Solved ComboFix says I have rootkit

[esen]

My operating system is Windows Vista

I'm going to try my best to explain this. I was infected with malware earlier today. The "symptoms" were getting those obvious fake alerts from those deceiving programs like "Windows Security Suite". Having been infected by malware in the past, I already had Malwarebytes Anti-Malware installed on my computer so I booted it up in safe mode (even in safe mode I was getting those fake alerts) and after several scans I was able to successfully remove (or at least it told me it successfully removed) the infections. Now, almost all of those annoying pop-ups were successfully removed, but when I launch Windows normally, as my desktop is loading, I will get a pop-up located on my taskbar with the following message "Windows Explorer is requesting your permission" and when I click it I get the message "Windows needs your permission to continue". I would try to close it, but it would keep re-emerging. When I tried right-clicking to close it, it literally took my entire desktop (and all my icon shortcuts) away leaving me with no choice but to reboot the computer. I believe this "Windows Explorer" message is a virus, or at least the result of a virus. I ran MBAM several more times but that same pop-up still appears (It DOES NOT appear in safe mode, just normal mode). Keep in mind this pop up is the one that led the pack of fake alerts, leading me to believe it is malware as well.

I tried ComboFix, and after telling me "Access Denied", and that I needed to make an administrative command in order to get it to run, it appeared to run anyway (could the malware have compromised ComboFix?). I then got a message telling me I had a "rootkit.Zeroaccess" and that it inserted itself into my TCP/IP stack. (again, I don't know if this is TRULY ComboFix telling me this, OR the virus telling me this in order to misdirect me [FALSE POSITIVE?]) and that I needed to reboot my computer to try and remove it. I did that, but the pop-up STILL appears, and ran the ComboFix scan again but got the same results.

I know that's a lot to take in, and I hope you can follow what I wrote, as it can be quite confusing.

Any help appreciated.

Thanks.

 

[Broni]

Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

Never run Combofix on your own!

 

[esen]

MBAM - While I LOVE MBAM, it appears to be overlooking the main malware infection at hand, it DID however help eliminate a lot of those fake alerts.

Here is the MBAM log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.02

Windows Vista x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.6000.17037
Admin :: ERIC [administrator]

1/11/2012 12:24:19 AM
mbam-log-2012-01-11 (00-24-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 274194
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
__________________________________________

GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-11 01:46:32
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HTS54108 rev.MB4I
Running: btgr6lor.exe; Driver: C:\Users\KCDAdmin\AppData\Local\Temp\fxdyiuoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1236] USER32.dll!TrackPopupMenu 7601CFF8 5 Bytes JMP 6FCC69A2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1332] ntdll.dll!LdrLoadDll 7732EB00 5 Bytes JMP 0135131F C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197debaede
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197debaede@0023af4633f6 0xBA 0x8C 0x82 0xE3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197debc633
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197debcd93
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197debaede (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197debaede@0023af4633f6 0xBA 0x8C 0x82 0xE3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197debc633 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197debcd93 (not active ControlSet)

---- EOF - GMER 1.0.15 ----
_____________________________________________

DDS.txt log:

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_23
Run by Admin at 1:49:04 on 2012-01-11
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2038.1156 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:61737
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart board software\NotebookPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Akamai NetSession Interface] "c:\users\kcdadmin\appdata\local\akamai\netsession_win.exe"
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [IBMTBCTL] "c:\program files\thinkpad\tablet shortcut\IBMTBCTL.EXE" /r
mRun: [TSMResident] "c:\program files\thinkpad\tablet shortcut\TSMRESIDENT.EXE" /r
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\users\kcdadmin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\users\kcdadmin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~2.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart board software\SMARTBoardTools.exe
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{E6D21EA0-98F4-47F7-B3D8-D086B681A025} : DhcpNameServer = 10.0.0.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kcdadmin\appdata\roaming\mozilla\firefox\profiles\er0e4p5e.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61737
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-5 565248]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-11-8 22568]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2006-10-20 13744]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-11-2 22016]
S2 ASRSVC;ASR Service;c:\program files\thinkpad\tablet shortcut\asr\ASRSVC.exe [2007-12-20 73728]
S2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2009-4-25 443712]
S2 TabletSVC;TABLET Service;c:\program files\thinkpad\tablet shortcut\TSMService.exe [2007-12-20 53248]
S2 tp4serv;tp4serv;c:\program files\lenovo\trackpoint\tp4servinst.exe [2007-11-8 35616]
S2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-3-2 55936]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-7-10 569344]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
S3 STI2303X;SMART Board cable;c:\windows\system32\drivers\STI2303X.sys [2005-7-8 13440]
S3 tpflhlp;tpflhlp;c:\program files\lenovo\system update\session\7juj09us\tpflhlp.sys [2007-8-9 13360]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
.
=============== Created Last 30 ================
.
2012-01-10 21:20:55 -------- d-s---w- C:\ComboFix
2012-01-10 03:07:27 98816 ----a-w- c:\windows\sed.exe
2012-01-10 03:07:27 518144 ----a-w- c:\windows\SWREG.exe
2012-01-10 03:07:27 256000 ----a-w- c:\windows\PEV.exe
2012-01-10 03:07:27 208896 ----a-w- c:\windows\MBR.exe
.
==================== Find3M ====================
.
2011-12-13 18:29:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-14 04:00:50 66048 ----a-w- c:\windows\system32\drivers\smb.sys
.
============= FINISH: 1:54:43.15 ===============

________________________________________

Attach.txt log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume2
Install Date: 12/19/2007 1:11:38 PM
System Uptime: 1/10/2012 10:06:16 PM (3 hours ago)
.
Motherboard: LENOVO | | 6363G6U
Processor: Intel(R) Core(TM) Duo CPU L2400 @ 1.66GHz | None | 1662/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 69 GiB total, 18.949 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP599: 12/21/2011 9:04:09 PM - Scheduled Checkpoint
RP600: 12/22/2011 9:01:24 PM - Scheduled Checkpoint
RP601: 12/25/2011 11:38:45 PM - Scheduled Checkpoint
RP602: 12/31/2011 2:25:00 AM - Scheduled Checkpoint
RP603: 1/5/2012 12:01:32 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
.
AbiWord 2.8.6
Access Help
Ad-Aware 2007
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.3 Professional
Adobe Common File Installer
Adobe Flash Player 11 Plugin
Adobe Help Center 2.1
Adobe Photoshop CS
Adobe Photoshop Elements 5.0
Adobe Premiere Elements 3.0.2
Adobe Shockwave Player 11.5
Akamai NetSession Interface
Akamai NetSession Interface Service
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Bonjour
Business Contact Manager for Outlook 2007 SP2
Client Security Solution
Compatibility Pack for the 2007 Office system
Diskeeper Home
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
eMusic Download Manager 3.0
ffdshow [rev 3299] [2010-03-03]
FirstClass® Client
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
Google Earth
GradeQuick
Help Center
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
InterVideo VirtualDrive
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 23
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
Lenovo System Interface Driver
Maintenance Manager
Malwarebytes Anti-Malware version 1.60.0.1800
McAfee Security Scan Plus
Message Center
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2003 Web Components
Microsoft Office Small Business Connectivity Components
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mobile Broadband Generic Drivers
Mozilla Firefox (3.6.25)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NirSoft BlueScreenView
Norton Security Scan
On Screen Display
OpenOffice.org 3.2
PC-Doctor 5 for Windows
Pharos
Picasa 3
Presentation Director
Productivity Center Supplement for ThinkPad
QuickTime
Real Alternative 1.9.0
Registry patch for Windows Vista USB S3 PM Enablement
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
Rescue and Recovery
Rosetta Stone Ltd Services
Security Update for CAPICOM (KB931906)
SMART Board Software
SoundMAX
Spybot - Search & Destroy 1.4
System Migration Assistant
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software 6.0.1.4900
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Mobility Center Customization
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad Tablet Button Driver
ThinkPad Tablet Shortcut Menu
ThinkPad TrackPoint Driver
Thinkpad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
Thinkpad Wireless LAN Adapters Software (11a/b/g/n)
ThinkVantage Access Connections
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Verizon Wireless USB760 Firmware Updates
VitalSource Bookshelf
VZAccess Manager
Wallpapers
Windows Driver Package - Intel (e1express) Net (11/16/2006 9.6.31.0)
Windows Driver Package - Intel hdc (09/15/2006 8.2.0.1008)
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
Windows Driver Package - Intel System (09/15/2006 7.0.0.1020)
Windows Driver Package - Intel System (09/15/2006 8.2.0.1008)
Windows Driver Package - Intel USB (09/13/2006 8.2.0.1008)
Windows Driver Package - Lenovo (IBMPMDRV) System (11/01/2006 1.41)
Windows Live Toolbar
Windows Media Player Firefox Plugin
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
1/9/2012 9:36:18 PM, Error: EventLog [6008] - The previous system shutdown at 9:34:33 PM on 1/9/2012 was unexpected.
1/9/2012 9:22:41 PM, Error: EventLog [6008] - The previous system shutdown at 9:20:44 PM on 1/9/2012 was unexpected.
1/9/2012 7:58:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom lenovo.smi spldr TPPWRIF Wanarpv6
1/9/2012 7:58:24 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
1/9/2012 7:57:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/9/2012 7:57:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/9/2012 7:57:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/9/2012 7:57:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/9/2012 7:57:04 PM, Error: EventLog [6008] - The previous system shutdown at 7:55:14 PM on 1/9/2012 was unexpected.
1/9/2012 10:30:48 PM, Error: EventLog [6008] - The previous system shutdown at 10:28:42 PM on 1/9/2012 was unexpected.
1/9/2012 10:10:38 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
1/9/2012 1:44:17 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
1/7/2012 1:40:48 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
1/7/2012 1:40:48 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/7/2012 1:39:10 AM, Error: EventLog [6008] - The previous system shutdown at 1:38:02 AM on 1/7/2012 was unexpected.
1/4/2012 4:29:49 PM, Error: Service Control Manager [7000] - The McAfee Security Scan Component Host Service service failed to start due to the following error: Access is denied.
1/4/2012 4:29:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "5" attempting to start the service McComponentHostService with arguments "" in order to run the server: {CC6F4D12-8575-4CFF-9455-CF5774AEB13B}
1/4/2012 10:00:32 PM, Error: Microsoft-Windows-TBS [516] - An error occurred while communicating with the TPM. The driver returned 0x8007001f.
1/10/2012 9:50:00 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
1/10/2012 9:46:23 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Volume Shadow Copy service to connect.
1/10/2012 9:46:23 PM, Error: Service Control Manager [7000] - The Volume Shadow Copy service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/10/2012 9:46:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
1/10/2012 9:23:58 PM, Error: EventLog [6008] - The previous system shutdown at 9:05:34 PM on 1/10/2012 was unexpected.
1/10/2012 8:07:57 PM, Error: EventLog [6008] - The previous system shutdown at 4:46:21 PM on 1/10/2012 was unexpected.
1/10/2012 4:29:29 PM, Error: EventLog [6008] - The previous system shutdown at 4:28:11 PM on 1/10/2012 was unexpected.
1/10/2012 3:40:02 PM, Error: EventLog [6008] - The previous system shutdown at 12:45:22 PM on 1/10/2012 was unexpected.
1/10/2012 11:55:31 AM, Error: EventLog [6008] - The previous system shutdown at 2:46:19 AM on 1/10/2012 was unexpected.
1/10/2012 10:07:02 PM, Error: EventLog [6008] - The previous system shutdown at 10:05:50 PM on 1/10/2012 was unexpected.
.
==== End Of File ===========================

 

[Broni]

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=============================================================

Download Bootkit Remover to your Desktop.

• Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

 

[esen]

Broni,

I followed your directions for downloading aswMBR, clicked "scan" and it gave me this:

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-11 12:00:40
-----------------------------
12:00:40.280 OS Version: Windows 6.0.6000
12:00:40.280 Number of processors: 2 586 0xE0C
12:00:40.281 ComputerName: ERICS UserName: Admin
12:00:45.894 Initialze error C000010E - driver not loaded
12:03:53.002 Scan error: Incorrect function.
12:05:11.665 The log file has been saved successfully to "C:\Users\KCDAdmin\Desktop\aswMBR.log.error.txt"

___________________________________

Here is what I got out of Bootkit Remover:

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Business Edition (build 6000), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`66400000
Boot sector MD5 is: a615252be0f45bb3c4efaf8c9247dffc

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[esen]

Broni,

I downloaded the new version of ComboFix from the link you provided, but it gave me the same message I stated in my initial post (ComboFix has detected rootkit; inserted itself into my tcp/ip stack), and also ("Rootkit !!"). I don't know for sure, but maybe the malware has compromised the ComboFix file? Keep in mind before it even started scanning, it even said "Access Denied", and that it "needed the administrator's command to complete the task" (or something along those lines). Yet, it went on to "scan", and after about a minute, that "Rootkit activity has been detected" message pops up, forcing my computer to reboot itself. That doesn't seem to cure it, though. Nevertheless, the malware is still there. I have no idea where the damn thing manifested itself.

That said, should I just skip to rkill? Or does this mean I need to pursue with something else?

Thanks again.

 

[Broni]

forcing my computer to reboot itself

...and what happened next?

 

[esen]

Well, it rebooted itself, and that "Windows Explorer is requesting your permission" pop-up is still blinking on my taskbar (in normal mode). The pop-up does not appear in safe mode, which by the way, is the mode in which I've been following your instructions (I can't really even operate in normal mode - everything is slow, and my Firefox won't even open).

No log was produced, it just reboots itself as if nothing happened.

________

On a somewhat unrelated note, let me tell you about something else that is happening with my computer.

In safe mode: I can't perform a "Save As" when I'm on Microsoft Open Office.

In normal mode: When I open Open Office, it runs very slow, then freezes for a moment (off and on), and then something strange happened. A new "box" appeared on my taskbar with the Open Office logo next to it and it read "bilmmhinoijpa". I couldn't really even click on it at this point because my computer was going way too slow and kept freezing and not responding. I have no idea what that word means, and a Google search isn't finding anything on it. Weird stuff.

 

[Broni]

Run Combofix from safe mode.
Run rKill first.
...and be patient.
When Combofix finds a rootkit it may take a while.

 

[esen]

I have been running ComboFix in safe mode. I wish I could take a video of what it keeps doing.

I just ran rkill. It did its thing, which only seemed to have lasted about 40 seconds.

Here is the log produced from rkill:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/11/2012 at 18:28:03.
Operating System: Windows Vista (TM) Business


Processes terminated by Rkill or while it was running:



Rkill completed on 01/11/2012 at 18:28:06.

 

[Broni]

Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.

 

[esen]

ListParts log:

ListParts by Farbar
Ran by Admin on 11-01-2012 at 20:32:25
Windows Vista (X86)
Running From: C:\Users\KCDAdmin\Downloads
************************************************************

========================= Memory info ======================

Percentage of memory in use: 24%
Total physical RAM: 2037.81 MB
Available physical RAM: 1544.57 MB
Total Pagefile: 4308.9 MB
Available Pagefile: 3969.22 MB
Total Virtual: 2047.88 MB
Available Virtual: 1995.59 MB

======================= Partitions =========================

1 Drive c: (SW_Preload) (Fixed) (Total:68.93 GB) (Free:18.48 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 1081 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 5731 MB 1024 KB
Partition 2 Primary 69 GB 5732 MB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C SW_Preload NTFS Partition 69 GB Healthy System (partition with boot components)



****** End Of Log ******

 

[Broni]

Looks good.

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Scan All Users checkbox.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[esen]

OTL.txt:

OTL logfile created on: 1/11/2012 9:12:58 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\KCDAdmin\Downloads
Windows Vista Business Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 79.31% Memory free
4.21 Gb Paging File | 3.94 Gb Available in Paging File | 93.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68.93 Gb Total Space | 18.48 Gb Free Space | 26.81% Space Free | Partition Type: NTFS

Computer Name: ERICS | User Name: Admin | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/11 21:10:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\KCDAdmin\Downloads\OTL.exe
PRC - [2009/03/14 02:20:50 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/06/13 08:19:53 | 000,565,248 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - [2011/12/14 16:40:39 | 003,316,000 | ---- | M] () [Auto | Stopped] -- c:\program files\common files\akamai/netsession_win_b427739.dll -- (Akamai)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/04/25 19:45:34 | 000,443,712 | ---- | M] (Rosetta Stone Ltd.) [Auto | Stopped] -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2008/05/16 22:12:54 | 000,290,816 | ---- | M] (Pharos Systems International) [Auto | Stopped] -- C:\Program Files\PharosSystems\Core\CTskMstr.exe -- (Pharos Systems ComTaskMaster)
SRV - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/07 04:23:02 | 000,013,312 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2007/11/08 10:56:46 | 000,035,616 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\TrackPoint\tp4servinst.exe -- (tp4serv)
SRV - [2007/07/10 14:56:04 | 000,569,344 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2007/07/10 14:37:38 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/07/05 15:48:54 | 000,206,120 | ---- | M] (Lenovo) [Auto | Stopped] -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc)
SRV - [2007/07/05 15:48:50 | 000,091,432 | ---- | M] (Lenovo) [Auto | Stopped] -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
SRV - [2007/06/13 08:19:53 | 000,565,248 | ---- | M] (Lavasoft AB) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2007/06/13 02:29:47 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/03/02 14:07:28 | 000,055,936 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2006/12/22 06:31:50 | 000,108,712 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)
SRV - [2006/12/13 23:46:08 | 000,045,056 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe -- (tvtnetwk)
SRV - [2006/11/20 00:14:14 | 000,108,080 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Windows\System32\IPSSVC.EXE -- (IPSSVC)
SRV - [2006/11/15 18:20:46 | 000,634,988 | ---- | M] (Diskeeper Corporation) [Auto | Stopped] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/11/02 04:46:13 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2006/11/02 04:46:12 | 000,167,424 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2005/10/20 04:22:34 | 000,880,640 | ---- | M] (SMART Technologies Inc.) [Auto | Stopped] -- C:\Program Files\SMART Board Software\SMARTBoardService.exe -- (SMART Board Service)


========== Driver Services (SafeList) ==========

DRV - [2009/12/18 12:13:02 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2009/12/18 12:13:00 | 000,230,912 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/03/05 18:43:32 | 000,223,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/12/20 11:44:16 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\psadd.sys -- (psadd)
DRV - [2007/10/17 19:58:16 | 000,758,784 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/09/25 02:08:00 | 000,012,080 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\System32\drivers\TPPWR32V.SYS -- (TPPWRIF)
DRV - [2007/08/09 18:33:14 | 000,013,360 | ---- | M] (Lenovo Group Limited) [Kernel | On_Demand | Stopped] -- C:\Program Files\Lenovo\System Update\session\7juj09us\tpflhlp.sys -- (tpflhlp)
DRV - [2007/05/22 14:59:38 | 000,030,336 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2006/11/28 15:44:00 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/06 03:24:56 | 000,012,080 | ---- | M] (Lenovo Group Limited) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\PROCDD.SYS -- (PROCDD)
DRV - [2006/11/02 04:50:17 | 000,041,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2006/11/02 02:30:54 | 001,781,760 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2006/08/30 05:04:04 | 000,013,744 | ---- | M] (Lenovo Group Limited) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2005/07/08 15:11:32 | 000,013,440 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\STI2303X.sys -- (STI2303X)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 90 BA 34 06 F3 EB 25 42 99 57 49 A0 F9 AC 58 97 [binary data]
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 90 BA 34 06 F3 EB 25 42 99 57 49 A0 F9 AC 58 97 [binary data]
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 90 BA 34 06 F3 EB 25 42 99 57 49 A0 F9 AC 58 97 [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 90 BA 34 06 F3 EB 25 42 99 57 49 A0 F9 AC 58 97 [binary data]

IE - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 90 BA 34 06 F3 EB 25 42 99 57 49 A0 F9 AC 58 97 [binary data]
IE - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61737

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 61737
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/29 18:43:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/29 18:43:13 | 000,000,000 | ---D | M]

