6d2d6afe2b46

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>

    Done;



    Press any key to quit...
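    The three scanners in this thread all reduce the master boot record to the same few facts: TDSSKiller hashes the boot code as "MBR (0x1B8)", aswMBR reports "unknown MBR code" and a partition table (NTFS partitions at sectors 63, 214458368 and 231184384), and Bootkit Remover maps C: to \\.\PhysicalDrive0 at byte offset 0x7e00 and tells you to dump the sector and inspect it. The parser below is an added example written for this page; it is not code from the thread or from TDSSKiller, aswMBR or Bootkit Remover. The sample MBR it builds is constructed to mirror the partition layout aswMBR reported, with placeholder boot code rather than anything from the infected machine; the function names (build_sample_mbr, parse_mbr, assess, read_mbr_from_device) and the allowlist idea are assumptions of the example.

```python
"""Parse one 512-byte MBR the way a bootkit scanner does: hash the boot code
(first 0x1B8 bytes), check the 0x55AA signature, decode the partition table,
and give an aswMBR-style verdict ("known" vs "unknown boot code").

Added example for the TechSpot thread; not part of the thread or of any tool
used in it. The sample MBR is CONSTRUCTED; its boot code is a placeholder.
"""
import hashlib
import struct

SECTOR_BYTES = 512
BOOT_CODE_LEN = 0x1B8        # bytes 0..0x1B7, what TDSSKiller reports as "MBR (0x1B8)"
DISK_SIG_OFF = 0x1B8         # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 0x1FE..0x1FF
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count

# Constructed layout mirroring the aswMBR report in the thread:
# (bootable, type, first LBA sector, size in sectors); 2048 sectors = 1 MB.
SAMPLE_PARTITIONS = [
    (True,  0x07, 63,        104715 * 2048),   # C: NTFS, offset 63 (0x7E00 bytes)
    (False, 0x07, 214458368, 8163 * 2048),     # NTFS, 8163 MB
    (False, 0x07, 231184384, 1589 * 2048),     # NTFS, 1589 MB
]


def build_sample_mbr():
    """Construct a 512-byte MBR. The boot code is a byte pattern, not real code."""
    boot_code = bytes((i * 7 + 3) & 0xFF for i in range(BOOT_CODE_LEN))
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # constructed disk signature
    table = b""
    for bootable, ptype, lba, count in SAMPLE_PARTITIONS:
        # CHS fields are zeroed: modern loaders use the LBA fields only.
        table += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                             ptype, b"\0\0\0", lba, count)
    table += b"\x00" * 16                                      # fourth slot unused
    mbr = boot_code + disk_sig + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR_BYTES
    return mbr


def read_mbr_from_device(path):
    """Read sector 0 of a raw device, e.g. r"\\.\PhysicalDrive0" on Windows (as
    Administrator) or "/dev/sda" on Linux (as root). Not used by the sample run."""
    with open(path, "rb") as dev:
        return dev.read(SECTOR_BYTES)


def parse_mbr(mbr):
    """Return boot-code hash, disk signature, signature check and partition list."""
    if len(mbr) != SECTOR_BYTES:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0x00:
            continue                                           # empty slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR_BYTES // (1024 * 1024),
            "byte_offset": lba * SECTOR_BYTES,                # Bootkit Remover's "at offset"
        })
    return {
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "signature_ok": mbr[0x1FE:0x200] == MBR_SIGNATURE,
        "partitions": parts,
    }


def assess(parsed, known_good_md5s):
    """aswMBR-style verdict: boot code is 'known' only if its hash is on an
    allowlist of clean loaders you maintain; anything else is flagged for
    manual inspection, which is how the Pihar MBR surfaced in this thread."""
    if not parsed["signature_ok"]:
        return "invalid MBR signature"
    active = [p for p in parsed["partitions"] if p["bootable"]]
    if len(active) != 1:
        return "partition table anomaly: %d active partitions" % len(active)
    if parsed["boot_code_md5"] in known_good_md5s:
        return "known boot code"
    return "unknown boot code"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code md5 (0x1B8 bytes):", info["boot_code_md5"])
    for p in info["partitions"]:
        print("Partition %d %s type %02X %d MB offset %d (0x%X bytes)" % (
            p["index"], "80 (A)" if p["bootable"] else "00", p["type"],
            p["size_mb"], p["lba_start"], p["byte_offset"]))
    print(assess(info, known_good_md5s=set()))
```

    One caveat a practitioner should keep in mind: an MBR bootkit of this family hooks the disk driver stack so that a user-mode read of sector 0 on the live machine can return the original clean sector, and the hash you compute in-band may not be what the firmware actually executed. That is why aswMBR prints the "Disk 0 trace - called modules" chain and why TDSSKiller quarantined the TDLFS contents and cured the MBR on reboot rather than trusting a live read. Run this kind of check from boot media, or compare against the MBR.dat aswMBR saved, before treating the hash as authoritative.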
     
  7. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
      **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
      **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
      Use AppRemover to uninstall it: http://www.appremover.com/
      We can reinstall it when we're done with CF.
      **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
      **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



      Make sure, you re-enable your security programs, when you're done with Combofix.

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      NOTE.
      If, for some reason, Combofix refuses to run, try one of the following:

      1. Run Combofix from Safe Mode (How to...)

      2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
      Do NOT run it yet.

      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

      There are 4 different versions. If one of them won't run then download and try to run the other one.

      Vista and Win7 users need to right click Rkill and choose Run as Administrator

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

      Rkill.com
      Rkill.scr
      Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. UThant

    UThant TS Rookie Topic Starter Posts: 55

    Combofix log

    ComboFix 12-02-15.01 - dwozniak 02/15/2012 14:53:05.2.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2031.1149 [GMT -5:00]
    Running from: c:\users\dwozniak\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\DFRF387.tmp
    c:\users\dwozniak\g2mdlhlpx.exe
    c:\users\mmasters\g2mdlhlpx.exe
    c:\windows\$NtUninstallKB62280$
    c:\windows\$NtUninstallKB62280$\485945278\@
    c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
    c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
    c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
    c:\windows\$NtUninstallKB62280$\485945278\keywords
    c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
    c:\windows\$NtUninstallKB62280$\485945278\L\vhtmwbun
    c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
    c:\windows\$NtUninstallKB62280$\87212029
    c:\windows\system32\zip32.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-15 13:56 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-02-03 15:50 . 2012-02-15 13:05 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-01-18 16:46 . 2012-01-18 16:46 -------- d-----w- c:\program files\HTML Help Workshop
    2012-01-18 14:49 . 2012-01-18 14:49 -------- d-----w- c:\program files\IBE Software
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-10 13:41 . 2011-05-16 15:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 19:52 . 2012-02-15 13:36 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-01-09 21:42 . 2011-06-15 08:20 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-12-16 15:59 . 2012-02-15 13:37 834048 ----a-w- c:\windows\system32\wininet.dll
    2011-12-10 20:24 . 2012-01-09 21:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 15:59 . 2012-01-11 10:22 376320 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-22 18:39 . 2011-11-22 18:58 220336 ----a-w- c:\windows\lp.exe
    2011-11-18 20:23 . 2012-01-11 10:22 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-18 17:47 . 2012-01-11 10:22 66560 ----a-w- c:\windows\system32\packager.dll
    2011-04-14 16:26 . 2011-06-16 15:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-12 115560]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-19 13531680]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-19 92704]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts"= 0 (0x0)
    "HideLegacyLogonScripts"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
    2007-04-30 15:19 49152 ----a-w- c:\windows\System32\DeviceNP.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ SbHpNp scecli
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-1112\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-3566\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4087\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4092\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4151\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4231\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\bedsales.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4265\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-500\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
    backup=c:\windows\pss\DVD Check.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
    backup=c:\windows\pss\Run Google Web Accelerator.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
    backup=c:\windows\pss\VPN Client.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-12 06:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
    2007-03-07 09:40 20531 ----a-w- c:\program files\IBM\Client Access\cwbsvstr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2007-09-19 21:30 66816 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 20:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-03-19 18:00 13531680 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-03-19 18:00 92704 ----a-w- c:\windows\System32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
    2007-05-08 15:38 331552 ----a-w- c:\program files\PDF Complete\pdfsty.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
    2007-01-09 22:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-11-06 20:34 177456 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2009-04-11 03:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-02-21 13:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    2007-05-23 19:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-10 23:12 317128 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    PeerDist REG_MULTI_SZ PeerDistSvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-15 c:\windows\Tasks\User_Feed_Synchronization-{58B35616-60A8-422E-BAE4-5E4705BF0CE2}.job
    - c:\windows\system32\msfeedssync.exe [2008-05-23 07:33]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.hp.com
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.10.10.7
    FF - ProfilePath - c:\users\dwozniak\AppData\Roaming\Mozilla\Firefox\Profiles\gqz8wxik.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    SafeBoot-27439961.sys
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_06\bin\jusched.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-15 15:11
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
    "ImagePath"="a"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}*]
    "FVI2BORQSBKVMWHTNYLKBSB6ZB1"=hex:01,00,01,00,00,00,00,00,4f,29,85,7a,b6,3c,ba,
    bd,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*]
    "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,8e,ce,17,
    8d,3b,5a,3c,de,2b,f8,68,e1,af,05,2d,7f,cb,1e,b7,b4,1e,08,b6,ff,64,4a,ca,04,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}*]
    "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,8e,ce,17,
    8d,3b,5a,3c,de,2b,f8,68,e1,af,05,2d,7f,cb,1e,b7,b4,1e,08,b6,ff,64,4a,ca,04,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}*]
    "FVI2BORQSBKVMWHTNYLKBSB6ZB1"=hex:01,00,01,00,00,00,00,00,4f,29,85,7a,b6,3c,ba,
    bd,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8065E9BF-72C0-0FC1-5AFDE65F0780FDDF}\{9AEA461A-A66D-2047-6BE4E874E5E97513}\{AA471588-234B-ED0A-4D91A11ADDB01E65}*]
    "FVI2BORQSBKVMWHTNYLKBSB6ZB1"=hex:01,00,01,00,00,00,00,00,4f,29,85,7a,b6,3c,ba,
    bd,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DFFD277A-DF70-B410-AC1E2F7ACB2EF6E1}\{F03E0E06-1B3D-CEE3-10573FC9D15505B4}\{82A99E38-2615-AE8D-106A193CCF03E65A}*]
    "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,8e,ce,17,
    8d,3b,5a,3c,de,2b,f8,68,e1,af,05,2d,7f,cb,1e,b7,b4,1e,08,b6,ff,64,4a,ca,04,\
    .
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(700)
    c:\windows\SbHpNp.dll
    .
    - - - - - - - > 'Explorer.exe'(3080)
    c:\progra~1\WINZIP\WZSHLSTB.DLL
    c:\program files\WinSCP\DragExt.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\AEADISRV.EXE
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\windows\CWBRXD.EXE
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\PDF Complete\pdfsvc.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\RealVNC\VNC4\WinVNC4.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\System32\rundll32.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-15 15:20:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-15 20:20
    ComboFix2.txt 2010-01-07 21:51
    .
    Pre-Run: 40,836,898,816 bytes free
    Post-Run: 41,488,166,912 bytes free
    .
    - - End Of File - - CE14F0EF86C8B02F7605F6A6BC505E86
     
  9. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8065E9BF-72C0-0FC1-5AFDE65F0780FDDF}\{9AEA461A-A66D-2047-6BE4E874E5E97513}\{AA471588-234B-ED0A-4D91A11ADDB01E65}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DFFD277A-DF70-B410-AC1E2F7ACB2EF6E1}\{F03E0E06-1B3D-CEE3-10573FC9D15505B4}\{82A99E38-2615-AE8D-106A193CCF03E65A}*]
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000000
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  10. UThant

    UThant TS Rookie Topic Starter Posts: 55

    Second Combofix log

    ComboFix 12-02-16.01 - dwozniak 02/16/2012 9:17.3.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2031.1064 [GMT -5:00]
    Running from: c:\users\dwozniak\Desktop\ComboFix.exe
    Command switches used :: c:\users\dwozniak\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-16 13:38 . 2012-02-16 13:39 -------- d-----w- c:\users\TEMP
    2012-02-15 20:05 . 2012-02-16 14:29 -------- d-----w- c:\users\dwozniak\AppData\Local\temp
    2012-02-15 13:56 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-02-15 13:36 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-02-03 15:50 . 2012-02-15 13:05 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-01-18 16:46 . 2012-01-18 16:46 -------- d-----w- c:\program files\HTML Help Workshop
    2012-01-18 14:49 . 2012-01-18 14:49 -------- d-----w- c:\program files\IBE Software
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-10 13:41 . 2011-05-16 15:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-09 21:42 . 2011-06-15 08:20 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-12-10 20:24 . 2012-01-09 21:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 15:59 . 2012-01-11 10:22 376320 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-22 18:39 . 2011-11-22 18:58 220336 ----a-w- c:\windows\lp.exe
    2011-11-18 20:23 . 2012-01-11 10:22 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-18 17:47 . 2012-01-11 10:22 66560 ----a-w- c:\windows\system32\packager.dll
    2011-04-14 16:26 . 2011-06-16 15:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-12 115560]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-19 13531680]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-19 92704]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts"= 0 (0x0)
    "HideLegacyLogonScripts"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
    2007-04-30 15:19 49152 ----a-w- c:\windows\System32\DeviceNP.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ SbHpNp scecli
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-1112\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-3566\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4087\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4092\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4151\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4231\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\bedsales.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4265\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-500\Scripts\Logon\0\0]
    "Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
    backup=c:\windows\pss\DVD Check.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
    backup=c:\windows\pss\Run Google Web Accelerator.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
    backup=c:\windows\pss\VPN Client.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-12 06:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
    2007-03-07 09:40 20531 ----a-w- c:\program files\IBM\Client Access\cwbsvstr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2007-09-19 21:30 66816 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 20:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-03-19 18:00 13531680 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-03-19 18:00 92704 ----a-w- c:\windows\System32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
    2007-05-08 15:38 331552 ----a-w- c:\program files\PDF Complete\pdfsty.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
    2007-01-09 22:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-11-06 20:34 177456 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2009-04-11 03:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-02-21 13:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    2007-05-23 19:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-10 23:12 317128 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    PeerDist REG_MULTI_SZ PeerDistSvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-16 c:\windows\Tasks\User_Feed_Synchronization-{58B35616-60A8-422E-BAE4-5E4705BF0CE2}.job
    - c:\windows\system32\msfeedssync.exe [2008-05-23 07:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hp.com
    mStart Page = hxxp://www.hp.com
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.10.10.7
    FF - ProfilePath - c:\users\dwozniak\AppData\Roaming\Mozilla\Firefox\Profiles\gqz8wxik.default\
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
    "ImagePath"="a"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1415918955-262412770-2076119496-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9a,f4,ba,44,50,fa,3e,4e,8c,30,24,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9a,f4,ba,44,50,fa,3e,4e,8c,30,24,\
    .
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(736)
    c:\windows\SbHpNp.dll
    .
    Completion time: 2012-02-16 09:32:51
    ComboFix-quarantined-files.txt 2012-02-16 14:32
    ComboFix2.txt 2012-02-15 20:20
    ComboFix3.txt 2010-01-07 21:51
    .
    Pre-Run: 40,735,719,424 bytes free
    Post-Run: 40,732,463,104 bytes free
    .
    - - End Of File - - 68E09EDDB7F5CA4F05DC1E73E5E268D5
     
  11. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Good job :)

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. UThant

    UThant TS Rookie Topic Starter Posts: 55

    half the OTL log

    OTL logfile created on: 2/16/2012 1:14:13 PM - Run 1
    OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\dwozniak\Desktop
    Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6002.18005)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.98 Gb Total Physical Memory | 0.85 Gb Available Physical Memory | 42.65% Memory free
    4.20 Gb Paging File | 2.66 Gb Available in Paging File | 63.25% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 102.26 Gb Total Space | 37.94 Gb Free Space | 37.10% Space Free | Partition Type: NTFS
    Drive E: | 1.55 Gb Total Space | 1.32 Gb Free Space | 84.85% Space Free | Partition Type: NTFS
    Drive F: | 7.97 Gb Total Space | 0.98 Gb Free Space | 12.31% Space Free | Partition Type: NTFS
    Drive H: | 50.01 Gb Total Space | 24.25 Gb Free Space | 48.50% Space Free | Partition Type: NTFS
    Drive I: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive J: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive K: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive M: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive P: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive Q: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS

    Computer Name: 1SR-PROG-IT | User Name: dwozniak | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/02/16 13:12:15 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\dwozniak\Desktop\OTL.exe
    PRC - [2011/08/30 12:24:59 | 000,624,056 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
    PRC - [2009/04/10 22:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    PRC - [2008/09/11 19:47:38 | 001,787,200 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    PRC - [2008/09/11 19:47:38 | 001,439,040 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    PRC - [2008/09/11 19:47:38 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PRC - [2008/09/11 19:47:36 | 002,436,536 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    PRC - [2008/08/28 15:06:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    PRC - [2008/06/25 13:02:07 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    PRC - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    PRC - [2007/05/08 10:38:46 | 000,540,448 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsvc.exe
    PRC - [2007/04/27 12:58:58 | 000,221,184 | ---- | M] (SafeBoot International) -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    PRC - [2007/03/07 04:40:00 | 000,061,489 | ---- | M] (IBM Corporation) -- C:\Windows\cwbrxd.exe
    PRC - [2007/02/06 01:44:24 | 000,069,632 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE
    PRC - [2007/01/04 22:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    PRC - [2006/05/12 14:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/10/05 03:52:30 | 000,756,048 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL
    MOD - [2011/08/30 11:55:00 | 002,469,888 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 8.0\PDFMaker\Common\AdobePDFMakerX.dll
    MOD - [2011/06/22 11:46:12 | 000,434,016 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
    MOD - [2009/02/26 13:46:56 | 000,064,344 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
    MOD - [2007/07/09 21:24:38 | 000,311,296 | ---- | M] () -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    MOD - [2007/02/16 19:40:42 | 005,521,408 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtGui4.dll
    MOD - [2007/02/16 19:40:40 | 001,466,368 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtCore4.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (Smcinst)
    SRV - File not found [On_Demand | Stopped] -- -- (LcAgent)
    SRV - [2009/10/09 16:57:12 | 000,943,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/01/16 13:52:53 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
    SRV - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
    SRV - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
    SRV - [2008/09/11 19:47:38 | 001,787,200 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
    SRV - [2008/09/11 19:47:38 | 000,312,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
    SRV - [2008/09/11 19:47:36 | 002,436,536 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2008/08/28 15:06:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2008/06/30 16:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    SRV - [2008/06/25 13:02:07 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
    SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/11/06 15:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
    SRV - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2007/05/08 10:38:46 | 000,540,448 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
    SRV - [2007/04/30 10:28:34 | 000,172,131 | ---- | M] (Hewlett-Packard Ltd) [On_Demand | Stopped] -- C:\Windows\System32\flcdlock.exe -- (FLCDLOCK)
    SRV - [2007/04/27 12:58:58 | 000,221,184 | ---- | M] (SafeBoot International) [Auto | Running] -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe -- (HpFkCryptService)
    SRV - [2007/03/07 04:40:00 | 000,061,489 | ---- | M] (IBM Corporation) [Auto | Running] -- C:\Windows\cwbrxd.exe -- (Cwbrxd)
    SRV - [2007/03/05 12:30:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)
    SRV - [2007/02/06 01:44:24 | 000,069,632 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)
    SRV - [2007/01/04 22:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
    SRV - [2006/05/12 14:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
    SRV - [2001/02/14 09:00:00 | 000,106,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2012/02/08 03:04:47 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120215.036\NAVEX15.SYS -- (NAVEX15)
    DRV - [2012/02/08 03:04:47 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2012/02/08 03:04:47 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120215.036\NAVENG.SYS -- (NAVENG)
    DRV - [2012/02/03 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2009/01/26 08:16:49 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2008/09/11 19:47:40 | 000,317,872 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
    DRV - [2008/09/11 19:47:40 | 000,279,600 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
    DRV - [2008/09/11 19:47:40 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
    DRV - [2008/09/11 19:47:32 | 000,420,400 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
    DRV - [2008/09/11 19:47:32 | 000,191,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2008/09/11 19:47:32 | 000,027,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2008/08/21 23:49:58 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motccgpfl.sys -- (motccgpfl)
    DRV - [2008/08/21 23:49:22 | 000,018,688 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motccgp.sys -- (motccgp)
    DRV - [2008/03/19 13:00:00 | 007,438,432 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/02/07 00:13:00 | 000,218,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
    DRV - [2008/01/19 02:42:12 | 000,045,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
    DRV - [2007/11/06 15:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
    DRV - [2007/10/31 18:36:32 | 002,252,800 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
    DRV - [2007/10/26 14:27:00 | 000,306,300 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motport.sys -- (motport)
    DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motmodem.sys -- (motmodem)
    DRV - [2007/06/18 15:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
    DRV - [2007/04/30 19:30:14 | 000,058,240 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDCWWAN.sys -- (PTDCWWAN)
    DRV - [2007/04/26 21:23:36 | 000,005,808 | ---- | M] (SafeBoot International) [Kernel | System | Running] -- C:\Windows\System32\drivers\rsvlock.sys -- (RsvLock)
    DRV - [2007/04/26 21:23:06 | 000,100,095 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SafeBoot.sys -- (SafeBoot)
    DRV - [2007/04/23 15:13:44 | 000,030,008 | ---- | M] (Hewlett-Packard Development Company L.P.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DAMDrv.sys -- (DAMDrv)
    DRV - [2007/04/15 20:00:06 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
    DRV - [2007/04/10 17:55:28 | 000,140,808 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atswpdrv.sys -- (ATSWPDRV) (****DEBUG****) AuthenTec TruePrint USB Driver (SwipeSensor)
    DRV - [2007/04/01 05:45:30 | 000,039,808 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDCVsp.sys -- (PTDCVsp) PANTECH PC Card Diagnostic Serial Port (UDP)
    DRV - [2007/04/01 05:45:26 | 000,041,728 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDCMdm.sys -- (PTDCMdm) PANTECH PC Card Drivers (UDP)
    DRV - [2007/04/01 05:45:22 | 000,027,520 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDCBus.sys -- (PTDCBus) PANTECH PC Card Composite Device Driver (UDP)
    DRV - [2007/03/29 18:54:00 | 000,013,696 | ---- | M] (SafeBoot International) [File_System | Boot | Running] -- C:\Windows\System32\drivers\SbFsLock.sys -- (SbFsLock)
    DRV - [2007/02/24 09:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
    DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2007/01/05 03:00:02 | 000,027,136 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelerometer.sys -- (Accelerometer)
    DRV - [2007/01/05 03:00:02 | 000,018,944 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)
    DRV - [2006/12/19 20:08:00 | 000,047,616 | ---- | M] (RICOH Company, Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rismc32.sys -- (rismc32)
    DRV - [2006/11/02 03:50:52 | 000,128,104 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\WimFltr.sys -- (WimFltr)
    DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
    DRV - [2006/11/02 02:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [2006/10/09 15:31:46 | 000,044,720 | ---- | M] (SafeBoot N.V.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SbAlg.sys -- (SbAlg)
    DRV - [2006/06/28 12:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
    DRV - [2000/09/11 09:00:00 | 000,030,398 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\AW_HOST5.sys -- (AW_HOST)
    DRV - [2000/09/11 09:00:00 | 000,014,032 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\GERNUWA.sys -- (Gernuwa)
    DRV - [2000/09/11 09:00:00 | 000,010,816 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\awlegacy.sys -- (awlegacy)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
    IE - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1415918955-262412770-2076119496-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
    IE - HKU\S-1-5-21-1415918955-262412770-2076119496-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web-accelerator@google.com: C:\Program Files\Google\Web Accelerator\firefox [2008/07/03 11:56:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/16 10:43:40 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2011/06/16 10:43:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/04/14 11:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

    O1 HOSTS File: ([2012/02/15 15:09:04 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (&Google Web Accelerator Helper) - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
    O3 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\..\Toolbar\WebBrowser: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
    O3 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\..\Toolbar\WebBrowser: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
    O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 1
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 1
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
    O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
    O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 1
    O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://qliktech.webex.com/client/WBXclient-T27L10NSP30-13034/webex/ieatgpc1.cab (GpcContainer Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.10.7
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = halex.local
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{86CF2016-AF6D-490E-95EB-27B628A2391E}: DhcpNameServer = 10.10.10.7
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D01079DF-00B7-44C1-9D05-C9DB55A46D35}: DhcpNameServer = 10.10.10.7
    O18 - Protocol\Handler\qvp {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files\QlikView\QvProtocol\qvp.dll (QlikTech AB)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: GinaDLL - (C:\Windows\system32\awgina.dll) - C:\Windows\System32\awgina.dll (Symantec Corporation)
    O20 - Winlogon\Notify\DeviceNP: DllName - (DeviceNP.dll) - C:\Windows\System32\DeviceNP.dll (Hewlett-Packard Limited)
    O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - File not found
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (lsdelete)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\.DEFAULT\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*
    O37 - HKU\S-1-5-18\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lhacm - C:\Windows\System32\lhacm.acm (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.WMV3 - C:\Windows\System32\wmv9vcm.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/02/16 09:32:57 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/02/16 09:31:32 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/02/16 08:41:06 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Roaming\Adobe
    [2012/02/16 08:41:06 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\Adobe
    [2012/02/16 08:39:53 | 000,000,000 | R--D | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    [2012/02/16 08:39:53 | 000,000,000 | R--D | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    [2012/02/16 08:39:35 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Roaming\Identities
    [2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\AppData\Local\Temporary Internet Files
    [2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\Documents\My Videos
    [2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\Documents\My Pictures
    [2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\Documents\My Music
    [2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\AppData\Local\History
    [2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\AppData\Local\Application Data
    [2012/02/16 08:38:58 | 000,000,000 | --SD | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft
    [2012/02/16 08:38:58 | 000,000,000 | R--D | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
    [2012/02/16 08:38:58 | 000,000,000 | R--D | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    [2012/02/16 08:38:58 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\temp
    [2012/02/16 08:38:58 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\Symantec
    [2012/02/16 08:38:58 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\Microsoft Help
    [2012/02/16 08:38:58 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\Microsoft
    [2012/02/15 13:14:20 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2012/02/03 10:50:14 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/01/18 11:46:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HTML Help Workshop
    [2012/01/18 11:46:55 | 000,000,000 | ---D | C] -- C:\Program Files\HTML Help Workshop
    [2012/01/18 09:49:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HelpNDoc
    [2012/01/18 09:49:08 | 000,000,000 | ---D | C] -- C:\Program Files\IBE Software
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/02/16 13:15:12 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{58B35616-60A8-422E-BAE4-5E4705BF0CE2}.job
    [2012/02/16 12:38:15 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/02/16 12:38:15 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/02/16 08:59:30 | 000,000,977 | ---- | M] () -- C:\Users\dwozniak\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
    [2012/02/16 08:57:18 | 000,374,538 | ---- | M] () -- C:\ProgramData\nvModes.001
    [2012/02/16 08:57:12 | 000,000,065 | -H-- | M] () -- C:\TrackitAudit.id
    [2012/02/16 08:57:08 | 000,374,600 | ---- | M] () -- C:\ProgramData\nvModes.dat
    [2012/02/16 08:42:38 | 000,384,183 | ---- | M] () -- C:\Users\TEMP\Desktop\Vista__3-Vista_Problem_Error_Your_user_profile_was_not_loaded_correctly.pdf
    [2012/02/16 08:38:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/02/16 08:37:45 | 2129,977,344 | -HS- | M] () -- C:\hiberfil.sys
    [2012/02/16 08:36:11 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
    [2012/02/15 15:09:04 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/02/15 14:16:46 | 000,436,336 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/02/15 13:18:36 | 000,652,102 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/02/15 13:18:36 | 000,123,624 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/02/15 13:14:56 | 000,001,573 | ---- | M] () -- C:\Windows\ODBC.INI
    [2012/02/14 12:35:21 | 000,000,078 | ---- | M] () -- C:\Windows\ricdb.ini
    [2012/02/14 12:35:20 | 000,000,097 | ---- | M] () -- C:\Windows\System32\RPCS.ini
    [2012/02/14 12:30:43 | 348,072,879 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
     
  13. UThant


    2nd half OTL log

    ========== Files Created - No Company Name ==========

    [2012/02/16 08:42:38 | 000,384,183 | ---- | C] () -- C:\Users\TEMP\Desktop\Vista__3-Vista_Problem_Error_Your_user_profile_was_not_loaded_correctly.pdf
    [2012/02/16 08:39:58 | 000,000,988 | ---- | C] () -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    [2012/02/16 08:39:52 | 000,000,983 | ---- | C] () -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
    [2012/02/16 08:39:43 | 000,000,807 | ---- | C] () -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetMeeting.lnk
    [2012/02/16 08:39:32 | 000,000,954 | ---- | C] () -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
    [2012/02/03 09:37:54 | 2129,977,344 | -HS- | C] () -- C:\hiberfil.sys
    [2012/01/09 16:21:14 | 000,008,660 | -HS- | C] () -- C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh
    [2011/06/16 13:00:51 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2011/01/14 16:42:22 | 000,000,256 | ---- | C] () -- C:\Windows\System32\pool.bin
    [2010/03/12 15:04:49 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
    [2010/01/07 16:38:39 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2010/01/07 16:38:39 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2010/01/07 16:38:39 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2010/01/07 16:38:39 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2010/01/07 16:38:39 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2009/10/20 13:21:02 | 000,000,030 | ---- | C] () -- C:\Windows\Ppcswin.ini
    [2009/10/20 13:18:41 | 000,000,030 | ---- | C] () -- C:\Windows\–ÖTwpcswin.ini
    [2009/10/20 13:18:41 | 000,000,030 | ---- | C] () -- C:\Windows\±’pwpcswin.ini
    [2009/09/10 09:29:42 | 000,000,078 | ---- | C] () -- C:\Windows\ricdb.ini
    [2009/09/10 09:29:38 | 000,000,097 | ---- | C] () -- C:\Windows\System32\RPCS.ini
    [2009/06/04 11:51:47 | 000,000,065 | ---- | C] () -- C:\ProgramData\TrackitAudit.id
    [2009/06/03 12:05:04 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2009/06/03 12:04:51 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/06/03 12:03:29 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2009/06/03 12:03:29 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2009/01/16 13:52:53 | 000,000,000 | ---- | C] () -- C:\Windows\eDrawingOfficeAutomator.INI
    [2008/09/02 07:14:38 | 000,000,030 | ---- | C] () -- C:\Windows\Sèupcswin.ini
    [2008/09/02 07:14:38 | 000,000,030 | ---- | C] () -- C:\Windows\12¹vpcswin.ini
    [2008/09/01 11:34:41 | 000,000,030 | ---- | C] () -- C:\Windows\SèSwpcswin.ini
    [2008/09/01 11:34:41 | 000,000,030 | ---- | C] () -- C:\Windows\12Ývpcswin.ini
    [2008/08/27 07:33:05 | 000,000,030 | ---- | C] () -- C:\Windows\SèÌupcswin.ini
    [2008/08/27 07:33:05 | 000,000,030 | ---- | C] () -- C:\Windows\12Lvpcswin.ini
    [2008/08/25 07:15:49 | 000,000,030 | ---- | C] () -- C:\Windows\12fwpcswin.ini
    [2008/08/18 08:06:01 | 000,000,030 | ---- | C] () -- C:\Windows\SèRwpcswin.ini
    [2008/08/18 08:06:01 | 000,000,030 | ---- | C] () -- C:\Windows\127vpcswin.ini
    [2008/08/14 08:27:37 | 000,000,030 | ---- | C] () -- C:\Windows\SèÉupcswin.ini
    [2008/08/14 08:27:37 | 000,000,030 | ---- | C] () -- C:\Windows\12Ýupcswin.ini
    [2008/08/11 09:01:25 | 000,000,030 | ---- | C] () -- C:\Windows\Sèçvpcswin.ini
    [2008/08/11 09:01:25 | 000,000,030 | ---- | C] () -- C:\Windows\12šupcswin.ini
    [2008/08/08 10:16:38 | 000,000,030 | ---- | C] () -- C:\Windows\Sè$vpcswin.ini
    [2008/08/08 10:16:38 | 000,000,030 | ---- | C] () -- C:\Windows\12Ivpcswin.ini
    [2008/08/08 07:27:58 | 000,000,030 | ---- | C] () -- C:\Windows\Sè#wpcswin.ini
    [2008/08/08 07:27:58 | 000,000,030 | ---- | C] () -- C:\Windows\12ávpcswin.ini
    [2008/08/06 06:53:26 | 000,000,030 | ---- | C] () -- C:\Windows\SèEwpcswin.ini
    [2008/08/06 06:53:26 | 000,000,030 | ---- | C] () -- C:\Windows\12}wpcswin.ini
    [2008/08/06 06:53:25 | 000,000,030 | ---- | C] () -- C:\Windows\Lpcswin.ini
    [2008/08/05 09:44:40 | 000,000,030 | ---- | C] () -- C:\Windows\12Twpcswin.ini
    [2008/06/10 13:33:27 | 000,000,000 | ---- | C] () -- C:\Windows\obsi32.INI
    [2008/06/10 13:32:33 | 000,000,301 | ---- | C] () -- C:\Windows\cdkey.ini
    [2008/06/10 13:31:31 | 000,319,488 | ---- | C] () -- C:\Windows\test2.exe
    [2008/06/10 13:29:30 | 000,006,522 | ---- | C] () -- C:\Windows\ONBASE.INI
    [2008/05/16 10:58:04 | 000,012,632 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
    [2008/05/13 11:06:22 | 000,172,032 | ---- | C] () -- C:\Windows\System32\cwbrw.dll
    [2008/05/13 11:06:22 | 000,024,576 | ---- | C] () -- C:\Windows\System32\cwbsv.dll
    [2008/05/13 11:06:22 | 000,016,384 | ---- | C] () -- C:\Windows\System32\cwbad.dll
    [2008/05/13 11:06:21 | 000,020,480 | ---- | C] () -- C:\Windows\System32\cwbnl.dll
    [2008/05/13 11:06:21 | 000,020,480 | ---- | C] () -- C:\Windows\System32\cwbco.dll
    [2008/04/11 10:23:09 | 000,000,026 | ---- | C] () -- C:\Windows\lvdbed.INI
    [2008/04/10 12:43:43 | 000,374,600 | ---- | C] () -- C:\ProgramData\nvModes.dat
    [2008/04/10 12:43:43 | 000,374,538 | ---- | C] () -- C:\ProgramData\nvModes.001
    [2008/04/02 12:55:24 | 000,000,205 | ---- | C] () -- C:\Windows\ODBCINST.INI
    [2008/02/29 17:00:39 | 000,001,573 | ---- | C] () -- C:\Windows\ODBC.INI
    [2008/02/29 16:53:29 | 000,000,234 | ---- | C] () -- C:\Windows\netop.ini
    [2008/02/11 16:51:04 | 000,055,808 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll
    [2008/01/29 12:04:09 | 000,024,630 | ---- | C] () -- C:\Windows\System32\cwbunplp.exe
    [2008/01/29 12:04:00 | 000,126,976 | ---- | C] () -- C:\Windows\cwbzip.exe
    [2008/01/29 12:04:00 | 000,020,529 | ---- | C] () -- C:\Windows\System32\cwbwiz.dll
    [2008/01/29 12:04:00 | 000,020,480 | ---- | C] () -- C:\Windows\System32\cwbsy.dll
    [2008/01/29 12:04:00 | 000,016,384 | ---- | C] () -- C:\Windows\System32\cwbnldlg.dll
    [2008/01/11 16:07:47 | 000,012,860 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2008/01/11 14:54:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
    [2008/01/11 14:54:36 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
    [2008/01/11 14:54:36 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
    [2008/01/11 14:54:36 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
    [2008/01/11 14:54:36 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
    [2008/01/11 14:54:36 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
    [2007/11/06 15:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
    [2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
    [2007/04/30 10:31:14 | 000,274,432 | ---- | C] () -- C:\Windows\System32\flcdlmsg.dll
    [2007/04/26 21:23:06 | 000,100,095 | ---- | C] () -- C:\Windows\System32\drivers\SafeBoot.sys
    [2007/01/19 09:30:56 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
    [2007/01/05 03:00:02 | 000,018,944 | ---- | C] () -- C:\Windows\System32\hpservice.exe
    [2006/11/09 16:07:03 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
    [2006/11/09 16:06:34 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
    [2006/11/02 07:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 07:47:43 | 000,436,336 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 05:33:01 | 000,652,102 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 05:33:01 | 000,123,624 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
    [2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2006/09/19 01:02:40 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
    [2006/09/19 01:02:40 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
    [2006/03/09 05:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
    [2005/12/21 17:57:36 | 000,139,264 | ---- | C] () -- C:\Windows\System32\nsldap32v50.dll
    [2005/12/21 17:57:04 | 000,024,576 | ---- | C] () -- C:\Windows\System32\nsldappr32v50.dll
    [2005/12/21 17:54:34 | 000,040,960 | ---- | C] () -- C:\Windows\System32\nsldapssl32v50.dll
    [1999/06/18 08:06:00 | 000,031,232 | ---- | C] () -- C:\Windows\System32\ftp4w32.dll
    [1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL
    [1998/05/06 21:10:00 | 000,069,632 | R--- | C] () -- C:\Windows\System32\ODMA32.dll

    ========== LOP Check ==========

    [2009/02/20 08:07:29 | 000,000,000 | ---D | M] -- C:\Users\bjones.HALEX\AppData\Roaming\SampleView
    [2008/07/11 12:27:45 | 000,000,000 | ---D | M] -- C:\Users\cstapleton\AppData\Roaming\IBM
    [2008/07/11 12:37:30 | 000,000,000 | ---D | M] -- C:\Users\cstapleton\AppData\Roaming\webex
    [2010/08/05 16:02:59 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\Centra
    [2008/08/11 15:35:37 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2009/01/16 13:57:22 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\EDrawings
    [2008/09/04 11:41:52 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\IBM
    [2009/01/30 09:36:52 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\InterVideo
    [2010/05/26 10:18:30 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\Numara Software
    [2011/10/17 08:56:43 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\QlikTech
    [2011/01/26 15:00:05 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\Research In Motion
    [2010/08/05 16:04:52 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\Saba
    [2008/08/28 14:04:26 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\SampleView
    [2009/04/09 10:19:35 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\VSee
    [2011/11/03 10:18:21 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\webex
    [2008/05/21 07:45:55 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\LinkedIn
    [2008/05/07 14:17:22 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\PeerNetworking
    [2008/03/26 12:29:28 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\SampleView
    [2008/02/27 13:20:24 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\Smith Micro
    [2008/07/01 13:47:25 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\VSee
    [2008/05/23 09:28:13 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\webex
    [2012/02/16 08:36:10 | 000,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2012/02/16 13:15:12 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{58B35616-60A8-422E-BAE4-5E4705BF0CE2}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/04/29 22:28:42 | 000,204,722 | ---- | M] () -- C:\1_043010.DBF
    [2011/02/08 12:50:34 | 000,000,389 | ---- | M] () -- C:\AS400.KMP
    [2010/03/01 13:55:59 | 000,001,368 | ---- | M] () -- C:\aujetran.fdf
    [2009/01/29 10:04:41 | 035,745,976 | ---- | M] (Online Media Technologies Ltd. ) -- C:\AVSVideoReMaker.exe
    [2009/04/10 22:36:38 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2006/11/09 08:00:46 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
    [2009/08/03 07:56:47 | 000,000,584 | ---- | M] () -- C:\Ciam_LogFile.log
    [2012/02/16 09:32:52 | 000,014,135 | ---- | M] () -- C:\ComboFix.txt
    [2008/01/30 11:20:19 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2007/08/08 15:46:43 | 000,000,000 | ---- | M] () -- C:\C_USERPART
    [2009/02/18 16:33:49 | 000,270,848 | ---- | M] () -- C:\Eric Presentation - Cost Cutting - short.ppt
    [2009/06/01 07:59:14 | 000,031,744 | ---- | M] () -- C:\HD Incoming Interchange Analysis week ending 052909.xls
    [2012/02/16 08:37:45 | 2129,977,344 | -HS- | M] () -- C:\hiberfil.sys
    [2008/03/19 12:40:54 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2008/03/19 12:40:54 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2012/02/16 08:37:38 | 2443,730,944 | -HS- | M] () -- C:\pagefile.sys
    [2008/05/23 12:40:49 | 000,000,627 | ---- | M] () -- C:\pdinstl.log
    [2012/01/10 08:23:02 | 000,000,366 | ---- | M] () -- C:\rkill.log
    [2012/01/09 16:41:35 | 000,083,918 | ---- | M] () -- C:\TDSSKiller.2.6.25.0_09.01.2012_16.40.39_log.txt
    [2012/01/10 08:24:14 | 000,000,348 | ---- | M] () -- C:\TDSSKiller.2.6.25.0_10.01.2012_08.24.08_log.txt
    [2012/02/03 10:50:22 | 000,086,370 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_03.02.2012_10.46.09_log.txt
    [2012/01/10 08:32:53 | 000,083,316 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_10.01.2012_08.32.24_log.txt
    [2012/02/15 08:05:56 | 000,087,852 | ---- | M] () -- C:\TDSSKiller.2.7.12.0_15.02.2012_08.04.26_log.txt
    [2012/02/16 08:57:12 | 000,000,065 | -H-- | M] () -- C:\TrackitAudit.id

    < %systemroot%\Fonts\*.com >
    [2006/11/02 07:37:19 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 07:37:19 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 07:37:19 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/06/03 12:16:10 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 16:37:34 | 000,000,065 | -H-- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/01/19 02:34:28 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\HPZPPLHN.DLL
    [2006/11/02 07:36:30 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/05/23 10:43:23 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/11/19 10:33:49 | 000,000,365 | -HS- | M] () -- C:\Users\dwozniak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/02/14 15:50:20 | 000,302,592 | ---- | M] () -- C:\Users\dwozniak\Desktop\4yvc7ogp.exe
    [2012/02/15 13:23:13 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Users\dwozniak\Desktop\aswMBR.exe
    [2012/02/15 14:02:49 | 000,568,832 | ---- | M] () -- C:\Users\dwozniak\Desktop\BTKR_RunBox.exe
    [2012/02/16 09:12:59 | 004,405,806 | R--- | M] (Swearware) -- C:\Users\dwozniak\Desktop\ComboFix.exe
    [2012/02/16 13:12:15 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\dwozniak\Desktop\OTL.exe
    [2012/02/15 08:04:02 | 002,061,360 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\dwozniak\Desktop\tdsskiller.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2006/11/02 07:36:17 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2012/02/16 08:19:01 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
    [2012/02/16 08:19:01 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
    [2012/02/16 08:13:00 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
    [2012/02/16 08:13:01 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2008/07/21 09:03:11 | 000,000,402 | -HS- | M] () -- C:\Users\dwozniak\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2012/01/09 16:35:18 | 000,008,660 | -HS- | M] () -- C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh
    [2011/10/24 09:57:03 | 000,012,860 | RHS- | M] () -- C:\ProgramData\ntuser.pol
    [2012/02/16 08:57:18 | 000,374,538 | ---- | M] () -- C:\ProgramData\nvModes.001
    [2009/06/04 11:51:47 | 000,000,065 | ---- | M] () -- C:\ProgramData\TrackitAudit.id

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "NoAutoRebootWithLoggedOnUsers" = 1
    "AutoInstallMinorUpdates" = 1
    "IncludeRecommendedUpdates" = 1
    "AUPowerManagement" = 1
    "NoAUShutdownOption" = 0
    "NoAutoUpdate" = 0
    "AUOptions" = 4
    "ScheduledInstallDay" = 0
    "ScheduledInstallTime" = 13
    "UseWUServer" = 1
    "RescheduleWaitTimeEnabled" = 1
    "RescheduleWaitTime" = 15
    "DetectionFrequencyEnabled" = 1
    "DetectionFrequency" = 22
    "RebootWarningTimeoutEnabled" = 1
    "RebootWarningTimeout" = 30
    "RebootRelaunchTimeoutEnabled" = 1
    "RebootRelaunchTimeout" = 60

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E0258CAE

    < End of report >
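Added example, not part of UThant's posts and not OTL's own code: a short Python triage script for the three indicators a responder would pull out of the log above. The O37 lines show every .exe launch under the .DEFAULT and SYSTEM (S-1-5-18) hives being routed through C:\Users\dwozniak\AppData\Local\bcr.exe instead of the stock "%1" %* handler; the "Files Created" list carries a hidden+system, extension-less, random-named file in C:\ProgramData; and the report ends with an alternate data stream on C:\ProgramData\TEMP. The sample lines are copied from the log as posted. The function names, the 20-character random-name heuristic and the choice to list the ADS for review rather than call it malicious are my assumptions.

```python
"""Triage an OTL log for the persistence indicators seen in this thread.

Added example: not code from the original posts or from OTL. The regex shapes
follow the OTL lines pasted above; function names and thresholds are mine.
"""
import re
from typing import List, Optional, Tuple

# Stock Windows handler for program files; any other command in an exefile /
# .exe key means every program launch is proxied through something else.
DEFAULT_PROGRAM_COMMAND = '"%1" %*'

# Class / extension suffixes whose handler should be the stock command.
PROGRAM_CLASS_SUFFIXES = ('exe', 'exefile', 'com', 'comfile',
                          'bat', 'batfile', 'cmd', 'cmdfile', 'pif', 'piffile')

# O35/O37 lines:  O37 - HKU\S-1-5-18\...exe [@ = Jsk] -- "C:\...\bcr.exe" -a "%1" %*
SHELL_SPAWN_RE = re.compile(r'^O3[57] - (?P<key>\S+) \[(?P<verb>[^\]]*)\] -- (?P<cmd>.*)$')

# File entries:  [date time | size | attrs | C or M] (company) -- path
# Folder entries carry no "(company)" field, hence the optional group.
FILE_ENTRY_RE = re.compile(
    r'^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| '
    r'(?P<op>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$')

ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$')

# Heuristic (assumption): an extension-less lower-case alphanumeric name of
# 20+ characters is "random-looking".
RANDOM_NAME_RE = re.compile(r'^[a-z0-9]{20,}$')

# Lines copied verbatim from the OTL log posted above (an excerpt, not a full log).
SAMPLE_LOG = r"""
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*
[2012/02/16 09:32:57 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/01/09 16:21:14 | 000,008,660 | -HS- | C] () -- C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh
[2008/01/11 16:07:47 | 000,012,860 | RHS- | C] () -- C:\ProgramData\ntuser.pol
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E0258CAE
"""


def program_handler_hijacked(key: str, cmd: str) -> bool:
    """True when a program-class handler is anything but the stock "%1" %*."""
    if not key.lower().endswith(PROGRAM_CLASS_SUFFIXES):
        return False
    return cmd.strip() != DEFAULT_PROGRAM_COMMAND


def suspicious_hidden_file(attrs: str, company: Optional[str], path: str) -> bool:
    """Hidden+system, no company name, random extension-less basename."""
    name = path.rsplit('\\', 1)[-1]
    return ('H' in attrs and 'S' in attrs and not company
            and RANDOM_NAME_RE.match(name) is not None)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings; ADS entries are listed for review only."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SHELL_SPAWN_RE.match(line)
        if m:
            if program_handler_hijacked(m.group('key'), m.group('cmd')):
                findings.append(('program-handler-hijack', f"{m.group('key')} -> {m.group('cmd')}"))
            continue
        m = FILE_ENTRY_RE.match(line)
        if m:
            if suspicious_hidden_file(m.group('attrs'), m.group('company'), m.group('path')):
                findings.append(('hidden-random-file', m.group('path')))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(('alternate-data-stream', m.group('path')))
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'{category:24} {detail}')
```

To run it against a saved report, pass the file's text to triage(), e.g. `triage(open('OTL.txt', encoding='utf-8', errors='replace').read())`. The random-name rule is only a heuristic: it will miss an attacker file that carries an extension or a vendor-looking name, and the ADS on C:\ProgramData\TEMP is reported so that someone looks at it, not because the script can tell what wrote it. Treat hits as leads for the helper handling the thread, not as verdicts.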
     
  14. UThant


    Extras log

    OTL Extras logfile created on: 2/16/2012 1:14:14 PM - Run 1
    OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\dwozniak\Desktop
    Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6002.18005)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.98 Gb Total Physical Memory | 0.85 Gb Available Physical Memory | 42.65% Memory free
    4.20 Gb Paging File | 2.66 Gb Available in Paging File | 63.25% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 102.26 Gb Total Space | 37.94 Gb Free Space | 37.10% Space Free | Partition Type: NTFS
    Drive E: | 1.55 Gb Total Space | 1.32 Gb Free Space | 84.85% Space Free | Partition Type: NTFS
    Drive F: | 7.97 Gb Total Space | 0.98 Gb Free Space | 12.31% Space Free | Partition Type: NTFS
    Drive H: | 50.01 Gb Total Space | 24.25 Gb Free Space | 48.50% Space Free | Partition Type: NTFS
    Drive I: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive J: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive K: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive M: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive P: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
    Drive Q: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS

    Computer Name: 1SR-PROG-IT | User Name: dwozniak | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
    .exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*

    [HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
    .exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 0
    "DisabledInterfaces" = {D01079DF-00B7-44C1-9D05-C9DB55A46D35},{86CF2016-AF6D-490E-95EB-27B628A2391E}

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 0
    "DisabledInterfaces" = {D01079DF-00B7-44C1-9D05-C9DB55A46D35},{86CF2016-AF6D-490E-95EB-27B628A2391E}

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{12802776-20C7-4A05-9D47-3C5F75C0D355}" = lport=3389 | protocol=6 | dir=in | app=system |
    "{2ED6612D-3992-46B9-8E46-50BB65F836CB}" = lport=5722 | protocol=6 | dir=in | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
    "{3FD5D9AE-CFE5-4BD1-87BC-5F49D8787EED}" = lport=3587 | protocol=6 | dir=in | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
    "{42F7A520-D64D-402A-B8E2-8A8FDE95B863}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{43D6EEBD-1CA2-4041-BF5A-CB8AE3A74A77}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
    "{495C4BD9-C0A4-475F-A5A3-65B9AD8277A2}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework\v4.0.30319\smsvchost.exe |
    "{4EC70035-630F-4031-B2D5-130FFB6DDAC3}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\netproj.exe |
    "{5175AE39-88E2-4A0E-8BDF-C91B1A81372B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{5511D978-26D0-4544-AA17-2763ED68E2DA}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{58DA459D-6F79-4D8F-B308-2DF98718B880}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
    "{5E0C3F29-3F4F-4C5D-9D99-5D035E1024DF}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\netproj.exe |
    "{6B5B9057-54E9-4464-A598-A84B259E7093}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
    "{73F5CB90-79A7-493A-BEA7-0CDE0B3017D4}" = lport=5358 | protocol=6 | dir=in | app=system |
    "{74A9EFA8-AC0E-4971-9D6E-1A0EF89B43EF}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
    "{883B150B-C51C-4407-84DA-79F8632B100A}" = rport=3587 | protocol=6 | dir=out | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
    "{89A92230-A4DD-4E5B-8EF7-9448517942D6}" = rport=5358 | protocol=6 | dir=out | app=system |
    "{89DF70BB-0834-4F67-81F7-77CDF9ED8403}" = rport=5722 | protocol=6 | dir=out | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
    "{996E19E8-A3E1-4057-AF99-C2EB650591F5}" = rport=5357 | protocol=6 | dir=out | app=system |
    "{9A73AD10-3BB4-4DE9-A309-2A88E64D0617}" = lport=5357 | protocol=6 | dir=in | app=system |
    "{9C2D5096-1CEC-4526-8DCE-94F6271BA4DF}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
    "{AE3239F9-E441-4BE7-87A8-1CE60DF0DB09}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
    "{B6FD6B91-1320-4FB3-BFE6-5B938B6DEECF}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
    "{C9C27580-7B13-4B50-B356-18E210303423}" = lport=3587 | protocol=6 | dir=in | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
    "{C9EBFF3B-1B44-4A74-AE69-E122B7C6D573}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\netproj.exe |
    "{CA33C307-B457-4DB8-AC9C-73916B8F2501}" = rport=3587 | protocol=6 | dir=out | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
    "{CE429DAD-5BAD-4F9B-A4F2-251226C8E431}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\netproj.exe |
    "{D1B2CADB-65D4-47A2-9B2A-D37DFEBCB401}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{D70C66C4-1BC7-47F5-9B55-28783A92348B}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
    "{E697546B-E2BF-4CA0-889B-950C507F0059}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
    "{EF388B75-643C-475A-AE5D-D1D926367FE8}" = lport=5722 | protocol=6 | dir=in | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
    "{F08150F3-DFFB-42D2-A565-30FF41AEDEE0}" = rport=5722 | protocol=6 | dir=out | svc=dfsr | app=%systemroot%\system32\dfsr.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{03E04F68-89C8-487C-A3E6-76ED7C882BA1}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
    "{0E18D78B-C2C9-4AA5-94BA-3A0E5739CAF7}" = protocol=17 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
    "{23687BFB-2C93-49DF-9F15-89895370EE69}" = protocol=6 | dir=in | app=c:\program files\numara software\remote\guest\ngstw32.exe |
    "{2ED4F4D8-52EE-4FBA-A9CC-C48BCA19D724}" = protocol=6 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
    "{396212BC-1174-43C6-A74D-6A3DC81ADF9E}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
    "{4E2A68A1-E8CE-4923-86C6-C02826A88873}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
    "{5855F152-47F7-4344-BCA8-36BFB69A88D4}" = protocol=6 | dir=in | app=c:\program files\numara software\remote\guest\ngstw32.exe |
    "{73380F58-4D22-4E87-9B9B-C94DB4D75089}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
    "{83CF79D7-44A1-455E-992A-BE41F1272113}" = protocol=17 | dir=in | app=c:\program files\numara software\remote\guest\ngstw32.exe |
    "{903BE726-6436-4C87-A81E-A522708225AE}" = protocol=6 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
    "{956C4957-1CE7-421E-A3C4-F4470321A054}" = protocol=17 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
    "{A0317A65-7332-416A-BBFC-F6ABD77EB680}" = protocol=6 | dir=in | app=%systemroot%\system32\netproj.exe |
    "{A12D6D05-B45F-4705-8F7D-7F6D3E4D535E}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
    "{A2EE0EC3-6AAF-4E2A-A67E-B1E62DB3E2ED}" = protocol=6 | dir=out | app=%systemroot%\system32\netproj.exe |
    "{A4492290-08D3-48F4-A41A-053CEE320439}" = protocol=6 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
    "{AF17B684-819B-44AC-8334-8E1157730BE0}" = protocol=6 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
    "{AF8C0DA5-2D05-4877-95DF-FEBC0957F637}" = protocol=6 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
    "{B057DA81-626C-4285-AA72-24AB72E55607}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
    "{B3831B2B-1701-4611-BC23-44024A135CF2}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
    "{C55FDAFD-1076-4759-B98D-D5D33C34637E}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
    "{D3258AD2-ECA8-4A85-A0FC-6ADF36D10679}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
    "{DDB39332-D3EE-4156-ABE7-7A1F54F6ACCA}" = protocol=17 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
    "{EBBF4DB1-0429-470C-B2C3-52484AD95434}" = protocol=17 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
    "{ECC4C522-DB45-4E1B-A78D-A20C6136146B}" = protocol=17 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
    "{EE1E2EBF-CD81-435A-894A-111B5A0A6CFA}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
    "{EFCC0A8B-962E-41D8-BB77-5DB67BDB0A22}" = protocol=17 | dir=in | app=c:\program files\numara software\remote\guest\ngstw32.exe |
    "TCP Query User{15882214-7457-4300-9688-6EEFD7361B63}C:\program files\ibm\client access\cwbunnav.exe" = protocol=6 | dir=in | app=c:\program files\ibm\client access\cwbunnav.exe |
    "TCP Query User{1BF0C776-9048-4DC1-9E25-C2B64C8BA95B}C:\windows\sminst\scheduler.exe" = protocol=6 | dir=in | app=c:\windows\sminst\scheduler.exe |
    "TCP Query User{422E9B91-ED88-4DD4-8D8D-1FEC85A30AA2}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
    "TCP Query User{746C512D-9604-4A58-A576-C7EF8B11A339}C:\program files\microsoft office\office12\winword.exe" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\winword.exe |
    "TCP Query User{8A4F66C2-533E-43A6-8AC3-9E19352EFC31}C:\windows\system32\ftp.exe" = protocol=6 | dir=in | app=c:\windows\system32\ftp.exe |
    "TCP Query User{A7136C4D-C01D-459E-B7A5-1102CF36CAEB}C:\windows\system32\mstsc.exe" = protocol=6 | dir=in | app=c:\windows\system32\mstsc.exe |
    "TCP Query User{B4DB7EB0-A571-4BA6-835A-369E9C384E0A}C:\program files\netmeeting\conf.exe" = protocol=6 | dir=in | app=c:\program files\netmeeting\conf.exe |
    "TCP Query User{D694F9BC-C2C5-4EC8-8276-24BEB30C6FC9}C:\windows\sminst\scheduler.exe" = protocol=6 | dir=in | app=c:\windows\sminst\scheduler.exe |
    "TCP Query User{E844CADE-11D5-45EE-9E68-D1B6F4021376}C:\windows\sminst\scheduler.exe" = protocol=6 | dir=in | app=c:\windows\sminst\scheduler.exe |
    "TCP Query User{FCEBC868-EEF7-4581-A0ED-74FA1F09014B}C:\program files\ibm\client access\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ibm\client access\jre\bin\javaw.exe |
    "UDP Query User{481CFA5C-6039-4600-8A51-8BD86BB1C3CA}C:\program files\ibm\client access\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ibm\client access\jre\bin\javaw.exe |
    "UDP Query User{5287FCEC-98ED-45D6-8390-216CACCC7BED}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
    "UDP Query User{86179435-CC93-48C5-A650-D5DDEF713585}C:\program files\ibm\client access\cwbunnav.exe" = protocol=17 | dir=in | app=c:\program files\ibm\client access\cwbunnav.exe |
    "UDP Query User{8D1D9860-6284-4892-BBB7-468C1B060A72}C:\program files\microsoft office\office12\winword.exe" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\winword.exe |
    "UDP Query User{949F259E-45D4-4230-81F1-2F93864035BB}C:\windows\system32\ftp.exe" = protocol=17 | dir=in | app=c:\windows\system32\ftp.exe |
    "UDP Query User{AA23BCC5-CCA6-48D6-A8D0-5E781FF532B7}C:\windows\sminst\scheduler.exe" = protocol=17 | dir=in | app=c:\windows\sminst\scheduler.exe |
    "UDP Query User{C24D06BF-57BC-4C4F-85F0-96FC85729AD1}C:\program files\netmeeting\conf.exe" = protocol=17 | dir=in | app=c:\program files\netmeeting\conf.exe |
    "UDP Query User{D7680A78-34CB-4120-BF65-F376EBABFB2A}C:\windows\system32\mstsc.exe" = protocol=17 | dir=in | app=c:\windows\system32\mstsc.exe |
    "UDP Query User{DB761AF5-8708-4D19-8417-3BC81E355831}C:\windows\sminst\scheduler.exe" = protocol=17 | dir=in | app=c:\windows\sminst\scheduler.exe |
    "UDP Query User{F630D4F5-EA23-4BEC-BE2B-58B62686BB71}C:\windows\sminst\scheduler.exe" = protocol=17 | dir=in | app=c:\windows\sminst\scheduler.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00000038-C690-11DB-9900-000E0CBD0225}" = Numara Remote Control Guest
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{033F6F4A-040B-42AE-B4B0-34E1344CFB51}" = AccessToCSV
    "{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
    "{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
    "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
    "{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
    "{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library
    "{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check
    "{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 23
    "{27161A23-6B1A-4147-B2F4-1EC3ED5C4A85}" = DBU
    "{2DB165DC-DDB4-403F-B985-19F3EC7D0357}" = HP ProtectTools Security Manager
    "{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
    "{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2
    "{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}" = Roxio MyDVD Basic v9
    "{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 B2
    "{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
    "{3912A629-0020-0005-3131-2FBA74D4DF0A}" = InterVideo WinDVD
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup & Recovery Manager Installer
    "{41846938-6A9E-488B-9E37-21F7D814ECFA}" = mpmri
    "{49C27FB0-CEEF-4A11-8114-0BFE336D3884}" = Symantec Endpoint Protection
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
    "{521F72F4-FFE4-4959-AA88-EED06125211F}" = HP Notebook Accessories Product Tour
    "{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
    "{55B52830-024A-443E-AF61-61E1E71AFA1B}" = Device Access Manager for HP ProtectTools
    "{584B0895-8EF3-4175-8E80-1B68BFA04636}" = HP Help and Support
    "{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
    "{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
    "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
    "{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
    "{6A1975EB-27E6-491D-94BC-6355FA25F40F}" = Google Web Accelerator
    "{6A9AFDFF-AF78-4642-8903-6B20B794D85D}" = LABELVIEW 8.10.05
    "{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components
    "{70CEFEBA-F757-4DBE-8A21-027C326137CE}" = Application Installer 4.00.B14
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{73726B45-FD55-4AA8-852F-4AB3285E6CAC}" = mp
    "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
    "{7F82FE45-E5B5-45D5-AD1D-2CF381E0512F}" = Cisco ASDM Launcher
    "{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
    "{871DF2BE-41D2-4334-AC33-839AF16FC8FE}" = Cisco Systems VPN Client 5.0.02.0090
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
    "{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_OUTLOOKR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_OUTLOOKR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}_STANDARDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_OUTLOOKR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}_STANDARDR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_OUTLOOKR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARDR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_OUTLOOKR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}_STANDARDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_OUTLOOKR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}_STANDARDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
    "{91120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
    "{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{91120000-001A-0000-0000-0000000FF1CE}" = Microsoft Office Outlook 2007
    "{91120000-001A-0000-0000-0000000FF1CE}_OUTLOOKR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
    "{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
    "{93D44E47-EBE0-43FC-A427-8AC3CD026536}" = Vista Default Settings
    "{997FF31A-80C9-4B92-8F80-10953D2AE9A3}" = QlikView x86
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
    "{A7FE99B6-E077-4F52-BC6A-E24C338F3C23}" = Crystal Reports XI Release 2 .NET 2005 Server
    "{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
    "{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
    "{AC76BA86-1033-0000-BA7E-000000000003}" = Adobe Acrobat 8 Standard
    "{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
    "{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}" = Ipswitch WS_FTP 12
    "{ADA35685-E6DC-42F2-807E-312AD0D18AA6}" = HP User Guides 0061
    "{B05E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
    "{BBE5C83E-4DC5-494F-8A23-3AAE242E94C2}" = HP Easy Setup - Frontend
    "{C5EDCC75-41E1-4510-B533-7B2ABA37BE45}" = ESU for Microsoft Vista
    "{C74D0FA0-1D49-464F-A707-B427EE3385C1}" = BIOS Configuration for HP ProtectTools
    "{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
    "{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D32067CD-7409-4792-BFA0-1469BCD8F0C8}" = HP Wireless Assistant
    "{D9B4D7EE-481C-4C36-86AB-A8F7417725FF}" = LightScribe 1.6.43.1
    "{DA546462-1AD9-4435-8E06-C7C74D1F4E4B}" = ProData RDR
    "{DB6F07FF-A436-453a-B685-F6C1F4F09D22}" = PANTECH PC Card Software
    "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
    "{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
    "{F7F3B252-E772-48AA-93EB-7964BC326067}" = MSCU for Microsoft Vista
    "{F843AC27-704C-4731-A590-F57841B488F2}" = Drive Encryption for HP ProtectTools
    "{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}" = HP Easy Setup - Core
    "{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
    "{FF2528E6-45F9-45D0-9531-6F369AC7B886}" = OnBase Runtime CD Client CD #254742
    "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
    "ActiveTouchMeetingClient" = WebEx
    "Adobe Acrobat 8 Standard" = Adobe Acrobat 8.3.1 Standard
    "Adobe Acrobat 8 Standard_831" = Adobe Acrobat 8.3.1 - CPSID_83708
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "AVS DVDMenu Editor_is1" = AVS DVDMenu Editor 1.2.1.20
    "AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.2
    "AVS4YOU Video ReMaker_is1" = AVS Video ReMaker 2.4
    "CCleaner" = CCleaner (remove only)
    "CentraClient" = Centra Client
    "ClientAccessExpress" = IBM iSeries Access for Windows
    "ClientAccessExpressSP" = IBM iSeries Access for Windows SI29771
    "CNXT_MODEM_PCI_VEN_14F1&DEV_2C06_hpZ1379z" = Soft Data Fax Modem with SmartCP
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "filehippo.com" = filehippo.com Update Checker
    "HelpNDoc_is1" = HelpNDoc 3.3.0.123 Personal Edition
    "HTML Help Workshop" = HTML Help Workshop
    "L0phtCrack 6" = L0phtCrack 6
    "LiveReg" = LiveReg (Symantec Corporation)
    "LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
    "NetMeeting" = NetMeeting 3.01
    "Network Viewer v2.2 (002)" = Network Viewer v2.2 (002)
    "NVIDIA Drivers" = NVIDIA Drivers
    "OUTLOOKR" = Microsoft Office Outlook 2007
    "PDF Complete" = PDF Complete
    "PROHYBRIDR" = 2007 Microsoft Office system
    "PROPLUS" = Microsoft Office Professional Plus 2007
    "PROSet" = Intel(R) Network Connections Drivers
    "RealVNC_is1" = VNC Free Edition 4.1.2
    "Shortcut Explorer_is1" = Shortcut Explorer 3.0
    "STANDARDR" = Microsoft Office Standard 2007
    "Stay-Linked Administrator" = Stay-Linked Administrator
    "Stay-Linked Server for iSeries Installation Wizard" = Stay-Linked Server for iSeries Installation Wizard
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "TightVNC_is1" = TightVNC 1.3.9
    "VLC media player" = VLC media player 1.1.4
    "VZAccess Manager" = VZAccess Manager
    "WinPcapInst" = WinPcap 4.0.2
    "winscp3_is1" = WinSCP 4.2.9
    "WinZip" = WinZip
    "WMV9_VCM" = Microsoft Windows Media Video 9 VCM

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 7/29/2011 10:23:56 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = WinVNC4 | ID = 1
    Description = SocketManager: unknown listener event: 0

    Error - 7/29/2011 10:24:55 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = WinVNC4 | ID = 1
    Description = SConnection: AuthFailureException: No password configured for VNC Auth

    Error - 7/29/2011 1:31:54 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = WinVNC4 | ID = 1
    Description = SocketManager: unknown listener event: 0

    Error - 8/11/2011 1:11:34 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Windows Search Service | ID = 3013
    Description =

    Error - 8/11/2011 1:23:41 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Windows Search Service | ID = 3013
    Description =

    Error - 8/11/2011 1:23:42 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Windows Search Service | ID = 3013
    Description =

    Error - 8/16/2011 1:39:36 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 7.0.6002.18005 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Problem Reports and Solutions control panel. Process
    ID: 2bb8 Start Time: 01cc5c1976fc844b Termination Time: 0

    Error - 9/2/2011 4:56:17 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = EventSystem | ID = 4609
    Description =

    Error - 9/15/2011 3:10:21 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = SescLU | ID = 13
    Description = LiveUpdate returned a non-critical error. Available content updates
    may have failed to install.

    Error - 9/24/2011 7:15:23 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = SescLU | ID = 13
    Description = LiveUpdate returned a non-critical error. Available content updates
    may have failed to install.

    [ OSession Events ]
    Error - 8/5/2008 10:58:34 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 22
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 9/10/2008 12:14:57 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
    12.0.6323.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1821
    seconds with 1260 seconds of active time. This session ended with a crash.

    Error - 9/10/2008 12:46:42 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
    12.0.6323.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 33
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 12/1/2009 4:02:28 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 21669
    seconds with 3600 seconds of active time. This session ended with a crash.

    Error - 3/24/2011 9:23:52 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 2916
    seconds with 180 seconds of active time. This session ended with a crash.

    Error - 3/28/2011 11:39:00 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 12770
    seconds with 2700 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 2/15/2012 4:08:54 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7000
    Description =

    Error - 2/15/2012 4:16:35 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7022
    Description =

    Error - 2/16/2012 9:13:43 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7009
    Description =

    Error - 2/16/2012 9:13:43 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7000
    Description =

    Error - 2/16/2012 9:39:09 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7009
    Description =

    Error - 2/16/2012 9:39:09 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7000
    Description =

    Error - 2/16/2012 10:14:57 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7034
    Description =

    Error - 2/16/2012 10:16:32 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7030
    Description =

    Error - 2/16/2012 10:22:31 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7030
    Description =

    Error - 2/16/2012 10:29:31 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7030
    Description =


    < End of report >
     
  15. UThant

    UThant TS Rookie Topic Starter Posts: 55

    How is the computer doing?

    Better than I am at this point. CPU usage is down to between 6 and 10% but memory is still around 56% and climbs occasionally. Still have one monster svchost.exe running around 69 Mb. Vista also could not log my profile on properly this morning after I shut the machine down for the night last night and logged me on with a temporary profile. I had to do a registry edit to restore the registry value for my normal profile in order to get it back and then still had to rebuild my Outlook ost file and settings. Quite the pain, if you know what I mean.
     
  16. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    That's normal. Vista handles RAM differently than the previous Windows versions.
    As long as CPU usage stays low you're fine.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
      O37 - HKU\.DEFAULT\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*
      O37 - HKU\S-1-5-18\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*
      [2012/01/09 16:21:14 | 000,008,660 | -HS- | C] () -- C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh
      @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E0258CAE
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ==================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ===================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  17. UThant

    UThant TS Rookie Topic Starter Posts: 55

    Four more logs

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.
    Registry key HKEY_USERS\.DEFAULT\Software\Classes\Jsk\ deleted successfully.
    HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
    Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.
    Registry key HKEY_USERS\S-1-5-18\Software\Classes\Jsk\ not found.
    HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
    C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh moved successfully.
    ADS C:\ProgramData\TEMP:E0258CAE deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\DisableMonitoring deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator

    User: All Users

    User: arg

    User: bjones

    User: bjones.HALEX

    User: bpi

    User: cstapleton

    User: Default

    User: Default User

    User: dwozniak

    User: mbassett

    User: mmasters

    User: Public

    User: stemple

    User: tdjackson

    User: TEMP

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: arg

    User: bjones

    User: bjones.HALEX

    User: bpi

    User: cstapleton

    User: Default

    User: Default User

    User: dwozniak

    User: mbassett

    User: mmasters

    User: Public

    User: stemple

    User: tdjackson

    User: TEMP

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: arg

    User: bjones

    User: bjones.HALEX

    User: bpi

    User: cstapleton

    User: Default

    User: Default User

    User: dwozniak

    User: mbassett

    User: mmasters

    User: Public

    User: stemple

    User: tdjackson

    User: TEMP

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.32.0 log created on 02162012_143607

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    Results of screen317's Security Check version 0.99.24
    Windows Vista Service Pack 2 x86 (UAC is disabled!)
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Symantec Endpoint Protection
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    CCleaner (remove only)
    Java(TM) 6 Update 31
    Java(TM) SE Runtime Environment 6
    Adobe Flash Player 11.1.102.55
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe is disabled!
    ``````````End of Log````````````
    Farbar Service Scanner Version: 14-02-2012
    Ran by dwozniak (administrator) on 16-02-2012 at 14:57:07
    Running from "C:\Users\dwozniak\Desktop"
    Microsoft® Windows Vista™ Business Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error: Google IP is offline
    Attempt to access Yahoo IP returend error: Yahoo IP is offline


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2009-11-11 13:02] - [2009-10-09 16:55] - 0584704 ____A (Microsoft Corporation) 0D4A07E5AC9998E4B251D603C96D4F20

    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
    C:\TDSSKiller_Quarantine\15.02.2012_08.04.27\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan
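The OTL fix in Broni's post above deletes three Security Center "DisableMonitoring" values, and the FSS log just posted shows both firewall profiles with EnableFirewall = 0. As an added example (not the thread's, OTL's or FSS's own code), the PowerShell script below audits those same registry locations plus the services behind them without changing anything; it assumes an elevated PowerShell on the affected host, and the service names are the standard Windows ones.

```powershell
# Added example, not from the thread, OTL or FSS: a read-only audit of the
# settings those tools touched above. It reads the Security Center
# "DisableMonitoring" values the OTL fix deleted, the firewall "EnableFirewall"
# values the FSS log showed as 0, and the state of the services behind them.
# Assumes an elevated PowerShell on the Windows host being checked; it changes
# nothing, so the output is safe to paste into a forum reply.

function Get-SecurityPostureFindings {
    $findings = @()

    # 1. Security Center monitoring. A non-zero DisableMonitoring under the
    #    Monitoring key (or one of its per-product subkeys, e.g. the Symantec
    #    ones seen in the thread) silences Security Center for that product.
    $scBase = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (Test-Path $scBase) {
        $keys = @(Get-Item $scBase) + @(Get-ChildItem $scBase -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            $v = (Get-ItemProperty -Path $k.PSPath -Name DisableMonitoring `
                      -ErrorAction SilentlyContinue).DisableMonitoring
            if ($null -ne $v) {
                $status = if ($v -ne 0) { 'SUPPRESSED' } else { 'ok' }
                $findings += New-Object PSObject -Property @{
                    Check    = 'SecurityCenter DisableMonitoring'
                    Location = ($k.PSPath -replace '^.*::', '')
                    Value    = $v
                    Status   = $status
                }
            }
        }
    }

    # 2. Windows Firewall per-profile switch. EnableFirewall = 0 is what the FSS
    #    log reported for DomainProfile and StandardProfile.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $p = Join-Path $fwBase $profile
        if (-not (Test-Path $p)) { continue }
        $v = (Get-ItemProperty -Path $p -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        $status = if ($null -eq $v) { 'not set (default on)' } elseif ($v -eq 0) { 'DISABLED' } else { 'ok' }
        $findings += New-Object PSObject -Property @{
            Check    = 'Firewall EnableFirewall'
            Location = $profile
            Value    = $v
            Status   = $status
        }
    }

    # 3. Services that back Security Center, the firewall and Windows Update.
    #    Start = 4 in the service's own registry key means the service is
    #    disabled and will not come back on reboot even if its DLL is intact.
    foreach ($svc in 'wscsvc', 'MpsSvc', 'BFE', 'wuauserv') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" `
                      -Name Start -ErrorAction SilentlyContinue).Start
        $state = if ($null -eq $s) { 'MISSING' } else { "$($s.Status)" }
        if ($start -eq 4) { $state += ' / DISABLED' }
        $findings += New-Object PSObject -Property @{
            Check    = 'Service'
            Location = $svc
            Value    = $start
            Status   = $state
        }
    }

    return $findings
}

# Anything marked SUPPRESSED, DISABLED or MISSING is worth a closer look.
Get-SecurityPostureFindings |
    Select-Object Check, Location, Value, Status |
    Sort-Object Check, Location |
    Format-Table -AutoSize
```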
     
  18. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Uninstall Java(TM) SE Runtime Environment 6 .

    ==============================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  19. UThant

    UThant TS Rookie Topic Starter Posts: 55

    Posting last OTL log for this thread, I hope

    OTL log is below. Broni, thanks very much for your work on this issue. You have been very professional and I appreciate your time and efforts on my behalf.
    Don Wozniak
    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: arg
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: bjones
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: bjones.HALEX
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: bpi
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: cstapleton
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: dwozniak
    ->Temp folder emptied: 53375 bytes
    ->Temporary Internet Files folder emptied: 48432732 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 9613 bytes

    User: mbassett
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: mmasters
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: stemple
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: tdjackson
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: TEMP
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 46.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: arg

    User: bjones

    User: bjones.HALEX
    ->Flash cache emptied: 0 bytes

    User: bpi

    User: cstapleton

    User: Default

    User: Default User

    User: dwozniak
    ->Flash cache emptied: 0 bytes

    User: mbassett

    User: mmasters
    ->Flash cache emptied: 0 bytes

    User: Public

    User: stemple

    User: tdjackson

    User: TEMP

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: arg

    User: bjones

    User: bjones.HALEX
    ->Java cache emptied: 0 bytes

    User: bpi

    User: cstapleton

    User: Default

    User: Default User

    User: dwozniak
    ->Java cache emptied: 0 bytes

    User: mbassett

    User: mmasters
    ->Java cache emptied: 0 bytes

    User: Public

    User: stemple

    User: tdjackson

    User: TEMP

    Total Java Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.32.0 log created on 02202012_074012

    Files\Folders moved on Reboot...
    C:\Users\dwozniak\AppData\Local\Temp\ExchangePerflog_8484fa316751ae68cfcccd43.dat moved successfully.
    File\Folder C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{86B22137-A1D7-4948-B774-0B5C5B4D2840}.tmp not found!
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AD4400E4-BBD9-484A-B09E-51597C84C5AE}.tmp moved successfully.
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E6040D79-7497-4AE5-A0DB-1B9A9BF89979}.tmp moved successfully.
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJXLSCGE\918[1].htm moved successfully.
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJXLSCGE\partner[1].htm moved successfully.
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W2ZTT7LL\partner[1].htm moved successfully.
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\712808C8\net[1].htm moved successfully.
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\712808C8\showthread[1].htm moved successfully.
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21K37DZN\partner[1].htm moved successfully.
    C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

    Registry entries deleted on Reboot...
     
  20. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Way to go!!
    Good luck and stay safe :)
     