[2011/06/01 13:20:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Extensions
[2012/01/10 22:53:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Firefox\Profiles\er0e4p5e.default\extensions
[2011/06/01 18:59:52 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Firefox\Profiles\er0e4p5e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/10 22:53:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/02 01:24:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/11 13:19:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/11 17:54:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (CIEDownload Object) - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll (SMART Technologies Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (CPwmIEBrowserHelper Object) - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - c:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (Lenovo)
O4 - HKLM..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo)
O4 - HKLM..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BTVLOGEX.DLL ()
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-18..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-21-617106367-3599637792-3033426161-1003..\Run: [Akamai NetSession Interface] C:\Users\KCDAdmin\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKLM..\RunOnce: [GrpConv] C:\Windows\System32\grpconv.exe (Microsoft Corporation)
O4 - Startup: C:\Users\eric.senler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = File not found
O4 - Startup: C:\Users\KCDAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = File not found
O4 - Startup: C:\Users\KCDAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-617106367-3599637792-3033426161-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Windows Live Search - c:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - c:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E6D21EA0-98F4-47F7-B3D8-D086B681A025}: DhcpNameServer = 10.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xoq.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xoq.exe" -a "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()
Drivers32: vidc.tscc - C:\Windows\System32\tsccvid.dll (TechSmith Corporation)
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2012/01/11 17:21:45 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/01/11 12:13:44 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Users\KCDAdmin\Desktop\boot_cleaner.exe
[2012/01/09 22:07:27 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/09 22:07:27 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/09 22:07:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2012/01/09 22:07:27 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/01/09 19:55:20 | 000,366,080 | ---- | C] (Корпорация Майкрософт) -- C:\Users\KCDAdmin\Documents\4BV87ne7.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/11 17:25:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/11 17:10:17 | 000,025,269 | ---- | M] () -- C:\Windows\System32\PROCDB.INI
[2012/01/11 17:10:16 | 000,000,002 | ---- | M] () -- C:\Windows\System32\IPSCtrl.INI
[2012/01/11 17:10:14 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 17:10:14 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 13:18:24 | 000,003,853 | ---- | M] () -- C:\Users\KCDAdmin\Desktop\ENG101.Course.Description.Notes.abw
[2012/01/11 13:08:29 | 000,000,256 | ---- | M] () -- C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
[2012/01/10 21:36:27 | 000,000,916 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/10 00:18:58 | 000,000,836 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/01/09 21:20:49 | 000,011,722 | -HS- | M] () -- C:\Users\KCDAdmin\AppData\Local\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
[2012/01/09 21:20:49 | 000,011,722 | -HS- | M] () -- C:\ProgramData\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
[2012/01/09 19:55:20 | 000,366,080 | ---- | M] (Корпорация Майкрософт) -- C:\Users\KCDAdmin\Documents\4BV87ne7.exe
[2012/01/08 17:25:51 | 000,000,570 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for eric.senler.job
[2012/01/07 01:37:39 | 000,103,329 | ---- | M] () -- C:\Users\KCDAdmin\Desktop\KYSTS.Directions.jpg
[2011/12/19 19:27:30 | 000,010,372 | -HS- | M] () -- C:\Users\KCDAdmin\AppData\Local\2upg2v81fl1rft62764lpa4sr108ul5d0ie34
[2011/12/19 19:27:30 | 000,010,372 | -HS- | M] () -- C:\ProgramData\2upg2v81fl1rft62764lpa4sr108ul5d0ie34
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/11 13:18:24 | 000,003,853 | ---- | C] () -- C:\Users\KCDAdmin\Desktop\ENG101.Course.Description.Notes.abw
[2012/01/10 21:36:27 | 000,000,916 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/09 22:07:27 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/09 22:07:27 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/09 22:07:27 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/09 22:07:27 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/09 22:07:27 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/09 19:55:09 | 000,011,722 | -HS- | C] () -- C:\Users\KCDAdmin\AppData\Local\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
[2012/01/09 19:55:09 | 000,011,722 | -HS- | C] () -- C:\ProgramData\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
[2012/01/07 01:37:39 | 000,103,329 | ---- | C] () -- C:\Users\KCDAdmin\Desktop\KYSTS.Directions.jpg
[2011/12/19 19:23:08 | 000,010,372 | -HS- | C] () -- C:\Users\KCDAdmin\AppData\Local\2upg2v81fl1rft62764lpa4sr108ul5d0ie34
[2011/12/19 19:23:08 | 000,010,372 | -HS- | C] () -- C:\ProgramData\2upg2v81fl1rft62764lpa4sr108ul5d0ie34
[2011/10/20 02:05:27 | 000,003,584 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/09 14:30:05 | 000,000,037 | ---- | C] () -- C:\ProgramData\4a2cfcd
[2011/07/08 21:11:45 | 000,002,736 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Roaming\0E4A.FA4
[2011/06/21 16:44:25 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/06/21 16:42:14 | 000,012,680 | -HS- | C] () -- C:\ProgramData\3035257540
[2011/06/21 16:42:14 | 000,012,680 | -HS- | C] () -- C:\Users\KCDAdmin\AppData\Local\1rd751e8e473gr158v
[2011/06/21 16:30:43 | 000,012,672 | -HS- | C] () -- C:\ProgramData\1rd751e8e473gr158v
[2011/05/03 00:07:39 | 000,010,868 | -HS- | C] () -- C:\ProgramData\1nt4rmyke13d7t8mp831282g0
[2010/04/06 19:32:30 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/02/20 21:05:44 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/02/20 21:03:24 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/02/11 18:34:48 | 002,215,364 | ---- | C] () -- C:\Windows\System32\igklg400.bin
[2008/02/11 18:34:48 | 001,971,732 | ---- | C] () -- C:\Windows\System32\igklg450.bin
[2008/02/11 18:34:48 | 000,029,932 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.bin
[2008/02/08 15:04:04 | 000,002,528 | ---- | C] () -- C:\Windows\FCIC.INI
[2007/09/13 15:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/06/13 19:26:16 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/06/13 09:24:25 | 000,000,008 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2007/06/13 02:38:44 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2007/06/12 21:39:35 | 000,001,356 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Local\d3d9caps.dat
[2007/06/05 13:10:20 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2007/06/05 13:01:18 | 000,012,080 | ---- | C] () -- C:\Windows\System32\drivers\TPPWR32V.SYS
[2007/06/05 12:59:38 | 000,106,496 | ---- | C] () -- C:\Windows\stkbtnpn.dll
[2007/06/05 12:41:50 | 000,000,836 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2007/04/13 14:19:52 | 000,007,680 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2007/03/29 12:42:38 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2007/01/31 17:03:26 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1187.dll
[2006/12/14 13:14:16 | 000,025,269 | ---- | C] () -- C:\Windows\System32\PROCDB.INI
[2006/12/14 13:14:10 | 000,000,002 | ---- | C] () -- C:\Windows\System32\IPSCtrl.INI
[2006/12/07 09:57:31 | 000,005,788 | ---- | C] () -- C:\Windows\System32\tp4table.dat
[2006/11/10 09:10:49 | 001,490,999 | ---- | C] () -- C:\Windows\System32\tkbtnpn1.dll
[2006/11/02 07:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:43 | 000,411,544 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:36:36 | 000,063,488 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,120,962 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:33:01 | 000,000,000 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 02:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 02:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/09/05 13:20:36 | 000,079,400 | ---- | C] () -- C:\Windows\System32\DEVMAN.DLL
[2004/09/01 06:42:44 | 000,257,536 | ---- | C] () -- C:\Windows\System32\BiImg.dll
[2004/09/01 06:42:44 | 000,257,536 | ---- | C] () -- C:\Windows\BiImg.dll
[2004/09/01 06:42:44 | 000,110,592 | ---- | C] () -- C:\Windows\System32\JPeg32.dll
[2004/09/01 06:42:44 | 000,110,592 | ---- | C] () -- C:\Windows\JPeg32.dll
[2004/09/01 06:42:44 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BiEResNT.dll
[2004/09/01 06:42:44 | 000,073,728 | ---- | C] () -- C:\Windows\System32\Bic_Res.dll
[2004/09/01 06:42:44 | 000,053,248 | ---- | C] () -- C:\Windows\System32\BiEAppNT.exe
[2004/09/01 06:42:44 | 000,000,002 | ---- | C] () -- C:\Windows\bi_group.ini
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2007/06/13 12:44:38 | 000,000,000 | ---D | M] -- C:\Users\alex.fallon\AppData\Roaming\Lenovo
[2010/05/04 08:33:09 | 000,000,000 | ---D | M] -- C:\Users\chris.kessler\AppData\Roaming\Lenovo
[2007/06/13 10:57:15 | 000,000,000 | ---D | M] -- C:\Users\doug.friedman\AppData\Roaming\Lenovo
[2008/01/10 14:23:08 | 000,000,000 | ---D | M] -- C:\Users\eric.senler\AppData\Roaming\Lenovo
[2008/06/20 00:06:48 | 000,000,000 | ---D | M] -- C:\Users\eric.senler\AppData\Roaming\LimeWire
[2009/09/09 17:01:04 | 000,000,000 | ---D | M] -- C:\Users\eric.senler\AppData\Roaming\SMART Technologies Inc
[2011/09/06 09:50:08 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\enchant
[2007/06/12 21:49:26 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\Leadertech
[2007/06/12 21:49:54 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\Lenovo
[2011/09/20 10:48:40 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\OpenOffice.org
[2011/06/02 10:29:30 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\SMART Technologies Inc
[2007/12/19 15:42:46 | 000,000,000 | ---D | M] -- C:\Users\roger.basham\AppData\Roaming\Lenovo
[2007/06/13 09:30:36 | 000,000,000 | ---D | M] -- C:\Users\tom.james\AppData\Roaming\Lenovo
[2012/01/11 13:08:29 | 000,000,256 | ---- | M] () -- C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
[2012/01/10 00:19:00 | 000,032,554 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2006/11/02 04:53:57 | 000,438,840 | RHS- | M] () -- C:\bootmgr
[2006/11/09 18:32:55 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/06/05 12:51:05 | 000,002,128 | ---- | M] () -- C:\drivez.log
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 07:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 07:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2007/11/07 07:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2007/11/07 07:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe
[2007/11/07 07:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/11/07 07:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 07:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 07:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 07:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 07:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 07:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 07:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 07:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 07:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2008/01/22 14:14:07 | 000,001,652 | ---- | M] () -- C:\Job Monitor.lnk
[2012/01/11 17:24:38 | 2451,374,080 | -HS- | M] () -- C:\pagefile.sys
[2012/01/11 18:28:06 | 000,000,366 | ---- | M] () -- C:\rkill.log
[2007/06/05 12:35:46 | 000,000,053 | ---- | M] () -- C:\syslevel.lgl
[2011/06/22 09:28:41 | 000,000,412 | ---- | M] () -- C:\TDSSKiller.2.5.4.0_22.06.2011_10.28.27_log.txt
[2011/06/22 09:29:56 | 000,067,724 | ---- | M] () -- C:\TDSSKiller.2.5.5.0_22.06.2011_10.29.25_log.txt
[2012/01/09 21:46:26 | 000,079,158 | ---- | M] () -- C:\TDSSKiller.2.6.25.0_09.01.2012_21.44.30_log.txt
[2011/10/13 22:59:41 | 000,079,686 | ---- | M] () -- C:\TDSSKiller.2.6.8.0_13.10.2011_23.58.20_log.txt
[2012/01/10 22:28:31 | 000,153,998 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_10.01.2012_22.27.37_log.txt
[2007/06/05 13:52:37 | 000,001,732 | ---- | M] () -- C:\tvtpktfilter.dat
[2007/11/07 07:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 07:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/11/07 07:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

< %systemroot%\Fonts\*.com >
[2006/11/02 07:37:19 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:37:19 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:19 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 07:37:19 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 16:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/11/02 04:46:04 | 000,032,768 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Windows\system32\spool\prtprocs\w32x86\EP0NPP01.DLL
[2006/11/02 07:36:30 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2009/03/14 12:33:50 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2011/06/17 21:48:30 | 000,000,286 | -HS- | M] () -- C:\Users\KCDAdmin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2011/09/20 03:02:40 | 000,083,968 | ---- | M] (Esage Lab) -- C:\Users\KCDAdmin\Desktop\boot_cleaner.exe
[2007/06/12 11:17:26 | 002,080,768 | ---- | M] (KCP Technologies) -- C:\Users\KCDAdmin\Desktop\GSP 4.06.exe
[2010/09/02 01:13:41 | 155,184,736 | ---- | M] () -- C:\Users\KCDAdmin\Desktop\OOo_3.2.1_Win_x86_install-wJRE_en-US.exe
[2007/01/24 17:22:14 | 000,594,432 | ---- | M] () -- C:\Users\KCDAdmin\Desktop\zsnesw.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2006/11/02 07:36:17 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2011/06/01 13:13:22 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
[2011/06/01 13:13:22 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
[2011/01/04 08:01:15 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
[2011/01/04 08:01:15 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2007/06/12 21:47:19 | 000,000,402 | -HS- | M] () -- C:\Users\KCDAdmin\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2011/05/03 07:49:46 | 000,010,868 | -HS- | M] () -- C:\ProgramData\1nt4rmyke13d7t8mp831282g0
[2011/06/21 16:33:43 | 000,012,672 | -HS- | M] () -- C:\ProgramData\1rd751e8e473gr158v
[2011/12/19 19:27:30 | 000,010,372 | -HS- | M] () -- C:\ProgramData\2upg2v81fl1rft62764lpa4sr108ul5d0ie34
[2011/06/21 16:43:20 | 000,012,680 | -HS- | M] () -- C:\ProgramData\3035257540
[2011/07/10 00:56:52 | 000,000,037 | ---- | M] () -- C:\ProgramData\4a2cfcd
[2012/01/09 21:20:49 | 000,011,722 | -HS- | M] () -- C:\ProgramData\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
[2011/06/01 11:26:50 | 000,000,008 | RHS- | M] () -- C:\ProgramData\ntuser.pol

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMPFC5A2B2

< End of report >

 

[esen]

Extras.txt:

OTL Extras logfile created on: 1/11/2012 9:12:58 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\KCDAdmin\Downloads
Windows Vista Business Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 79.31% Memory free
4.21 Gb Paging File | 3.94 Gb Available in Paging File | 93.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68.93 Gb Total Space | 18.48 Gb Free Space | 26.81% Space Free | Partition Type: NTFS

Computer Name: ERICS | User Name: Admin | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xoq.exe" -a "%1" %*

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xoq.exe" -a "%1" %*

[HKEY_USERS\S-1-5-21-617106367-3599637792-3033426161-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{013D2DBF-7B1E-4D51-B48C-E176ECC61FA2}" = lport=137 | protocol=17 | dir=in | app=system |
"{1BCD3377-3EE2-4F09-B9B6-78B8F94C098B}" = rport=445 | protocol=6 | dir=out | app=system |
"{22F1F147-9D1C-4D51-9A10-B65B7B553560}" = lport=138 | protocol=17 | dir=in | app=system |
"{5442C904-9A15-4798-89CE-8D09F4FBB8C3}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{60B16CBC-4823-41E3-9596-66AE74E408FF}" = rport=139 | protocol=6 | dir=out | app=system |
"{633B2367-8751-4A7A-9296-221E9F1095BB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{68646C91-FF06-4E9A-88B7-B72B14D4D519}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{87020A12-0999-4947-B294-4DBFF1C66698}" = rport=137 | protocol=17 | dir=out | app=system |
"{9BF65267-4AD1-4AEE-AF65-CFF559F7CE5F}" = lport=139 | protocol=6 | dir=in | app=system |
"{A695E97D-7212-464A-A5E6-B53A144F2BB2}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{A87BDB79-28F9-4BD4-9E41-AB56B3C70E27}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{C4111110-A6A2-4E74-82D7-F01F80331D1D}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{D8D70F21-3041-489B-A9D4-037E4AB15290}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{E2B1085C-E595-42EE-AA8D-3E54033F47A4}" = lport=445 | protocol=6 | dir=in | app=system |
"{F250328D-D310-4D5C-95CF-F440A82CD808}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{F67971BB-BA91-4086-9510-6C0D6898350F}" = rport=138 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{034334CA-D93C-4829-BCA9-1CB476519E0C}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{06F60179-D58C-4A5D-AFBC-017C64E4F7A0}" = protocol=6 | dir=out | app=c:\program files\rosettastoneltdservices\rosettastonedaemon.exe |
"{0E887CC5-18CF-4C81-9E97-0D37B8FABEBE}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{2A20D316-180F-4EF9-805C-224E0720992D}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{40AACE6D-6998-4D2D-88A2-9313D4C76155}" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{483A6EEC-09C9-4EAD-979F-4E53FC8FF415}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{4929F04E-3341-4188-8678-0ECF24D35661}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{59840E46-997C-4D99-8849-1B7D1816E9C4}" = dir=in | app=c:\windows\system32\ir50_3232.exe |
"{62AF14B6-8A62-4384-B067-1A6D9464F49D}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{7415661A-D094-46E6-B96D-18BD945696F1}" = dir=in | app=c:\program files\pharossystems\core\ctskmstr.exe |
"{7F47FD49-AA89-48DB-BA43-F6D16472BCA1}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{88B3CB77-A495-4EBE-A297-C9524C675CBC}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{8F94271B-37A8-4C3D-A7B0-539EF0942060}" = dir=in | app=c:\windows\system32\ir50_3232.exe |
"{9A6E4A6A-1F22-4424-BC5A-6B25B9EC12E0}" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{A44BF7A5-00F1-4257-93C1-090D0FFAC576}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{CC5768C6-C936-4021-8501-9595BD7BFF25}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{D29B8DE6-7B5B-4543-A3A8-27DE2FFF4398}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{D4D733AE-2AAD-4DEF-8C0D-FED74A046117}" = dir=in | app=c:\program files\rosettastoneltdservices\rosettastonedaemon.exe |
"{D6E1119C-530E-495C-9148-B8E64590FB24}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E8E2D01E-E63E-4169-A420-640FA2E1DB3B}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{EAD65EDE-2D1A-4E29-AE74-7EAF6B0EF8F3}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{F3542B78-55F0-41CA-BC17-77F1CF11AF5D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{FE5DC7F0-7D9B-421E-B38A-269F015C2FC6}" = dir=in | app=c:\windows\system32\ir50_3232.exe |
"TCP Query User{12BCF33D-DF38-4745-AA39-223EA28E3012}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{409CD7F2-45B4-485A-A0F0-D3E236B412B3}C:\windows\system32\rundll32.exe" = protocol=6 | dir=in | app=c:\windows\system32\rundll32.exe |
"TCP Query User{5E997051-F4E3-49B8-9FCC-B1F4F338D917}C:\program files\grisoft\avg7\avgcc.exe" = protocol=6 | dir=in | app=c:\program files\grisoft\avg7\avgcc.exe |
"TCP Query User{708A66FC-CDE1-4812-B29A-4EF3B52A480D}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{7FE531E3-A6F5-439C-BBCC-05167F92ECDA}C:\program files\grisoft\avg7\avgcc.exe" = protocol=6 | dir=in | app=c:\program files\grisoft\avg7\avgcc.exe |
"TCP Query User{95F5F4B4-FEE2-490C-9CD0-D974D251260A}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"TCP Query User{BB08F0CC-C0C9-4615-A6A8-EFB79B41DFCA}C:\program files\grisoft\avg7\avgcc.exe" = protocol=6 | dir=in | app=c:\program files\grisoft\avg7\avgcc.exe |
"TCP Query User{CB6FF222-0138-450E-B6F6-7623A0E21C67}C:\users\eric.senler\appdata\local\temp\rar$ex00.165\eclipse\eclipse.exe" = protocol=6 | dir=in | app=c:\users\eric.senler\appdata\local\temp\rar$ex00.165\eclipse\eclipse.exe |
"TCP Query User{CD4353F5-B6AB-4436-A299-ADD427DD5C90}C:\users\kcdadmin\documents\firstclass\fcspra.exe" = protocol=6 | dir=in | app=c:\users\kcdadmin\documents\firstclass\fcspra.exe |
"TCP Query User{DA56BE00-5C3A-4E0D-AC4E-8625DDD68BEA}C:\users\kcdadmin\appdata\local\akamai\netsession_win.exe" = protocol=6 | dir=in | app=c:\users\kcdadmin\appdata\local\akamai\netsession_win.exe |
"UDP Query User{095BFAC6-AF32-40CF-A1AA-C61FE65653B1}C:\windows\system32\rundll32.exe" = protocol=17 | dir=in | app=c:\windows\system32\rundll32.exe |
"UDP Query User{1CB4074F-E742-427B-B75D-83D10A6F0C25}C:\program files\grisoft\avg7\avgcc.exe" = protocol=17 | dir=in | app=c:\program files\grisoft\avg7\avgcc.exe |
"UDP Query User{2A07B76C-9071-42D8-8C79-693CED8C734E}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{3C174153-11AA-48B6-B735-7DA24210E0AE}C:\users\kcdadmin\appdata\local\akamai\netsession_win.exe" = protocol=17 | dir=in | app=c:\users\kcdadmin\appdata\local\akamai\netsession_win.exe |
"UDP Query User{8E14E7AA-0EBC-4843-95AE-01B9B377BDA5}C:\program files\grisoft\avg7\avgcc.exe" = protocol=17 | dir=in | app=c:\program files\grisoft\avg7\avgcc.exe |
"UDP Query User{94ABB8CB-3FAE-4586-A91A-F411BD7BC723}C:\program files\grisoft\avg7\avgcc.exe" = protocol=17 | dir=in | app=c:\program files\grisoft\avg7\avgcc.exe |
"UDP Query User{9A10A592-E821-4A20-B110-0C28F47ABE3A}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{B82870F9-0D50-4010-976E-3A9B8D20D59C}C:\users\eric.senler\appdata\local\temp\rar$ex00.165\eclipse\eclipse.exe" = protocol=17 | dir=in | app=c:\users\eric.senler\appdata\local\temp\rar$ex00.165\eclipse\eclipse.exe |
"UDP Query User{C229831D-BE63-4804-A190-E5FD78B00032}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"UDP Query User{C8756A27-2ECC-4BBB-841B-5DDE7A836379}C:\users\kcdadmin\documents\firstclass\fcspra.exe" = protocol=17 | dir=in | app=c:\users\kcdadmin\documents\firstclass\fcspra.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = ThinkPad Bluetooth with Enhanced Data Rate Software 6.0.1.4900
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0E6AB9FC-76C2-431B-9C06-6C1CFFFEA8EB}" = Ad-Aware 2007
"{0F4EFCE8-E358-4430-A504-F55F32BA1816}" = Client Security Solution
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = ThinkPad Keyboard Customizer Utility
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{26903C89-780A-463E-8CBD-E47A73927254}" = ThinkPad Tablet Button Driver
"{26A24AE4-039D-4CA4-87B4-2F83216020F0}" = Java(TM) 6 Update 20
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 23
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{3230518C-2953-4FB9-8485-B3CDFCC36A70}" = Rosetta Stone Ltd Services
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{342F103D-F8E5-4B44-9FE1-6D74E05640C5}" = VitalSource Bookshelf
"{394958C2-8036-4385-81F5-B63F221D0DD0}" = InterVideo VirtualDrive
"{3A8FE746-19BA-4168-8D01-D45897C7310E}" = VZAccess Manager
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B1B0FC1-BEEA-47DB-88DE-CFD8F26C2D0D}" = Thinkpad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
"{530AFAFF-6F0A-48BB-88D0-04F9658322D3}" = Adobe Premiere Elements 3.0.2
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{5B35C417-2649-11D6-83D1-0050FC01225C}" = FirstClass® Client
"{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{796E076A-82F7-4D49-98C8-DEC0C3BC733A}" = Diskeeper Home
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E4C16B8-8F76-4940-8505-98E93C00BF19}" = Rescue and Recovery
"{7EB114D8-207F-45AE-BABD-1669715F2630}" = ThinkVantage Access Connections
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8485F313-4B62-42F3-ADD8-0DE34A4DDAEF}" = Thinkpad Wireless LAN Adapters Software (11a/b/g/n)
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D757887-9CD3-4F97-9873-E049E1C264CE}" = SMART Board Software
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A2DB59F-091A-40B4-958D-1C8264624126}" = ThinkPad Tablet Shortcut Menu
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC2BA148-EE9C-4F1A-AFCE-F38C2C71D29B}" = Mobile Broadband Generic Drivers
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}" = ThinkVantage Productivity Center
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{D64AAE0A-63C5-43C0-AFA7-65761A322028}" = GradeQuick
"{D728E945-256D-4477-B377-6BBA693714AC}" = Productivity Center Supplement for ThinkPad
"{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}" = ThinkPad Power Manager
"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers
"{E1A83640-A568-4B56-A4C9-AB38C7035156}" = ThinkPad Mobility Center Customization
"{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F362902D-BC94-4187-8960-3B51F55B2EB0}" = Verizon Wireless USB760 Firmware Updates
"{F705E3E1-A471-426B-9A09-73429F3418EE}" = System Migration Assistant
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"3CD6E6EC537F34026EA60F5BE964BCA8B58F5703" = Windows Driver Package - Lenovo (IBMPMDRV) System (11/01/2006 1.41)
"73501D040246FD1119FF9BD02EAA9CA1541A9E01" = Windows Driver Package - Intel USB (09/13/2006 8.2.0.1008)
"791A34704A3AAC62E238B140D8FC6E49D41AD375" = Windows Driver Package - Intel (e1express) Net (11/16/2006 9.6.31.0)
"8B51271D05166ED3E2A0A7FD52BCB8628E296043" = Windows Driver Package - Intel System (09/15/2006 7.0.0.1020)
"9DE44D33DF9291DE11A1A790CFBF8541856C70DC" = Windows Driver Package - Intel hdc (09/15/2006 8.2.0.1008)
"AbiWord2" = AbiWord 2.8.6
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.3 Professional
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Akamai" = Akamai NetSession Interface Service
"AwayTask" = Maintenance Manager
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"C07FE7FC75ACBDD151782F792980433C19F635D4" = Windows Driver Package - Intel hdc (09/15/2006 8.2.0.1008)
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"DADE94E03F9586B655AEA5F99234D390348E108C" = Windows Driver Package - Intel System (09/15/2006 8.2.0.1008)
"Dipmon" = Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
"E6CEFD9A59425A2A27E92572AB367B28C371D3D8" = Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
"eMusic Download Manager" = eMusic Download Manager 3.0
"ffdshow_is1" = ffdshow [rev 3299] [2010-03-03]
"FPIRPOn" = Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"InstallShield_{8136ADEE-7FA1-4091-900C-DD0229BFE14F}" =
"LENOVO.SMIIF" = Lenovo System Interface Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mobile Broadband Generic Drivers" = Mobile Broadband Generic Drivers
"Mozilla Firefox (3.6.25)" = Mozilla Firefox (3.6.25)
"NirSoft BlueScreenView" = NirSoft BlueScreenView
"NSS" = Norton Security Scan
"OnScreenDisplay" = On Screen Display
"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows
"Pharos" = Pharos
"Picasa 3" = Picasa 3
"Power Management Driver" = ThinkPad Power Management Driver
"PremElem30" = Adobe Premiere Elements 3.0.2
"PROSet" = Intel(R) PRO Network Connections Drivers
"RealAlt_is1" = Real Alternative 1.9.0
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"TrackPoint" = ThinkPad TrackPoint Driver
"USBPMon" = Registry patch for Windows Vista USB S3 PM Enablement
"Windows Live Toolbar" = Windows Live Toolbar
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-617106367-3599637792-3033426161-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Akamai" = Akamai NetSession Interface

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/11/2012 2:21:22 PM | Computer Name = ERICS | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4363, time
stamp 0x4ee68bf9, faulting module coreclr.dll, version 4.0.60831.0, time stamp
0x4e5d6c64, exception code 0x8013150a, fault offset 0x0013d2a6, process id 0x75c,
application start time 0x01ccd08dbe34ff2c.

Error - 1/11/2012 6:00:19 PM | Computer Name = ERICS | Source = EventSystem | ID = 4609
Description =

Error - 1/11/2012 6:07:35 PM | Computer Name = ERICS | Source = System Restore | ID = 8193
Description =

Error - 1/11/2012 6:08:53 PM | Computer Name = ERICS | Source = Application Error | ID = 1000
Description = Faulting application pev.3XE, version 0.0.0.0, time stamp 0x4e06cfe8,
faulting module pev.3XE, version 0.0.0.0, time stamp 0x4e06cfe8, exception code
0xc0000417, fault offset 0x00081dc9, process id 0x118, application start time 0x01ccd0ad9acf7a19.

Error - 1/11/2012 6:09:08 PM | Computer Name = ERICS | Source = EventSystem | ID = 4609
Description =

Error - 1/11/2012 6:13:09 PM | Computer Name = ERICS | Source = EventSystem | ID = 4609
Description =

Error - 1/11/2012 6:22:17 PM | Computer Name = ERICS | Source = System Restore | ID = 8193
Description =

Error - 1/11/2012 6:25:40 PM | Computer Name = ERICS | Source = EventSystem | ID = 4609
Description =

Error - 1/11/2012 7:28:10 PM | Computer Name = ERICS | Source = EventSystem | ID = 4609
Description =

Error - 1/11/2012 10:14:28 PM | Computer Name = ERICS | Source = System Restore | ID = 8193
Description =

[ System Events ]
Error - 1/11/2012 6:13:49 PM | Computer Name = ERICS | Source = Service Control Manager | ID = 7026
Description =

Error - 1/11/2012 6:19:19 PM | Computer Name = ERICS | Source = DCOM | ID = 10005
Description =

Error - 1/11/2012 6:23:14 PM | Computer Name = ERICS | Source = Service Control Manager | ID = 7030
Description =

Error - 1/11/2012 6:25:03 PM | Computer Name = ERICS | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:23:50 PM on 1/11/2012 was unexpected.

Error - 1/11/2012 6:25:30 PM | Computer Name = ERICS | Source = DCOM | ID = 10005
Description =

Error - 1/11/2012 6:25:40 PM | Computer Name = ERICS | Source = DCOM | ID = 10005
Description =

Error - 1/11/2012 6:25:45 PM | Computer Name = ERICS | Source = DCOM | ID = 10005
Description =

Error - 1/11/2012 6:25:46 PM | Computer Name = ERICS | Source = DCOM | ID = 10005
Description =

Error - 1/11/2012 6:26:22 PM | Computer Name = ERICS | Source = Service Control Manager | ID = 7001
Description =

Error - 1/11/2012 6:26:22 PM | Computer Name = ERICS | Source = Service Control Manager | ID = 7026
Description =


< End of report >

 

[Broni]

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O4 - Startup: C:\Users\eric.senler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = File not found
  O4 - Startup: C:\Users\KCDAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = File not found
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 File not found
  O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xoq.exe" -a "%1" %*
  O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\xoq.exe" -a "%1" %*
  [2012/01/09 19:55:20 | 000,366,080 | ---- | C] (Корпорация Майкрософт) -- C:\Users\KCDAdmin\Documents\4BV87ne7.exe
  [2012/01/09 21:20:49 | 000,011,722 | -HS- | M] () -- C:\Users\KCDAdmin\AppData\Local\gp581ij784jium85460it54566v07fp376c3tk3e3yb 407
  [2012/01/09 21:20:49 | 000,011,722 | -HS- | M] () -- C:\ProgramData\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
  [2012/01/09 19:55:20 | 000,366,080 | ---- | M] (Корпорация Майкрософт) -- C:\Users\KCDAdmin\Documents\4BV87ne7.exe
  [2011/12/19 19:27:30 | 000,010,372 | -HS- | M] () -- C:\Users\KCDAdmin\AppData\Local\2upg2v81fl1rft62764lpa4sr108ul5d0ie34
  [2011/12/19 19:27:30 | 000,010,372 | -HS- | M] () -- C:\ProgramData\2upg2v81fl1rft62764lpa4sr108ul5d0ie34
  [2011/06/21 16:42:14 | 000,012,680 | -HS- | C] () -- C:\ProgramData\3035257540
  [2011/06/21 16:42:14 | 000,012,680 | -HS- | C] () -- C:\Users\KCDAdmin\AppData\Local\1rd751e8e473gr158v
  [2011/06/21 16:30:43 | 000,012,672 | -HS- | C] () -- C:\ProgramData\1rd751e8e473gr158v
  [2011/05/03 00:07:39 | 000,010,868 | -HS- | C] () -- C:\ProgramData\1nt4rmyke13d7t8mp831282g0
  @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
  
  :Files
  C:\Windows\system32\config\systemprofile\AppData\Local\xoq.exe
  
  
  :Commands
  [purity]
  [emptytemp]
  [emptyjava]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.

==========================================================

When done with the above...
You're not running any AV program.
Install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
Update, run full scan, report on any findings.

 

[esen]

Ok, after the scan was complete and it made me reboot my computer, the only new icons I saw on my desktop were the following (both named "desktop.ini")

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

___

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
Windows Photo Gallery.lnk=@%ProgramFiles%\Windows Photo Gallery\PhotoLibraryResources.dll,-1581
________________

Should I still proceed with your recent directions?

 

[esen]

Whoops, didn't realize I had to open OTL again after the reboot.

It did produce a log:

All processes killed
========== OTL ==========
C:\Users\eric.senler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk moved successfully.
C:\Users\KCDAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk moved successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\exefile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\Users\KCDAdmin\Documents\4BV87ne7.exe moved successfully.
File C:\Users\KCDAdmin\AppData\Local\gp581ij784jium85460it54566v07fp376c3tk3e3yb 407 not found.
C:\ProgramData\gp581ij784jium85460it54566v07fp376c3tk3e3yb407 moved successfully.
File C:\Users\KCDAdmin\Documents\4BV87ne7.exe not found.
C:\Users\KCDAdmin\AppData\Local\2upg2v81fl1rft62764lpa4sr108ul5d0ie34 moved successfully.
C:\ProgramData\2upg2v81fl1rft62764lpa4sr108ul5d0ie34 moved successfully.
C:\ProgramData\3035257540 moved successfully.
C:\Users\KCDAdmin\AppData\Local\1rd751e8e473gr158v moved successfully.
C:\ProgramData\1rd751e8e473gr158v moved successfully.
C:\ProgramData\1nt4rmyke13d7t8mp831282g0 moved successfully.
ADS C:\ProgramData\TEMPFC5A2B2 deleted successfully.
========== FILES ==========
File\Folder C:\Windows\system32\config\systemprofile\AppData\Local\xoq.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: alex.fallon
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: chris.kessler
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: doug.friedman
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: eric.senler
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 65839101 bytes
->Java cache emptied: 2996954 bytes
->FireFox cache emptied: 55953684 bytes
->Flash cache emptied: 293119 bytes

User: KCDAdmin
->Temp folder emptied: 187722434 bytes
->Temporary Internet Files folder emptied: 63357534 bytes
->Java cache emptied: 1303277 bytes
->FireFox cache emptied: 85719529 bytes
->Flash cache emptied: 77024 bytes

User: Public
->Temp folder emptied: 0 bytes

User: roger.basham
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 17054405 bytes
->Java cache emptied: 0 bytes

User: tom.james
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 855730 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 74778102 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 530.00 mb


[EMPTYJAVA]

User: alex.fallon

User: All Users

User: chris.kessler

User: Default

User: Default User

User: doug.friedman

User: eric.senler
->Java cache emptied: 0 bytes

User: KCDAdmin
->Java cache emptied: 0 bytes

User: Public

User: roger.basham
->Java cache emptied: 0 bytes

User: tom.james

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: alex.fallon

User: All Users

User: chris.kessler

User: Default

User: Default User

User: doug.friedman

User: eric.senler
->Flash cache emptied: 0 bytes

User: KCDAdmin
->Flash cache emptied: 0 bytes

User: Public

User: roger.basham

User: tom.james

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 01112012_223126

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

 

[esen]

Here is the log that resulted from the Quick scan in OTL:

OTL logfile created on: 1/11/2012 10:53:47 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\KCDAdmin\Downloads
Windows Vista Business Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.96% Memory free
4.21 Gb Paging File | 3.88 Gb Available in Paging File | 92.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68.93 Gb Total Space | 18.89 Gb Free Space | 27.40% Space Free | Partition Type: NTFS

Computer Name: ERICS | User Name: Admin | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/11 21:10:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\KCDAdmin\Downloads\OTL.exe
PRC - [2011/12/29 18:43:08 | 000,912,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/14 02:20:50 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/06/13 08:19:53 | 000,565,248 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/29 18:43:09 | 000,849,368 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2011/12/13 13:29:20 | 008,527,008 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/12/14 16:40:39 | 003,316,000 | ---- | M] () [Auto | Stopped] -- c:\program files\common files\akamai/netsession_win_b427739.dll -- (Akamai)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/08/24 07:47:07 | 000,378,368 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - [2009/04/25 19:45:34 | 000,443,712 | ---- | M] (Rosetta Stone Ltd.) [Auto | Stopped] -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2008/05/16 22:12:54 | 000,290,816 | ---- | M] (Pharos Systems International) [Auto | Stopped] -- C:\Program Files\PharosSystems\Core\CTskMstr.exe -- (Pharos Systems ComTaskMaster)
SRV - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/07 04:23:02 | 000,013,312 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2007/11/08 10:56:46 | 000,035,616 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\TrackPoint\tp4servinst.exe -- (tp4serv)
SRV - [2007/07/10 14:56:04 | 000,569,344 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2007/07/10 14:37:38 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/07/05 15:48:54 | 000,206,120 | ---- | M] (Lenovo) [Auto | Stopped] -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc)
SRV - [2007/07/05 15:48:50 | 000,091,432 | ---- | M] (Lenovo) [Auto | Stopped] -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
SRV - [2007/06/13 08:19:53 | 000,565,248 | ---- | M] (Lavasoft AB) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2007/06/13 02:29:47 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/03/02 14:07:28 | 000,055,936 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2006/12/22 06:31:50 | 000,108,712 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)
SRV - [2006/12/13 23:46:08 | 000,045,056 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe -- (tvtnetwk)
SRV - [2006/11/20 00:14:14 | 000,108,080 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Windows\System32\IPSSVC.EXE -- (IPSSVC)
SRV - [2006/11/15 18:20:46 | 000,634,988 | ---- | M] (Diskeeper Corporation) [Auto | Stopped] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/11/02 04:46:13 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2006/11/02 04:46:12 | 000,167,424 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2005/10/20 04:22:34 | 000,880,640 | ---- | M] (SMART Technologies Inc.) [Auto | Stopped] -- C:\Program Files\SMART Board Software\SMARTBoardService.exe -- (SMART Board Service)


========== Driver Services (SafeList) ==========

DRV - [2009/12/18 12:13:02 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2009/12/18 12:13:00 | 000,230,912 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/03/05 18:43:32 | 000,223,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/12/20 11:44:16 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\psadd.sys -- (psadd)
DRV - [2007/10/17 19:58:16 | 000,758,784 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/09/25 02:08:00 | 000,012,080 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\System32\drivers\TPPWR32V.SYS -- (TPPWRIF)
DRV - [2007/08/09 18:33:14 | 000,013,360 | ---- | M] (Lenovo Group Limited) [Kernel | On_Demand | Stopped] -- C:\Program Files\Lenovo\System Update\session\7juj09us\tpflhlp.sys -- (tpflhlp)
DRV - [2007/05/22 14:59:38 | 000,030,336 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2006/11/28 15:44:00 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/06 03:24:56 | 000,012,080 | ---- | M] (Lenovo Group Limited) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\PROCDD.SYS -- (PROCDD)
DRV - [2006/11/02 04:50:17 | 000,041,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2006/11/02 02:30:54 | 001,781,760 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2006/08/30 05:04:04 | 000,013,744 | ---- | M] (Lenovo Group Limited) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2005/07/08 15:11:32 | 000,013,440 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\STI2303X.sys -- (STI2303X)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 90 BA 34 06 F3 EB 25 42 99 57 49 A0 F9 AC 58 97 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61737

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 61737
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/29 18:43:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/29 18:43:13 | 000,000,000 | ---D | M]

[2011/06/01 13:20:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Extensions
[2012/01/10 22:53:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Firefox\Profiles\er0e4p5e.default\extensions
[2011/06/01 18:59:52 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Firefox\Profiles\er0e4p5e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/10 22:53:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/02 01:24:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/11 13:19:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/11 17:54:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (CIEDownload Object) - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll (SMART Technologies Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (CPwmIEBrowserHelper Object) - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - c:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (Lenovo)
O4 - HKLM..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo)
O4 - HKLM..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BTVLOGEX.DLL ()
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Users\KCDAdmin\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKLM..\RunOnce: [GrpConv] C:\Windows\System32\grpconv.exe (Microsoft Corporation)
O4 - Startup: C:\Users\KCDAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Windows Live Search - c:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - c:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E6D21EA0-98F4-47F7-B3D8-D086B681A025}: DhcpNameServer = 10.0.0.1
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O29 - HKLM SecurityProviders - (credssp.dll) -credssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/11 22:31:26 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/11 17:21:45 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/01/11 12:13:44 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Users\KCDAdmin\Desktop\boot_cleaner.exe
[2012/01/09 22:07:27 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/09 22:07:27 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/09 22:07:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2012/01/09 22:07:27 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

========== Files - Modified Within 30 Days ==========

[2012/01/11 22:41:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/11 17:10:17 | 000,025,269 | ---- | M] () -- C:\Windows\System32\PROCDB.INI
[2012/01/11 17:10:16 | 000,000,002 | ---- | M] () -- C:\Windows\System32\IPSCtrl.INI
[2012/01/11 17:10:14 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 17:10:14 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 13:18:24 | 000,003,853 | ---- | M] () -- C:\Users\KCDAdmin\Desktop\ENG101.Course.Description.Notes.abw
[2012/01/11 13:08:29 | 000,000,256 | ---- | M] () -- C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
[2012/01/10 21:36:27 | 000,000,916 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/10 00:18:58 | 000,000,836 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/01/09 21:20:49 | 000,011,722 | -HS- | M] () -- C:\Users\KCDAdmin\AppData\Local\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
[2012/01/08 17:25:51 | 000,000,570 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for eric.senler.job
[2012/01/07 01:37:39 | 000,103,329 | ---- | M] () -- C:\Users\KCDAdmin\Desktop\KYSTS.Directions.jpg

========== Files Created - No Company Name ==========

[2012/01/11 13:18:24 | 000,003,853 | ---- | C] () -- C:\Users\KCDAdmin\Desktop\ENG101.Course.Description.Notes.abw
[2012/01/10 21:36:27 | 000,000,916 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/09 22:07:27 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/09 22:07:27 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/09 22:07:27 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/09 22:07:27 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/09 22:07:27 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/09 19:55:09 | 000,011,722 | -HS- | C] () -- C:\Users\KCDAdmin\AppData\Local\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
[2012/01/07 01:37:39 | 000,103,329 | ---- | C] () -- C:\Users\KCDAdmin\Desktop\KYSTS.Directions.jpg
[2011/10/20 02:05:27 | 000,003,584 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/09 14:30:05 | 000,000,037 | ---- | C] () -- C:\ProgramData\4a2cfcd
[2011/07/08 21:11:45 | 000,002,736 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Roaming\0E4A.FA4
[2011/06/21 16:44:25 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/04/06 19:32:30 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/02/20 21:05:44 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/02/20 21:03:24 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/02/11 18:34:48 | 002,215,364 | ---- | C] () -- C:\Windows\System32\igklg400.bin
[2008/02/11 18:34:48 | 001,971,732 | ---- | C] () -- C:\Windows\System32\igklg450.bin
[2008/02/11 18:34:48 | 000,029,932 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.bin
[2008/02/08 15:04:04 | 000,002,528 | ---- | C] () -- C:\Windows\FCIC.INI
[2007/09/13 15:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/06/13 19:26:16 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/06/13 09:24:25 | 000,000,008 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2007/06/13 02:38:44 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2007/06/12 21:39:35 | 000,001,356 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Local\d3d9caps.dat
[2007/06/05 13:10:20 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2007/06/05 13:01:18 | 000,012,080 | ---- | C] () -- C:\Windows\System32\drivers\TPPWR32V.SYS
[2007/06/05 12:59:38 | 000,106,496 | ---- | C] () -- C:\Windows\stkbtnpn.dll
[2007/06/05 12:41:50 | 000,000,836 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2007/04/13 14:19:52 | 000,007,680 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2007/03/29 12:42:38 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2007/01/31 17:03:26 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1187.dll
[2006/12/14 13:14:16 | 000,025,269 | ---- | C] () -- C:\Windows\System32\PROCDB.INI
[2006/12/14 13:14:10 | 000,000,002 | ---- | C] () -- C:\Windows\System32\IPSCtrl.INI
[2006/12/07 09:57:31 | 000,005,788 | ---- | C] () -- C:\Windows\System32\tp4table.dat
[2006/11/10 09:10:49 | 001,490,999 | ---- | C] () -- C:\Windows\System32\tkbtnpn1.dll
[2006/11/02 07:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:43 | 000,411,544 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:36:36 | 000,063,488 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,120,962 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:33:01 | 000,000,000 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 02:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 02:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/09/05 13:20:36 | 000,079,400 | ---- | C] () -- C:\Windows\System32\DEVMAN.DLL
[2004/09/01 06:42:44 | 000,257,536 | ---- | C] () -- C:\Windows\System32\BiImg.dll
[2004/09/01 06:42:44 | 000,257,536 | ---- | C] () -- C:\Windows\BiImg.dll
[2004/09/01 06:42:44 | 000,110,592 | ---- | C] () -- C:\Windows\System32\JPeg32.dll
[2004/09/01 06:42:44 | 000,110,592 | ---- | C] () -- C:\Windows\JPeg32.dll
[2004/09/01 06:42:44 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BiEResNT.dll
[2004/09/01 06:42:44 | 000,073,728 | ---- | C] () -- C:\Windows\System32\Bic_Res.dll
[2004/09/01 06:42:44 | 000,053,248 | ---- | C] () -- C:\Windows\System32\BiEAppNT.exe
[2004/09/01 06:42:44 | 000,000,002 | ---- | C] () -- C:\Windows\bi_group.ini
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2011/09/06 09:50:08 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\enchant
[2007/06/12 21:49:26 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\Leadertech
[2007/06/12 21:49:54 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\Lenovo
[2011/09/20 10:48:40 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\OpenOffice.org
[2011/06/02 10:29:30 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\SMART Technologies Inc
[2012/01/11 13:08:29 | 000,000,256 | ---- | M] () -- C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
[2012/01/10 00:19:00 | 000,032,554 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

 

[Broni]

the only new icons I saw on my desktop were the following (both named "desktop.ini")

Open Windows Explorer, go Tools>Folder options>View tab and checkmark "Hide protected operating system files".
OK your way out.

 

[Broni]

We also have "hosts" file missing.

Open Notepad.
Paste the following text into it:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost

Go File>Save As and...

1. Name the file hosts. (no extension; make sure there is just a "dot" at the end <--- VERY IMPORTANT!)
2. Make sure, "Save as type:" is set to "All Files (*.*)
3. File is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder

NOTE.
If you receive You don't have permission to save in this location message take ownership of C:\windows\system32\drivers\etc folder: http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/
If the above doesn't work save the file to some known location, like your desktop, copy it from there and paste it to "etc" folder.

==============================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  [2012/01/09 21:20:49 | 000,011,722 | -HS- | M] () -- C:\Users\KCDAdmin\AppData\Local\gp581ij784jium85460it54566v07fp376c3tk3e3yb407
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyjava]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.

 

[esen]

Here is the log resulting from the Run Fix scan:

All processes killed
========== OTL ==========
C:\Users\KCDAdmin\AppData\Local\gp581ij784jium85460it54566v07fp376c3tk3e3yb407 moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: alex.fallon
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: chris.kessler
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: doug.friedman
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: eric.senler
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: KCDAdmin
->Temp folder emptied: 45336 bytes
->Temporary Internet Files folder emptied: 55525 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 18828123 bytes
->Flash cache emptied: 456 bytes

User: Public
->Temp folder emptied: 0 bytes

User: roger.basham
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: tom.james
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 18.00 mb


[EMPTYJAVA]

User: alex.fallon

User: All Users

User: chris.kessler

User: Default

User: Default User

User: doug.friedman

User: eric.senler
->Java cache emptied: 0 bytes

User: KCDAdmin
->Java cache emptied: 0 bytes

User: Public

User: roger.basham
->Java cache emptied: 0 bytes

User: tom.james

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: alex.fallon

User: All Users

User: chris.kessler

User: Default

User: Default User

User: doug.friedman

User: eric.senler
->Flash cache emptied: 0 bytes

User: KCDAdmin
->Flash cache emptied: 0 bytes

User: Public

User: roger.basham

User: tom.james

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 01112012_231555

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
___________________________________

Here is the log resulting from the Quick Scan scan:

OTL logfile created on: 1/11/2012 11:25:47 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\KCDAdmin\Downloads
Windows Vista Business Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.52 Gb Available Physical Memory | 76.54% Memory free
4.21 Gb Paging File | 3.89 Gb Available in Paging File | 92.45% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68.93 Gb Total Space | 18.57 Gb Free Space | 26.94% Space Free | Partition Type: NTFS

Computer Name: ERICS | User Name: Admin | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/11 21:10:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\KCDAdmin\Downloads\OTL.exe
PRC - [2011/12/29 18:43:08 | 000,912,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/14 02:20:50 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/06/13 08:19:53 | 000,565,248 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/29 18:43:09 | 000,849,368 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/12/14 16:40:39 | 003,316,000 | ---- | M] () [Auto | Stopped] -- c:\program files\common files\akamai/netsession_win_b427739.dll -- (Akamai)
SRV - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/08/24 07:47:07 | 000,378,368 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - [2009/04/25 19:45:34 | 000,443,712 | ---- | M] (Rosetta Stone Ltd.) [Auto | Stopped] -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2008/05/16 22:12:54 | 000,290,816 | ---- | M] (Pharos Systems International) [Auto | Stopped] -- C:\Program Files\PharosSystems\Core\CTskMstr.exe -- (Pharos Systems ComTaskMaster)
SRV - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/07 04:23:02 | 000,013,312 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2007/11/08 10:56:46 | 000,035,616 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\TrackPoint\tp4servinst.exe -- (tp4serv)
SRV - [2007/07/10 14:56:04 | 000,569,344 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2007/07/10 14:37:38 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/07/05 15:48:54 | 000,206,120 | ---- | M] (Lenovo) [Auto | Stopped] -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc)
SRV - [2007/07/05 15:48:50 | 000,091,432 | ---- | M] (Lenovo) [Auto | Stopped] -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
SRV - [2007/06/13 08:19:53 | 000,565,248 | ---- | M] (Lavasoft AB) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2007/06/13 02:29:47 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/03/02 14:07:28 | 000,055,936 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2006/12/22 06:31:50 | 000,108,712 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)
SRV - [2006/12/13 23:46:08 | 000,045,056 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe -- (tvtnetwk)
SRV - [2006/11/20 00:14:14 | 000,108,080 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Windows\System32\IPSSVC.EXE -- (IPSSVC)
SRV - [2006/11/15 18:20:46 | 000,634,988 | ---- | M] (Diskeeper Corporation) [Auto | Stopped] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/11/02 04:46:13 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2006/11/02 04:46:12 | 000,167,424 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2005/10/20 04:22:34 | 000,880,640 | ---- | M] (SMART Technologies Inc.) [Auto | Stopped] -- C:\Program Files\SMART Board Software\SMARTBoardService.exe -- (SMART Board Service)


========== Driver Services (SafeList) ==========

DRV - [2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 12:52:07 | 000,055,128 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/12/18 12:13:02 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2009/12/18 12:13:00 | 000,230,912 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/03/05 18:43:32 | 000,223,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/12/20 11:44:16 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\psadd.sys -- (psadd)
DRV - [2007/10/17 19:58:16 | 000,758,784 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/09/25 02:08:00 | 000,012,080 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\System32\drivers\TPPWR32V.SYS -- (TPPWRIF)
DRV - [2007/08/09 18:33:14 | 000,013,360 | ---- | M] (Lenovo Group Limited) [Kernel | On_Demand | Stopped] -- C:\Program Files\Lenovo\System Update\session\7juj09us\tpflhlp.sys -- (tpflhlp)
DRV - [2007/05/22 14:59:38 | 000,030,336 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2006/11/28 15:44:00 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/06 03:24:56 | 000,012,080 | ---- | M] (Lenovo Group Limited) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\PROCDD.SYS -- (PROCDD)
DRV - [2006/11/02 04:50:17 | 000,041,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2006/11/02 02:30:54 | 001,781,760 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2006/08/30 05:04:04 | 000,013,744 | ---- | M] (Lenovo Group Limited) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2005/07/08 15:11:32 | 000,013,440 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\STI2303X.sys -- (STI2303X)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 90 BA 34 06 F3 EB 25 42 99 57 49 A0 F9 AC 58 97 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61737

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: wrc@avast.com:6.0.1367
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 61737
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/01/11 23:10:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/29 18:43:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/29 18:43:13 | 000,000,000 | ---D | M]

[2011/06/01 13:20:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Extensions
[2012/01/11 23:22:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Firefox\Profiles\er0e4p5e.default\extensions
[2011/06/01 18:59:52 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\KCDAdmin\AppData\Roaming\mozilla\Firefox\Profiles\er0e4p5e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/11 23:22:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/02 01:24:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/11 13:19:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/11 17:54:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2012/01/11 23:10:46 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2012/01/11 23:09:00 | 000,000,759 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (CIEDownload Object) - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll (SMART Technologies Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (CPwmIEBrowserHelper Object) - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - c:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (Lenovo)
O4 - HKLM..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BTVLOGEX.DLL ()
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Users\KCDAdmin\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKLM..\RunOnce: [GrpConv] C:\Windows\System32\grpconv.exe (Microsoft Corporation)
O4 - Startup: C:\Users\KCDAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Windows Live Search - c:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - c:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E6D21EA0-98F4-47F7-B3D8-D086B681A025}: DhcpNameServer = 10.0.0.1
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O29 - HKLM SecurityProviders - (credssp.dll) -credssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/11 23:11:09 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012/01/11 23:11:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012/01/11 23:11:08 | 000,314,456 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012/01/11 23:11:06 | 000,052,952 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2012/01/11 23:11:06 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2012/01/11 23:11:05 | 000,435,032 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012/01/11 23:11:05 | 000,055,128 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012/01/11 23:10:45 | 000,199,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2012/01/11 23:10:45 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/01/11 23:10:21 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/01/11 23:10:21 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/01/11 22:31:26 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/11 17:21:45 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/01/11 12:13:44 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Users\KCDAdmin\Desktop\boot_cleaner.exe
[2012/01/09 22:07:27 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/09 22:07:27 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/09 22:07:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2012/01/09 22:07:27 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

========== Files - Modified Within 30 Days ==========

[2012/01/11 23:20:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/11 23:18:52 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 23:18:52 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 23:11:09 | 000,001,839 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/01/11 23:11:05 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/01/11 23:09:00 | 000,000,759 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/01/11 17:10:17 | 000,025,269 | ---- | M] () -- C:\Windows\System32\PROCDB.INI
[2012/01/11 17:10:16 | 000,000,002 | ---- | M] () -- C:\Windows\System32\IPSCtrl.INI
[2012/01/11 13:18:24 | 000,003,853 | ---- | M] () -- C:\Users\KCDAdmin\Desktop\ENG101.Course.Description.Notes.abw
[2012/01/11 13:08:29 | 000,000,256 | ---- | M] () -- C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
[2012/01/10 21:36:27 | 000,000,916 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/10 00:18:58 | 000,000,836 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/01/08 17:25:51 | 000,000,570 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for eric.senler.job
[2012/01/07 01:37:39 | 000,103,329 | ---- | M] () -- C:\Users\KCDAdmin\Desktop\KYSTS.Directions.jpg

========== Files Created - No Company Name ==========

[2012/01/11 23:11:09 | 000,001,839 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/01/11 13:18:24 | 000,003,853 | ---- | C] () -- C:\Users\KCDAdmin\Desktop\ENG101.Course.Description.Notes.abw
[2012/01/10 21:36:27 | 000,000,916 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/09 22:07:27 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/09 22:07:27 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/09 22:07:27 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/09 22:07:27 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/09 22:07:27 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/07 01:37:39 | 000,103,329 | ---- | C] () -- C:\Users\KCDAdmin\Desktop\KYSTS.Directions.jpg
[2011/10/20 02:05:27 | 000,003,584 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/09 14:30:05 | 000,000,037 | ---- | C] () -- C:\ProgramData\4a2cfcd
[2011/07/08 21:11:45 | 000,002,736 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Roaming\0E4A.FA4
[2011/06/21 16:44:25 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/04/06 19:32:30 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/02/20 21:05:44 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/02/20 21:03:24 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/02/11 18:34:48 | 002,215,364 | ---- | C] () -- C:\Windows\System32\igklg400.bin
[2008/02/11 18:34:48 | 001,971,732 | ---- | C] () -- C:\Windows\System32\igklg450.bin
[2008/02/11 18:34:48 | 000,029,932 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.bin
[2008/02/08 15:04:04 | 000,002,528 | ---- | C] () -- C:\Windows\FCIC.INI
[2007/09/13 15:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/06/13 19:26:16 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/06/13 09:24:25 | 000,000,008 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2007/06/13 02:38:44 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2007/06/12 21:39:35 | 000,001,356 | ---- | C] () -- C:\Users\KCDAdmin\AppData\Local\d3d9caps.dat
[2007/06/05 13:10:20 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2007/06/05 13:01:18 | 000,012,080 | ---- | C] () -- C:\Windows\System32\drivers\TPPWR32V.SYS
[2007/06/05 12:59:38 | 000,106,496 | ---- | C] () -- C:\Windows\stkbtnpn.dll
[2007/06/05 12:41:50 | 000,000,836 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2007/04/13 14:19:52 | 000,007,680 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2007/03/29 12:42:38 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2007/01/31 17:03:26 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1187.dll
[2006/12/14 13:14:16 | 000,025,269 | ---- | C] () -- C:\Windows\System32\PROCDB.INI
[2006/12/14 13:14:10 | 000,000,002 | ---- | C] () -- C:\Windows\System32\IPSCtrl.INI
[2006/12/07 09:57:31 | 000,005,788 | ---- | C] () -- C:\Windows\System32\tp4table.dat
[2006/11/10 09:10:49 | 001,490,999 | ---- | C] () -- C:\Windows\System32\tkbtnpn1.dll
[2006/11/02 07:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:43 | 000,411,544 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:36:36 | 000,063,488 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,120,962 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:33:01 | 000,000,000 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 02:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 02:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/09/05 13:20:36 | 000,079,400 | ---- | C] () -- C:\Windows\System32\DEVMAN.DLL
[2004/09/01 06:42:44 | 000,257,536 | ---- | C] () -- C:\Windows\System32\BiImg.dll
[2004/09/01 06:42:44 | 000,257,536 | ---- | C] () -- C:\Windows\BiImg.dll
[2004/09/01 06:42:44 | 000,110,592 | ---- | C] () -- C:\Windows\System32\JPeg32.dll
[2004/09/01 06:42:44 | 000,110,592 | ---- | C] () -- C:\Windows\JPeg32.dll
[2004/09/01 06:42:44 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BiEResNT.dll
[2004/09/01 06:42:44 | 000,073,728 | ---- | C] () -- C:\Windows\System32\Bic_Res.dll
[2004/09/01 06:42:44 | 000,053,248 | ---- | C] () -- C:\Windows\System32\BiEAppNT.exe
[2004/09/01 06:42:44 | 000,000,002 | ---- | C] () -- C:\Windows\bi_group.ini
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2011/09/06 09:50:08 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\enchant
[2007/06/12 21:49:26 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\Leadertech
[2007/06/12 21:49:54 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\Lenovo
[2011/09/20 10:48:40 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\OpenOffice.org
[2011/06/02 10:29:30 | 000,000,000 | ---D | M] -- C:\Users\KCDAdmin\AppData\Roaming\SMART Technologies Inc
[2012/01/11 13:08:29 | 000,000,256 | ---- | M] () -- C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
[2012/01/10 00:19:00 | 000,032,554 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

 

[Broni]

Good

How is computer doing?

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Do NOT post JavaRa log.

===========================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  
  NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click on List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[esen]

Wow, it worked! That pop-up is not there in "normal mode" anymore!

May I ask what, exactly, it was that we did to remove that specific virus? Even MBAM couldn't locate it.

____________

Anyway, here are the logs you wanted:

Checkup.txt:

Results of screen317's Security Check version 0.99.24
Windows Vista x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
McAfee Security Scan Plus
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
Ad-Aware
Spybot - Search & Destroy 1.4
Java(TM) 6 Update 20
Java(TM) 6 Update 30
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
Out of date Java installed!
Adobe Flash Player 11.1.102.55
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
``````````End of Log````````````
_____________________________________

Farbar Service Scanner log:

Farbar Service Scanner
Ran by Admin (administrator) on 12-01-2012 at 00:19:24
Microsoft® Windows Vista™ Business (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll
[2007-12-19 14:57] - [2007-12-19 14:57] - 0204800 ____A (Microsoft Corporation)

C:\Windows\system32\Drivers\afd.sys
[2006-11-02 03:58] - [2006-11-02 03:58] - 0270336 ____A (Microsoft Corporation)

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll
[2009-03-14 01:39] - [2009-03-14 01:39] - 0084480 ____A (Microsoft Corporation) 05D7E62FD2EABAD579EB4D0C29245EEC

C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
_____________________________

I will post the TFC log in a minute.