Solved Svchost.exe using inordinate amount of CPU and memory

UThant

Win Vista Business SP2. Followed the 5-step program; logs follow. attach.txt is in a separate message (this message was too long). Thanks in advance for your time, help and consideration.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.14.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 7.0.6002.18005
dwozniak :: 1SR-PROG-IT [administrator]

2/14/2012 3:06:13 PM
mbam-log-2012-02-14 (15-06-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 368055
Time elapsed: 12 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\dwozniak\AppData\Local\temp\A43B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-14 16:18:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort4 ST9120823AS rev.3.BHC
Running: 4yvc7ogp.exe; Driver: C:\Users\dwozniak\AppData\Local\Temp\uftyrpow.sys


---- System - GMER 1.0.15 ----

SSDT 904F29C0 ZwAlertResumeThread
SSDT 904F2AA0 ZwAlertThread
SSDT 904CD678 ZwAllocateVirtualMemory
SSDT 8E59EAA0 ZwConnectPort
SSDT 904F2548 ZwCreateMutant
SSDT 8691E6D0 ZwCreateThread
SSDT 8682F5A8 ZwFreeVirtualMemory
SSDT 904F2800 ZwImpersonateAnonymousToken
SSDT 904F28E0 ZwImpersonateThread
SSDT 904E5390 ZwMapViewOfSection
SSDT 904F22A0 ZwOpenEvent
SSDT 904DAC70 ZwOpenProcessToken
SSDT 904F2F38 ZwOpenThreadToken
SSDT 904DB088 ZwResumeThread
SSDT 904F2E78 ZwSetContextThread
SSDT 904F2008 ZwSetInformationProcess
SSDT 904F2DA8 ZwSetInformationThread
SSDT 904F21C0 ZwSuspendProcess
SSDT 904F2BE8 ZwSuspendThread
SSDT 904DB180 ZwTerminateProcess
SSDT 904F2CC8 ZwTerminateThread
SSDT 904C5050 ZwUnmapViewOfSection
SSDT 904D9AE8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 82AE18A0 8 Bytes [C0, 29, 4F, 90, A0, 2A, 4F, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 82AE18B4 4 Bytes [78, D6, 4C, 90] {JS 0xffffffffffffffd8; DEC ESP; NOP }
.text ntkrnlpa.exe!KeSetEvent + 1C1 82AE1944 4 Bytes [A0, EA, 59, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1F5 82AE1978 4 Bytes [48, 25, 4F, 90]
.text ntkrnlpa.exe!KeSetEvent + 221 82AE19A4 4 Bytes [D0, E6, 91, 86]
.text ...
? System32\drivers\pvighl.sys The system cannot find the path specified. !
? C:\Windows\System32\Drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CE02340, 0x3D6717, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!DialogBoxParamW 75F810B0 5 Bytes JMP 6E2AC00F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!DialogBoxIndirectParamW 75F82EF5 5 Bytes JMP 6E3EBC22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!DialogBoxParamA 75F98152 5 Bytes JMP 6E3EBBE7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!DialogBoxIndirectParamA 75F9847D 5 Bytes JMP 6E3EBC5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!MessageBoxIndirectA 75FAD4D9 5 Bytes JMP 6E3EBBA3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!MessageBoxIndirectW 75FAD5D3 5 Bytes JMP 6E3EBB5F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!MessageBoxExA 75FAD639 5 Bytes JMP 6E3EBB25 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3228] USER32.dll!MessageBoxExW 75FAD65D 5 Bytes JMP 6E3EBAEB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3228] ole32.dll!OleLoadFromStream 77471E80 5 Bytes JMP 6E3EBE1F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!DialogBoxParamW 75F810B0 5 Bytes JMP 6E2AC00F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!DialogBoxIndirectParamW 75F82EF5 5 Bytes JMP 6E3EBC22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!DialogBoxParamA 75F98152 5 Bytes JMP 6E3EBBE7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!DialogBoxIndirectParamA 75F9847D 5 Bytes JMP 6E3EBC5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!MessageBoxIndirectA 75FAD4D9 5 Bytes JMP 6E3EBBA3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!MessageBoxIndirectW 75FAD5D3 5 Bytes JMP 6E3EBB5F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!MessageBoxExA 75FAD639 5 Bytes JMP 6E3EBB25 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] USER32.dll!MessageBoxExW 75FAD65D 5 Bytes JMP 6E3EBAEB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5432] ole32.dll!OleLoadFromStream 77471E80 5 Bytes JMP 6E3EBE1F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\System32\svchost.exe[6952] kernel32.dll!WriteFile 7638ABE1 5 Bytes JMP 003B000C
.text C:\Windows\System32\svchost.exe[6952] USER32.dll!WindowFromPoint 75F5884F 5 Bytes JMP 01B8000A
.text C:\Windows\System32\svchost.exe[6952] USER32.dll!GetForegroundWindow 75F632C4 5 Bytes JMP 01B9000A
.text C:\Windows\System32\svchost.exe[6952] USER32.dll!GetCursorPos 75F70B88 5 Bytes JMP 01AF000A
.text C:\Windows\System32\svchost.exe[6952] ole32.dll!CoCreateInstance 774A9F3E 5 Bytes JMP 004B000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [748F7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7494A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [748FBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [748EF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [748F75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [748EE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74928395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [748FDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [748EFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [748EFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [748E71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7497CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7491C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [748ED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [748E6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [748E687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3676] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [748F2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6bb1053f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6bb1053f (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4768
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bb1053f
Reg HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}
Reg HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}@FVI2BORQSBKVMWHTNYLKBSB6ZB1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}
Reg HKLM\SOFTWARE\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}
Reg HKLM\SOFTWARE\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}
Reg HKLM\SOFTWARE\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}@FVI2BORQSBKVMWHTNYLKBSB6ZB1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{8065E9BF-72C0-0FC1-5AFDE65F0780FDDF}\{9AEA461A-A66D-2047-6BE4E874E5E97513}\{AA471588-234B-ED0A-4D91A11ADDB01E65}
Reg HKLM\SOFTWARE\Classes\CLSID\{8065E9BF-72C0-0FC1-5AFDE65F0780FDDF}\{9AEA461A-A66D-2047-6BE4E874E5E97513}\{AA471588-234B-ED0A-4D91A11ADDB01E65}@FVI2BORQSBKVMWHTNYLKBSB6ZB1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DFFD277A-DF70-B410-AC1E2F7ACB2EF6E1}\{F03E0E06-1B3D-CEE3-10573FC9D15505B4}\{82A99E38-2615-AE8D-106A193CCF03E65A}
Reg HKLM\SOFTWARE\Classes\CLSID\{DFFD277A-DF70-B410-AC1E2F7ACB2EF6E1}\{F03E0E06-1B3D-CEE3-10573FC9D15505B4}\{82A99E38-2615-AE8D-106A193CCF03E65A}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB62280$\485945278 0 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\@ 2048 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\bckfg.tmp 862 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\cfg.ini 77 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\keywords 0 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\L 0 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\L\vhtmwbun 273408 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\U 0 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\U\80000032.@ 77312 bytes
File C:\Windows\$NtUninstallKB62280$\87212029 0 bytes

---- EOF - GMER 1.0.15 ----
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005
Run by dwozniak at 16:21:01 on 2012-02-14
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2031.711 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\AEADISRV.EXE
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\CWBRXD.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://www.hp.com
mDefault_Page_URL = hxxp://www.hp.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-explorer: HideSCAHealth = 1 (0x1)
uPolicies-system: HideLogonScripts = 0 (0x0)
uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: HideLogonScripts = 0 (0x0)
dPolicies-system: HideLegacyLogonScripts = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qliktech.webex.com/client/WBXclient-T27L10NSP30-13034/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.10.10.7
TCP: Interfaces\{86CF2016-AF6D-490E-95EB-27B628A2391E} : DhcpNameServer = 10.10.10.7
TCP: Interfaces\{D01079DF-00B7-44C1-9D05-C9DB55A46D35} : DhcpNameServer = 10.10.10.7
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\qlikview\qvprotocol\qvp.dll
Notify: DeviceNP - DeviceNP.dll
LSA: Notification Packages = SbHpNp scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dwozniak\appdata\roaming\mozilla\firefox\profiles\gqz8wxik.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\users\dwozniak\appdata\roaming\mozilla\plugins\npatgpc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-29 13696]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-4-26 5808]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-23 21504]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-4-27 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-8-8 540448]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-13 106104]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2006-12-19 47616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2007-1-5 18944]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2007-4-23 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-4-30 172131]
S3 LcAgent;LC Remote Agent;c:\windows\temp\lcagent.exe [2010-6-1 308736]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PeerDistSvc;BranchCache;c:\windows\system32\svchost.exe -k PeerDist [2008-5-23 21504]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2011-5-24 58240]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-03 15:50:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-18 16:46:55 -------- d-----w- c:\program files\HTML Help Workshop
2012-01-18 14:49:08 -------- d-----w- c:\program files\IBE Software
.
==================== Find3M ====================
.
2012-02-10 13:41:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-09 21:42:19 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 15:59:48 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-22 18:39:08 220336 ----a-w- c:\windows\lp.exe
2011-11-18 20:23:34 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47:03 66560 ----a-w- c:\windows\system32\packager.dll
2011-11-17 06:48:37 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.
============= FINISH: 16:21:59.30 ===============
.
 
attach.txt follow-up (original message was too large)

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume1
Install Date: 1/11/2008 7:27:23 PM
System Uptime: 2/14/2012 3:21:44 PM (1 hours ago)
.
Motherboard: Hewlett-Packard | | 30C5
Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz | U10 | 2001/200mhz
.
==== Disk Partitions =========================
.
.
==== Installed Programs ======================
.
.
Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
AccessToCSV
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Acrobat 8 Standard
Adobe Acrobat 8.3.1 - CPSID_83708
Adobe Acrobat 8.3.1 Standard
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9
Application Installer 4.00.B14
ASDM on 10.10.10.11
AVS DVDMenu Editor 1.2.1.20
AVS Video ReMaker 2.4
AVS4YOU Software Navigator 1.2
BIOS Configuration for HP ProtectTools
CCleaner (remove only)
Centra Client
Cisco ASDM Launcher
Cisco Systems VPN Client 5.0.02.0090
Crystal Reports XI Release 2 .NET 2005 Server
DBU
Device Access Manager for HP ProtectTools
Drive Encryption for HP ProtectTools
ESU for Microsoft Vista
filehippo.com Update Checker
Google Web Accelerator
GoToMeeting 5.0.0.799
HelpNDoc 3.3.0.123 Personal Edition
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Backup & Recovery Manager Installer
HP Customer Experience Enhancements
HP Doc Viewer
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Notebook Accessories Product Tour
HP ProtectTools Security Manager
HP Quick Launch Buttons 6.40 B2
HP Update
HP User Guides 0061
HP Wireless Assistant
HTML Help Workshop
IBM iSeries Access for Windows
IBM iSeries Access for Windows SI29771
Intel(R) Network Connections Drivers
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
Ipswitch WS_FTP 12
Java Auto Updater
Java(TM) 6 Update 23
Java(TM) SE Runtime Environment 6
L0phtCrack 6
LABELVIEW 8.10.05
LightScribe 1.6.43.1
LiveReg (Symantec Corporation)
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Easy Assist v2
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Media Video 9 VCM
Mozilla Firefox 4.0.1 (x86 en-US)
mp
mpmri
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetMeeting 3.01
Network Viewer v2.2 (002)
Numara Remote Control Guest
Numara Track-It! 8 Technician Client
NVIDIA Drivers
OnBase Runtime CD Client CD #254742
PANTECH PC Card Software
PDF Complete
ProData RDR
QlikView x86
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Shortcut Explorer 3.0
Soft Data Fax Modem with SmartCP
Sonic Activation Module
SoundMAX
Stay-Linked Administrator
Stay-Linked Server for iSeries Installation Wizard
Symantec Endpoint Protection
Symantec pcAnywhere
Synaptics Pointing Device Driver
TightVNC 1.3.9
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Vista Default Settings
VLC media player 1.1.4
VNC Free Edition 4.1.2
VZAccess Manager
WebEx
WinPcap 4.0.2
WinSCP 4.2.9
WinZip
.
==== Event Viewer Messages From Past Week ========
.
2/14/2012 3:48:22 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
2/14/2012 3:48:22 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
2/14/2012 3:24:22 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer PRT01 with shared resource name HP LaserJet 8150 PCL 5. Error 1753. The printer cannot be used by others on the network.
2/14/2012 3:24:16 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
2/14/2012 3:24:16 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Service service to connect.
2/14/2012 3:24:16 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
2/14/2012 3:24:16 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
2/14/2012 3:24:16 PM, Error: Service Control Manager [7000] - The HP Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/14/2012 12:31:24 PM, Error: EventLog [6008] - The previous system shutdown at 12:29:10 PM on 2/14/2012 was unexpected.
.
==== End Of File ===========================
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===========================================================

Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
tdsskiller log per request

08:04:26.0546 9380 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
08:04:27.0638 9380 ============================================================
08:04:27.0638 9380 Current date / time: 2012/02/15 08:04:27.0638
08:04:27.0638 9380 SystemInfo:
08:04:27.0638 9380
08:04:27.0638 9380 OS Version: 6.0.6002 ServicePack: 2.0
08:04:27.0638 9380 Product type: Workstation
08:04:27.0638 9380 ComputerName: 1SR-PROG-IT
08:04:27.0638 9380 UserName: dwozniak
08:04:27.0638 9380 Windows directory: C:\Windows
08:04:27.0638 9380 System windows directory: C:\Windows
08:04:27.0638 9380 Processor architecture: Intel x86
08:04:27.0638 9380 Number of processors: 2
08:04:27.0638 9380 Page size: 0x1000
08:04:27.0638 9380 Boot type: Normal boot
08:04:27.0638 9380 ============================================================
08:04:29.0011 9380 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
08:04:29.0011 9380 \Device\Harddisk0\DR0:
08:04:29.0011 9380 MBR used
08:04:29.0011 9380 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xCC85FC1
08:04:29.0011 9380 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xCC86000, BlocksNum 0xFF1800
08:04:29.0011 9380 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xDC79800, BlocksNum 0x31A800
08:04:29.0182 9380 Initialize success
08:04:29.0182 9380 ============================================================
08:04:31.0163 3796 ============================================================
08:04:31.0163 3796 Scan started
08:04:31.0163 3796 Mode: Manual;
08:04:31.0163 3796 ============================================================
08:04:32.0739 3796 Accelerometer (17ae46c4f390fb09ddf6dacff5c0a281) C:\Windows\system32\DRIVERS\Accelerometer.sys
08:04:32.0770 3796 Accelerometer - ok
08:04:32.0833 3796 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
08:04:32.0942 3796 ACPI - ok
08:04:32.0989 3796 ADIHdAudAddService (57c2ecea569ce61cfdd4f6d76c3215fe) C:\Windows\system32\drivers\ADIHdAud.sys
08:04:32.0989 3796 ADIHdAudAddService - ok
08:04:33.0035 3796 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
08:04:33.0082 3796 adp94xx - ok
08:04:33.0145 3796 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
08:04:33.0191 3796 adpahci - ok
08:04:33.0223 3796 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
08:04:33.0238 3796 adpu160m - ok
08:04:33.0301 3796 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
08:04:33.0316 3796 adpu320 - ok
08:04:33.0441 3796 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
08:04:33.0457 3796 AFD - ok
08:04:33.0519 3796 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
08:04:33.0550 3796 agp440 - ok
08:04:33.0613 3796 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
08:04:33.0644 3796 aic78xx - ok
08:04:33.0706 3796 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
08:04:33.0737 3796 aliide - ok
08:04:33.0784 3796 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
08:04:33.0815 3796 amdagp - ok
08:04:33.0862 3796 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
08:04:33.0878 3796 amdide - ok
08:04:33.0940 3796 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
08:04:33.0940 3796 AmdK7 - ok
08:04:33.0987 3796 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\DRIVERS\amdk8.sys
08:04:34.0018 3796 AmdK8 - ok
08:04:34.0065 3796 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
08:04:34.0081 3796 arc - ok
08:04:34.0127 3796 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
08:04:34.0143 3796 arcsas - ok
08:04:34.0237 3796 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
08:04:34.0252 3796 AsyncMac - ok
08:04:34.0283 3796 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
08:04:34.0283 3796 atapi - ok
08:04:34.0315 3796 ATSWPDRV (293e8cc3c246a89f4cca75b024ad757f) C:\Windows\system32\DRIVERS\ATSwpDrv.sys
08:04:34.0346 3796 ATSWPDRV - ok
08:04:34.0424 3796 awlegacy (f7e75c620a04963c9a53c3b47da80405) C:\Windows\System32\Drivers\awlegacy.sys
08:04:34.0424 3796 awlegacy - ok
08:04:34.0502 3796 AW_HOST (ca5f2eb69105a4db4f5ced1a9a2ad69c) C:\Windows\system32\drivers\aw_host5.sys
08:04:34.0533 3796 AW_HOST - ok
08:04:34.0595 3796 BCM43XV (cf6a67c90951e3e763d2135dede44b85) C:\Windows\system32\DRIVERS\bcmwl6.sys
08:04:34.0611 3796 BCM43XV - ok
08:04:34.0627 3796 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
08:04:34.0642 3796 bcm4sbxp - ok
08:04:34.0689 3796 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
08:04:34.0689 3796 Beep - ok
08:04:34.0705 3796 blbdrive - ok
08:04:34.0767 3796 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
08:04:34.0767 3796 bowser - ok
08:04:34.0814 3796 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
08:04:34.0829 3796 BrFiltLo - ok
08:04:34.0876 3796 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
08:04:34.0876 3796 BrFiltUp - ok
08:04:34.0923 3796 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
08:04:34.0939 3796 Brserid - ok
08:04:34.0985 3796 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
08:04:35.0001 3796 BrSerWdm - ok
08:04:35.0032 3796 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
08:04:35.0032 3796 BrUsbMdm - ok
08:04:35.0063 3796 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
08:04:35.0079 3796 BrUsbSer - ok
08:04:35.0126 3796 BthEnum (064fbc56921051de1075495d628b815f) C:\Windows\system32\DRIVERS\BthEnum.sys
08:04:35.0141 3796 BthEnum - ok
08:04:35.0188 3796 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
08:04:35.0204 3796 BTHMODEM - ok
08:04:35.0266 3796 BthPan (b8c3d9ddf85fd197c3e5f849fef71144) C:\Windows\system32\DRIVERS\bthpan.sys
08:04:35.0266 3796 BthPan - ok
08:04:35.0329 3796 BTHPORT (b24757d9154cca035e1bbd3db92966d7) C:\Windows\system32\Drivers\BTHport.sys
08:04:35.0344 3796 BTHPORT - ok
08:04:35.0407 3796 BTHUSB (d42cf5f0c7635b3f1578810fe34d9e41) C:\Windows\system32\Drivers\BTHUSB.sys
08:04:35.0407 3796 BTHUSB - ok
08:04:35.0500 3796 catchme - ok
08:04:35.0609 3796 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
08:04:35.0625 3796 cdfs - ok
08:04:35.0687 3796 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
08:04:35.0703 3796 cdrom - ok
08:04:35.0765 3796 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
08:04:35.0781 3796 circlass - ok
08:04:35.0812 3796 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
08:04:35.0843 3796 CLFS - ok
08:04:35.0875 3796 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
08:04:35.0875 3796 CmBatt - ok
08:04:35.0921 3796 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
08:04:35.0937 3796 cmdide - ok
08:04:35.0999 3796 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
08:04:36.0015 3796 Compbatt - ok
08:04:36.0077 3796 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
08:04:36.0093 3796 crcdisk - ok
08:04:36.0155 3796 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
08:04:36.0155 3796 Crusoe - ok
08:04:36.0218 3796 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
08:04:36.0249 3796 CSC - ok
08:04:36.0296 3796 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
08:04:36.0327 3796 CVirtA - ok
08:04:36.0405 3796 CVPNDRVA (8a15d7bd4cf1a8ccd7c65f7349f22e35) C:\Windows\system32\Drivers\CVPNDRVA.sys
08:04:36.0421 3796 CVPNDRVA - ok
08:04:36.0483 3796 DAMDrv (5d5984255a4bfaa4262fb750df7cd537) C:\Windows\system32\DRIVERS\DAMDrv.sys
08:04:36.0514 3796 DAMDrv - ok
08:04:36.0592 3796 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
08:04:36.0608 3796 DfsC - ok
08:04:36.0670 3796 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
08:04:36.0670 3796 disk - ok
08:04:36.0733 3796 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\Windows\system32\DRIVERS\dne2000.sys
08:04:36.0764 3796 DNE - ok
08:04:36.0842 3796 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
08:04:36.0857 3796 drmkaud - ok
08:04:36.0935 3796 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
08:04:37.0013 3796 DXGKrnl - ok
08:04:37.0060 3796 e1express (2db565612e74e0c01780670270a6fd7f) C:\Windows\system32\DRIVERS\e1e6032.sys
08:04:37.0076 3796 e1express - ok
08:04:37.0138 3796 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
08:04:37.0154 3796 E1G60 - ok
08:04:37.0232 3796 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
08:04:37.0279 3796 Ecache - ok
08:04:37.0357 3796 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
08:04:37.0466 3796 eeCtrl - ok
08:04:37.0544 3796 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
08:04:37.0606 3796 elxstor - ok
08:04:37.0793 3796 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
08:04:37.0793 3796 EraserUtilRebootDrv - ok
08:04:37.0903 3796 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
08:04:37.0918 3796 exfat - ok
08:04:37.0965 3796 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
08:04:37.0965 3796 fastfat - ok
08:04:38.0121 3796 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
08:04:38.0137 3796 fdc - ok
08:04:38.0183 3796 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
08:04:38.0215 3796 FileInfo - ok
08:04:38.0277 3796 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
08:04:38.0277 3796 Filetrace - ok
08:04:38.0324 3796 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
08:04:38.0324 3796 flpydisk - ok
08:04:38.0371 3796 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
08:04:38.0417 3796 FltMgr - ok
08:04:38.0542 3796 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
08:04:38.0542 3796 Fs_Rec - ok
08:04:38.0605 3796 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
08:04:38.0620 3796 gagp30kx - ok
08:04:38.0698 3796 Gernuwa (5b8f60f7bfec67ce2491fbad799cc058) C:\Windows\system32\drivers\Gernuwa.sys
08:04:38.0714 3796 Gernuwa - ok
08:04:38.0807 3796 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
08:04:38.0823 3796 HBtnKey - ok
08:04:38.0917 3796 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
08:04:38.0963 3796 HdAudAddService - ok
08:04:39.0010 3796 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
08:04:39.0057 3796 HDAudBus - ok
08:04:39.0104 3796 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
08:04:39.0104 3796 HidBth - ok
08:04:39.0197 3796 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
08:04:39.0213 3796 HidIr - ok
08:04:39.0260 3796 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
08:04:39.0275 3796 HidUsb - ok
08:04:39.0322 3796 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
08:04:39.0322 3796 HpCISSs - ok
08:04:39.0400 3796 hpdskflt (a27494a9325c0d06c89cf47f25da8c46) C:\Windows\system32\DRIVERS\hpdskflt.sys
08:04:39.0400 3796 hpdskflt - ok
08:04:39.0463 3796 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
08:04:39.0478 3796 HpqKbFiltr - ok
08:04:39.0541 3796 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
08:04:39.0556 3796 HSFHWAZL - ok
08:04:39.0681 3796 HSF_DPV (7bc42c65b5c6281777c1a7605b253ba8) C:\Windows\system32\DRIVERS\HSX_DPV.sys
08:04:39.0743 3796 HSF_DPV - ok
08:04:39.0821 3796 HSXHWAZL (9ebf2d102ccbb6bcdfbf1b7922f8ba2e) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
08:04:39.0837 3796 HSXHWAZL - ok
08:04:39.0899 3796 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
08:04:39.0931 3796 HTTP - ok
08:04:39.0977 3796 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
08:04:40.0211 3796 i2omp - ok
08:04:40.0523 3796 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
08:04:40.0617 3796 i8042prt - ok
08:04:40.0711 3796 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
08:04:40.0757 3796 iaStorV - ok
08:04:40.0804 3796 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
08:04:41.0038 3796 iirsp - ok
08:04:41.0553 3796 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
08:04:41.0647 3796 intelide - ok
08:04:41.0818 3796 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
08:04:41.0818 3796 intelppm - ok
08:04:41.0881 3796 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
08:04:41.0896 3796 IpFilterDriver - ok
08:04:41.0943 3796 IpInIp - ok
08:04:42.0037 3796 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
08:04:42.0068 3796 IPMIDRV - ok
08:04:42.0115 3796 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
08:04:42.0130 3796 IPNAT - ok
08:04:42.0193 3796 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
08:04:42.0193 3796 IRENUM - ok
08:04:42.0255 3796 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
08:04:42.0271 3796 isapnp - ok
08:04:42.0333 3796 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
08:04:42.0349 3796 iScsiPrt - ok
08:04:42.0395 3796 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
08:04:42.0489 3796 iteatapi - ok
08:04:42.0754 3796 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
08:04:42.0848 3796 iteraid - ok
08:04:43.0113 3796 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
08:04:43.0129 3796 kbdclass - ok
08:04:43.0175 3796 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
08:04:43.0191 3796 kbdhid - ok
08:04:43.0363 3796 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
08:04:43.0378 3796 KSecDD - ok
08:04:43.0503 3796 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
08:04:43.0534 3796 lltdio - ok
08:04:43.0612 3796 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
08:04:43.0612 3796 LSI_FC - ok
08:04:43.0675 3796 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
08:04:43.0690 3796 LSI_SAS - ok
08:04:43.0753 3796 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
08:04:43.0784 3796 LSI_SCSI - ok
08:04:43.0815 3796 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
08:04:43.0831 3796 luafv - ok
08:04:43.0877 3796 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
08:04:43.0893 3796 mdmxsdk - ok
08:04:43.0940 3796 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
08:04:43.0971 3796 megasas - ok
08:04:44.0033 3796 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
08:04:44.0049 3796 Modem - ok
08:04:44.0111 3796 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
08:04:44.0127 3796 monitor - ok
08:04:44.0174 3796 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\Windows\system32\DRIVERS\motccgp.sys
08:04:44.0189 3796 motccgp - ok
08:04:44.0236 3796 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\Windows\system32\DRIVERS\motccgpfl.sys
08:04:44.0252 3796 motccgpfl - ok
08:04:44.0314 3796 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motmodem.sys
08:04:44.0314 3796 motmodem - ok
08:04:44.0392 3796 motport (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motport.sys
08:04:44.0423 3796 motport - ok
08:04:44.0470 3796 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
08:04:44.0486 3796 mouclass - ok
08:04:44.0517 3796 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
08:04:44.0533 3796 mouhid - ok
08:04:44.0564 3796 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
08:04:44.0595 3796 MountMgr - ok
08:04:44.0673 3796 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
08:04:44.0689 3796 mpio - ok
08:04:44.0767 3796 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
08:04:44.0782 3796 mpsdrv - ok
08:04:44.0860 3796 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
08:04:44.0892 3796 Mraid35x - ok
08:04:44.0970 3796 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
08:04:45.0001 3796 MRxDAV - ok
08:04:45.0110 3796 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
08:04:45.0141 3796 mrxsmb - ok
08:04:45.0266 3796 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
08:04:45.0297 3796 mrxsmb10 - ok
08:04:45.0375 3796 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
08:04:45.0375 3796 mrxsmb20 - ok
08:04:45.0422 3796 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
08:04:45.0453 3796 msahci - ok
08:04:45.0531 3796 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
08:04:45.0547 3796 msdsm - ok
08:04:45.0594 3796 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
08:04:45.0609 3796 Msfs - ok
08:04:45.0640 3796 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
08:04:45.0672 3796 msisadrv - ok
08:04:45.0718 3796 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
08:04:45.0734 3796 MSKSSRV - ok
08:04:45.0765 3796 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
08:04:45.0781 3796 MSPCLOCK - ok
08:04:45.0828 3796 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
08:04:45.0828 3796 MSPQM - ok
08:04:45.0859 3796 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
08:04:45.0921 3796 MsRPC - ok
08:04:46.0046 3796 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
08:04:46.0108 3796 mssmbios - ok
08:04:46.0202 3796 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
08:04:46.0202 3796 MSTEE - ok
08:04:46.0264 3796 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
08:04:46.0296 3796 Mup - ok
08:04:46.0405 3796 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
08:04:46.0436 3796 NativeWifiP - ok
08:04:46.0623 3796 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20120214.036\NAVENG.SYS
08:04:46.0623 3796 NAVENG - ok
08:04:46.0686 3796 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20120214.036\NAVEX15.SYS
08:04:46.0748 3796 NAVEX15 - ok
08:04:46.0904 3796 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
08:04:46.0998 3796 NDIS - ok
08:04:47.0107 3796 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
08:04:47.0122 3796 NdisTapi - ok
08:04:47.0200 3796 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
08:04:47.0216 3796 Ndisuio - ok
08:04:47.0278 3796 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
08:04:47.0419 3796 NdisWan - ok
08:04:47.0497 3796 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
08:04:47.0512 3796 NDProxy - ok
08:04:47.0559 3796 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
08:04:47.0575 3796 NetBIOS - ok
08:04:47.0622 3796 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
08:04:47.0731 3796 netbt - ok
08:04:48.0199 3796 NETw4v32 (38d720e0c8b0ecb9a019980265679798) C:\Windows\system32\DRIVERS\NETw4v32.sys
08:04:48.0292 3796 NETw4v32 - ok
08:04:48.0448 3796 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
08:04:48.0511 3796 nfrd960 - ok
08:04:48.0604 3796 NPF (6623e51595c0076755c29c00846c4eb2) C:\Windows\system32\drivers\npf.sys
08:04:48.0636 3796 NPF - ok
08:04:48.0682 3796 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
08:04:48.0698 3796 Npfs - ok
08:04:48.0729 3796 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
08:04:48.0745 3796 nsiproxy - ok
08:04:48.0807 3796 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
08:04:48.0979 3796 Ntfs - ok
08:04:49.0213 3796 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
08:04:49.0213 3796 ntrigdigi - ok
08:04:49.0275 3796 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
08:04:49.0291 3796 Null - ok
08:04:49.0540 3796 nvlddmkm (977f4622c4f2152331a4f1aee78269dd) C:\Windows\system32\DRIVERS\nvlddmkm.sys
08:04:50.0274 3796 nvlddmkm - ok
08:04:50.0383 3796 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
08:04:50.0398 3796 nvraid - ok
08:04:50.0476 3796 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
08:04:50.0492 3796 nvstor - ok
08:04:50.0554 3796 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
08:04:50.0570 3796 nv_agp - ok
08:04:50.0617 3796 NwlnkFlt - ok
08:04:50.0632 3796 NwlnkFwd - ok
08:04:50.0664 3796 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
08:04:50.0679 3796 ohci1394 - ok
08:04:50.0788 3796 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
08:04:50.0788 3796 Parport - ok
08:04:50.0866 3796 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
08:04:50.0929 3796 partmgr - ok
08:04:51.0366 3796 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
08:04:51.0397 3796 Parvdm - ok
08:04:51.0787 3796 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
08:04:51.0834 3796 pci - ok
08:04:51.0912 3796 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\DRIVERS\pciide.sys
08:04:51.0958 3796 pciide - ok
08:04:52.0005 3796 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
08:04:52.0052 3796 pcmcia - ok
08:04:52.0130 3796 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
08:04:52.0192 3796 PEAUTH - ok
08:04:52.0286 3796 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
08:04:52.0286 3796 PptpMiniport - ok
08:04:52.0333 3796 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
08:04:52.0348 3796 Processor - ok
08:04:52.0395 3796 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
08:04:52.0395 3796 PSched - ok
08:04:52.0473 3796 PTDCBus (445d21f11eb4f378b206ebca5f597ffa) C:\Windows\system32\DRIVERS\PTDCBus.sys
08:04:52.0489 3796 PTDCBus - ok
08:04:52.0770 3796 PTDCMdm (fea4addf9e23b853e5cacc9f013bb986) C:\Windows\system32\DRIVERS\PTDCMdm.sys
08:04:52.0801 3796 PTDCMdm - ok
08:04:53.0004 3796 PTDCVsp (56e46ffef17844e626b441176be1aabf) C:\Windows\system32\DRIVERS\PTDCVsp.sys
08:04:53.0019 3796 PTDCVsp - ok
08:04:53.0097 3796 PTDCWWAN (a4bbb6c04d80ed32b8f3d3c10430a032) C:\Windows\system32\DRIVERS\PTDCWWAN.sys
08:04:53.0097 3796 PTDCWWAN - ok
08:04:53.0222 3796 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys
08:04:53.0253 3796 PxHelp20 - ok
08:04:53.0425 3796 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
08:04:53.0487 3796 ql2300 - ok
08:04:53.0877 3796 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
08:04:53.0924 3796 ql40xx - ok
08:04:54.0049 3796 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
08:04:54.0064 3796 QWAVEdrv - ok
08:04:54.0158 3796 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
08:04:54.0392 3796 R300 - ok
08:04:54.0501 3796 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
08:04:54.0501 3796 RasAcd - ok
08:04:54.0798 3796 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
08:04:54.0829 3796 Rasl2tp - ok
08:04:55.0141 3796 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
08:04:55.0156 3796 RasPppoe - ok
08:04:55.0250 3796 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
08:04:55.0266 3796 RasSstp - ok
08:04:55.0312 3796 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
08:04:55.0468 3796 rdbss - ok
08:04:55.0562 3796 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
08:04:55.0578 3796 RDPCDD - ok
08:04:55.0624 3796 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
08:04:55.0656 3796 rdpdr - ok
08:04:55.0687 3796 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
08:04:55.0983 3796 RDPENCDD - ok
08:04:56.0139 3796 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
08:04:56.0170 3796 RDPWD - ok
08:04:56.0248 3796 RFCOMM (7ec90c316177ba3f1bce92005264b447) C:\Windows\system32\DRIVERS\rfcomm.sys
08:04:56.0264 3796 RFCOMM - ok
08:04:56.0326 3796 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\Windows\system32\DRIVERS\rimmptsk.sys
08:04:56.0342 3796 rimmptsk - ok
08:04:56.0404 3796 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
08:04:56.0420 3796 RimUsb - ok
08:04:56.0482 3796 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
08:04:56.0482 3796 RimVSerPort - ok
08:04:56.0545 3796 rismc32 (7c21554942bef51cbd84fd7d4e62cb9a) C:\Windows\system32\DRIVERS\rismc32.sys
08:04:56.0560 3796 rismc32 - ok
08:04:56.0638 3796 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
08:04:56.0654 3796 ROOTMODEM - ok
08:04:56.0794 3796 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
08:04:56.0794 3796 rspndr - ok
08:04:56.0919 3796 RsvLock (40ace983d0b03e997191ff6f7ff407d7) C:\Windows\system32\drivers\RsvLock.sys
08:04:56.0950 3796 RsvLock - ok
08:04:56.0982 3796 SafeBoot (58a8f41e174b28843692812d55547dc3) C:\Windows\system32\drivers\SafeBoot.sys
08:04:56.0982 3796 Suspicious file (NoAccess): C:\Windows\system32\drivers\SafeBoot.sys. md5: 58a8f41e174b28843692812d55547dc3
08:04:56.0982 3796 SafeBoot ( LockedFile.Multi.Generic ) - warning
08:04:56.0982 3796 SafeBoot - detected LockedFile.Multi.Generic (1)
08:04:57.0122 3796 SbAlg (f6367fb350f8e5d3f6dd8040e4c0e33b) C:\Windows\system32\drivers\SbAlg.sys
08:04:57.0184 3796 SbAlg - ok
08:04:57.0278 3796 SbFsLock (df4a90b29b878e8cd95a1ac8f94ca954) C:\Windows\system32\drivers\SbFsLock.sys
08:04:57.0309 3796 SbFsLock - ok
08:04:57.0403 3796 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
08:04:57.0496 3796 sbp2port - ok
08:04:57.0949 3796 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
08:04:57.0980 3796 sdbus - ok
08:04:58.0386 3796 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
08:04:58.0401 3796 secdrv - ok
08:04:58.0635 3796 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
08:04:58.0651 3796 Serenum - ok
08:04:58.0682 3796 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
08:04:58.0713 3796 Serial - ok
08:04:58.0744 3796 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
08:04:58.0760 3796 sermouse - ok
08:04:58.0838 3796 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
08:04:58.0854 3796 sffdisk - ok
08:04:59.0322 3796 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
08:04:59.0353 3796 sffp_mmc - ok
08:04:59.0462 3796 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
08:04:59.0478 3796 sffp_sd - ok
08:04:59.0868 3796 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
08:04:59.0883 3796 sfloppy - ok
08:05:00.0102 3796 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
08:05:00.0180 3796 sisagp - ok
08:05:00.0367 3796 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
08:05:00.0367 3796 SiSRaid2 - ok
08:05:00.0460 3796 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
08:05:00.0492 3796 SiSRaid4 - ok
08:05:00.0554 3796 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
08:05:00.0585 3796 Smb - ok
08:05:00.0710 3796 SPBBCDrv (77780509a16a1df7f2d8531d21ddb9b9) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
08:05:00.0741 3796 SPBBCDrv - ok
08:05:00.0788 3796 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
08:05:00.0804 3796 spldr - ok
08:05:00.0835 3796 SRTSP (5e4985a84f13abf5727bed3c50bd7031) C:\Windows\system32\Drivers\SRTSP.SYS
08:05:00.0897 3796 SRTSP - ok
08:05:00.0960 3796 SRTSPL (8117dca2cdf9d11c441c473dc9631655) C:\Windows\system32\Drivers\SRTSPL.SYS
08:05:01.0006 3796 SRTSPL - ok
08:05:01.0053 3796 SRTSPX (5e89104af0dc94b659ea8ec3e66c3eeb) C:\Windows\system32\Drivers\SRTSPX.SYS
08:05:01.0069 3796 SRTSPX - ok
08:05:01.0162 3796 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
08:05:01.0178 3796 srv - ok
08:05:01.0209 3796 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
08:05:01.0225 3796 srv2 - ok
08:05:01.0256 3796 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
08:05:01.0272 3796 srvnet - ok
08:05:01.0350 3796 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
08:05:01.0365 3796 swenum - ok
08:05:01.0412 3796 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
08:05:01.0412 3796 Symc8xx - ok
08:05:01.0459 3796 SymEvent (e03ee3ef1037099554d17bed99545a5e) C:\Windows\system32\Drivers\SYMEVENT.SYS
08:05:01.0474 3796 SymEvent - ok
08:05:01.0537 3796 SYMREDRV (be3c117150c055e50a4caf23e548c856) C:\Windows\System32\Drivers\SYMREDRV.SYS
08:05:01.0552 3796 SYMREDRV - ok
08:05:01.0615 3796 SYMTDI (7b0af4e22b32f8c5bfba5a5d53522160) C:\Windows\System32\Drivers\SYMTDI.SYS
08:05:01.0646 3796 SYMTDI - ok
08:05:01.0708 3796 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
08:05:01.0771 3796 Sym_hi - ok
08:05:01.0849 3796 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
08:05:01.0864 3796 Sym_u3 - ok
08:05:01.0927 3796 SynTP (bf7aa84d5af0faa0978c840e63b17dbf) C:\Windows\system32\DRIVERS\SynTP.sys
08:05:01.0942 3796 SynTP - ok
08:05:02.0083 3796 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
08:05:02.0176 3796 Tcpip - ok
08:05:02.0223 3796 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
08:05:02.0239 3796 Tcpip6 - ok
08:05:02.0286 3796 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
08:05:02.0286 3796 tcpipreg - ok
08:05:02.0332 3796 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
08:05:02.0332 3796 TDPIPE - ok
08:05:02.0379 3796 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
08:05:02.0379 3796 TDTCP - ok
08:05:02.0442 3796 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
08:05:02.0457 3796 tdx - ok
08:05:02.0488 3796 TermDD (85908da29af0ab835048107ad2ad07d1) C:\Windows\system32\DRIVERS\termdd.sys
08:05:02.0504 3796 TermDD - ok
08:05:02.0972 3796 TPM (cb258c2f726f1be73c507022be33ebb3) C:\Windows\system32\drivers\tpm.sys
08:05:03.0003 3796 TPM - ok
08:05:03.0206 3796 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
08:05:03.0222 3796 tssecsrv - ok
08:05:03.0253 3796 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
08:05:03.0268 3796 tunmp - ok
08:05:03.0300 3796 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
08:05:03.0315 3796 tunnel - ok
08:05:03.0362 3796 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
08:05:03.0393 3796 uagp35 - ok
08:05:03.0440 3796 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
08:05:03.0456 3796 udfs - ok
08:05:03.0580 3796 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
08:05:03.0627 3796 uliagpkx - ok
08:05:03.0752 3796 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
08:05:03.0768 3796 uliahci - ok
08:05:03.0814 3796 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
08:05:03.0846 3796 UlSata - ok
08:05:03.0908 3796 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
08:05:03.0939 3796 ulsata2 - ok
08:05:03.0986 3796 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
08:05:03.0986 3796 umbus - ok
08:05:04.0454 3796 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
08:05:04.0516 3796 usbccgp - ok
08:05:04.0984 3796 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
08:05:05.0016 3796 usbcir - ok
08:05:05.0094 3796 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
08:05:05.0156 3796 usbehci - ok
08:05:05.0218 3796 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
08:05:05.0234 3796 usbhub - ok
08:05:05.0281 3796 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
08:05:05.0296 3796 usbohci - ok
08:05:05.0328 3796 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
08:05:05.0343 3796 usbprint - ok
08:05:05.0421 3796 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
08:05:05.0437 3796 USBSTOR - ok
08:05:05.0484 3796 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
08:05:05.0484 3796 usbuhci - ok
08:05:05.0562 3796 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
08:05:05.0562 3796 vga - ok
08:05:05.0608 3796 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
08:05:05.0608 3796 VgaSave - ok
08:05:05.0640 3796 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
08:05:05.0655 3796 viaagp - ok
08:05:05.0686 3796 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
08:05:05.0702 3796 ViaC7 - ok
08:05:05.0733 3796 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
08:05:05.0764 3796 viaide - ok
08:05:05.0811 3796 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
08:05:05.0811 3796 volmgr - ok
08:05:05.0952 3796 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
08:05:06.0264 3796 volmgrx - ok
08:05:06.0342 3796 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
08:05:06.0357 3796 volsnap - ok
08:05:06.0373 3796 vsdatant - ok
08:05:06.0404 3796 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
08:05:06.0420 3796 vsmraid - ok
08:05:06.0482 3796 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
08:05:06.0498 3796 WacomPen - ok
08:05:06.0544 3796 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
08:05:06.0560 3796 Wanarp - ok
08:05:06.0560 3796 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
08:05:06.0560 3796 Wanarpv6 - ok
08:05:06.0622 3796 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
08:05:06.0654 3796 Wd - ok
08:05:06.0700 3796 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
08:05:06.0747 3796 Wdf01000 - ok
08:05:06.0825 3796 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\Windows\system32\DRIVERS\wimfltr.sys
08:05:06.0841 3796 WimFltr - ok
08:05:06.0888 3796 winachsf (5a77ac34a0ffb70ce8b35b524fede9ba) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
08:05:06.0950 3796 winachsf - ok
08:05:07.0028 3796 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
08:05:07.0028 3796 WmiAcpi - ok
08:05:07.0324 3796 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
08:05:07.0324 3796 ws2ifsl - ok
08:05:07.0402 3796 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
08:05:07.0402 3796 WUDFRd - ok
08:05:07.0465 3796 XAudio (88af537264f2b818da15479ceeaf5d7c) C:\Windows\system32\DRIVERS\xaudio.sys
08:05:07.0465 3796 XAudio - ok
08:05:07.0496 3796 MBR (0x1B8) (6403378443eaa23bb8721c6f3bf78513) \Device\Harddisk0\DR0
08:05:07.0527 3796 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:05:07.0527 3796 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:05:07.0527 3796 Boot (0x1200) (6c8cddfc90a1db25a83aea56927e7fb0) \Device\Harddisk0\DR0\Partition0
08:05:07.0527 3796 \Device\Harddisk0\DR0\Partition0 - ok
08:05:07.0543 3796 Boot (0x1200) (1c96d780de0154eb141ad99290a5eb94) \Device\Harddisk0\DR0\Partition1
08:05:07.0543 3796 \Device\Harddisk0\DR0\Partition1 - ok
08:05:07.0558 3796 Boot (0x1200) (6f593f221ea0a96f924e8a65bc97f325) \Device\Harddisk0\DR0\Partition2
08:05:07.0558 3796 \Device\Harddisk0\DR0\Partition2 - ok
08:05:07.0558 3796 ============================================================
08:05:07.0558 3796 Scan finished
08:05:07.0558 3796 ============================================================
08:05:07.0574 4068 Detected object count: 2
08:05:07.0574 4068 Actual detected object count: 2
08:05:45.0282 4068 SafeBoot ( LockedFile.Multi.Generic ) - skipped by user
08:05:45.0282 4068 SafeBoot ( LockedFile.Multi.Generic ) - User select action: Skip
08:05:46.0405 4068 \Device\Harddisk0\DR0\# - copied to quarantine
08:05:46.0405 4068 \Device\Harddisk0\DR0 - copied to quarantine
08:05:46.0592 4068 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
08:05:46.0624 4068 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
08:05:50.0524 4068 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
08:05:50.0618 4068 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
08:05:50.0852 4068 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
08:05:51.0070 4068 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
08:05:51.0132 4068 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
08:05:51.0148 4068 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
08:05:51.0148 4068 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
08:05:51.0164 4068 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
08:05:51.0195 4068 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
08:05:51.0382 4068 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
08:05:51.0600 4068 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
08:05:51.0616 4068 \Device\Harddisk0\DR0 - ok
08:05:53.0660 4068 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
08:05:56.0655 0640 Deinitialize success
 
Good.

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==================================================================

Download BTKR_RunBox to your desktop.

Double click on downloaded BTKR_RunBox.exe file.
A small RunBox DOS window will open.
Press any key to continue.
Press "1" to select "Run a scan with Bootkit Remover" option.
Press "Enter".
Press "Enter" one more time to generate log.
Click OK, IF any "Warning" message pops up.
Notepad will open with Bootkit Remover log.
Copy the content and post it in your next reply.
In RunBox press "4" then Enter to exit it.

NOTE. In case you lost the log it's also located on your desktop as "scan.txt"
 
aswMBR and BTKR_Runbox logs

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-15 13:23:25
-----------------------------
13:23:25.411 OS Version: Windows 6.0.6002 Service Pack 2
13:23:25.411 Number of processors: 2 586 0xF0A
13:23:25.412 ComputerName: 1SR-PROG-IT UserName: dwozniak
13:23:31.778 Initialize success
13:30:57.538 AVAST engine defs: 12021500
13:36:34.513 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-8
13:36:34.516 Disk 0 Vendor: ST9120823AS 3.BHC Size: 114473MB BusType: 3
13:36:34.576 Disk 0 MBR read successfully
13:36:34.579 Disk 0 MBR scan
13:36:34.944 Disk 0 unknown MBR code
13:36:34.988 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 104715 MB offset 63
13:36:35.060 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8163 MB offset 214458368
13:36:35.086 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1589 MB offset 231184384
13:36:35.234 Disk 0 scanning sectors +234438656
13:36:35.527 Disk 0 scanning C:\Windows\system32\drivers
13:37:28.212 Service scanning
13:37:30.074 Service SafeBoot C:\Windows\System32\Drivers\SafeBoot.sys **LOCKED** 32
13:37:30.910 Modules scanning
13:38:14.178 Disk 0 trace - called modules:
13:38:14.219 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ataport.SYS
13:38:14.229 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8648b7d0]
13:38:14.234 3 CLASSPNP.SYS[88bcb8b3] -> nt!IofCallDriver -> [0x86388378]
13:38:14.239 5 hpdskflt.sys[88badeb7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-8[0x85ab5b98]
13:38:18.412 AVAST engine scan C:\Windows
13:38:34.984 AVAST engine scan C:\Windows\system32
13:47:25.884 AVAST engine scan C:\Windows\system32\drivers
13:47:46.249 AVAST engine scan C:\Users\dwozniak
13:49:31.555 File: C:\Users\dwozniak\AppData\Local\temp\5FD9.tmp **INFECTED** Win32:MalOb-HP [Cryp]
13:53:05.699 AVAST engine scan C:\ProgramData
13:56:35.222 Scan finished successfully
14:01:45.539 Disk 0 MBR has been saved successfully to "C:\Users\dwozniak\Desktop\MBR.dat"
14:01:45.548 The log file has been saved successfully to "C:\Users\dwozniak\Desktop\aswMBR.txt"


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com
Program version: 1.2.0.0
OS Version: Microsoft Windows Vista Business Edition Service Pack 2 (build 6002), 32-bit
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 701fc521a455dfd715ca6d2d6afe2b46

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Done;



Press any key to quit...
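Both scanners above flagged "unknown boot code" without showing what they looked at. The script below, added here as an example and not code from aswMBR, TDSSKiller or Bootkit Remover, reads a raw 512-byte MBR image such as the MBR.dat aswMBR saved (or a sector dumped with `remover.exe dump`), parses the partition table, hashes the boot code and sanity-checks the partitions. The sample MBR it builds is constructed: the partition layout mirrors the three NTFS partitions aswMBR listed, but the boot code is a dummy stub, so the hashes it prints are not the ones in the logs above. Hashing the first 0x1B8 bytes is an assumption about what TDSSKiller's "MBR (0x1B8)" label denotes; a hash is only useful next to one taken from a known-clean MBR of the same Windows version and partitioning scheme, which the script does not ship.

```python
"""Parse a raw MBR sector, hash its boot code and check the partition table.

Added example for this thread, not the scanners' own code. build_sample_mbr()
returns a constructed image: dummy boot code plus the partition layout from
the aswMBR log, so its hashes do NOT match anything in the logs.
"""
import hashlib
import struct
import sys

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE
BOOT_CODE_LEN = 0x1B8                      # bytes before the 4-byte disk signature
PART_ENTRY = struct.Struct("<B3sB3sII")    # status, CHS start, type, CHS end, LBA, count


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code MD5, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                        # empty slot
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, 0x1B8)[0],
        "partitions": parts,
    }


def check_partitions(parts, disk_sectors):
    """List problems: overlapping entries, ranges past the disk end, active-flag count != 1."""
    problems = []
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in ordered:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            problems.append(f"partition {p['index']} extends past the end of the disk")
    if sum(p["active"] for p in parts) != 1:
        problems.append("expected exactly one active partition")
    return problems


def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot stub + the partition layout aswMBR reported."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)   # dummy stub
    sig = struct.pack("<I", 0x12345678) + b"\x00\x00"                        # signature + reserved
    layout = [(0x80, 0x07, 63, 104715 * 2048),          # active NTFS, 104715 MB at LBA 63
              (0x00, 0x07, 214458368, 8163 * 2048),     # NTFS, 8163 MB
              (0x00, 0x07, 231184384, 1589 * 2048),     # NTFS, 1589 MB
              (0x00, 0x00, 0, 0)]                       # empty slot
    table = b"".join(PART_ENTRY.pack(s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in layout)
    return code + sig + table + b"\x55\xAA"


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat   (no argument: parse the constructed sample)
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("boot code md5:", info["boot_code_md5"], "disk signature: 0x%08X" % info["disk_signature"])
    for p in info["partitions"]:
        flag = "*" if p["active"] else " "
        print(f"  #{p['index']} {flag} type 0x{p['type']:02X} lba {p['lba_start']:>10} {p['size_mb']:>7} MB")
    for problem in check_partitions(info["partitions"], 114473 * 2048):   # 114473 MB disk per aswMBR
        print("WARNING:", problem)
```

Run it once against MBR.dat before the cure and once against a fresh dump after the reboot: the partition table should be identical both times (a bootkit that patches the MBR keeps the table so Windows still boots), while the boot-code hash should change only when the MBR was actually rewritten.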
 
Good :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Combofix log

ComboFix 12-02-15.01 - dwozniak 02/15/2012 14:53:05.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2031.1149 [GMT -5:00]
Running from: c:\users\dwozniak\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFRF387.tmp
c:\users\dwozniak\g2mdlhlpx.exe
c:\users\mmasters\g2mdlhlpx.exe
c:\windows\$NtUninstallKB62280$
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\keywords
c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
c:\windows\$NtUninstallKB62280$\485945278\L\vhtmwbun
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\$NtUninstallKB62280$\87212029
c:\windows\system32\zip32.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
.
.
2012-02-15 13:56 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-03 15:50 . 2012-02-15 13:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-18 16:46 . 2012-01-18 16:46 -------- d-----w- c:\program files\HTML Help Workshop
2012-01-18 14:49 . 2012-01-18 14:49 -------- d-----w- c:\program files\IBE Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-10 13:41 . 2011-05-16 15:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 19:52 . 2012-02-15 13:36 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 21:42 . 2011-06-15 08:20 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-16 15:59 . 2012-02-15 13:37 834048 ----a-w- c:\windows\system32\wininet.dll
2011-12-10 20:24 . 2012-01-09 21:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 15:59 . 2012-01-11 10:22 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-22 18:39 . 2011-11-22 18:58 220336 ----a-w- c:\windows\lp.exe
2011-11-18 20:23 . 2012-01-11 10:22 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47 . 2012-01-11 10:22 66560 ----a-w- c:\windows\system32\packager.dll
2011-04-14 16:26 . 2011-06-16 15:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-12 115560]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-19 13531680]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-19 92704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 15:19 49152 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-1112\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-3566\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4087\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4092\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4151\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4231\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\bedsales.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4265\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-500\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 06:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
2007-03-07 09:40 20531 ----a-w- c:\program files\IBM\Client Access\cwbsvstr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-09-19 21:30 66816 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-03-19 18:00 13531680 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-03-19 18:00 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
2007-05-08 15:38 331552 ----a-w- c:\program files\PDF Complete\pdfsty.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 22:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-11-06 20:34 177456 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 03:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-02-21 13:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 19:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2007-01-10 23:12 317128 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
PeerDist REG_MULTI_SZ PeerDistSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-15 c:\windows\Tasks\User_Feed_Synchronization-{58B35616-60A8-422E-BAE4-5E4705BF0CE2}.job
- c:\windows\system32\msfeedssync.exe [2008-05-23 07:33]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.hp.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.10.10.7
FF - ProfilePath - c:\users\dwozniak\AppData\Roaming\Mozilla\Firefox\Profiles\gqz8wxik.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-27439961.sys
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_06\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-15 15:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}*]
"FVI2BORQSBKVMWHTNYLKBSB6ZB1"=hex:01,00,01,00,00,00,00,00,4f,29,85,7a,b6,3c,ba,
bd,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,8e,ce,17,
8d,3b,5a,3c,de,2b,f8,68,e1,af,05,2d,7f,cb,1e,b7,b4,1e,08,b6,ff,64,4a,ca,04,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,8e,ce,17,
8d,3b,5a,3c,de,2b,f8,68,e1,af,05,2d,7f,cb,1e,b7,b4,1e,08,b6,ff,64,4a,ca,04,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}*]
"FVI2BORQSBKVMWHTNYLKBSB6ZB1"=hex:01,00,01,00,00,00,00,00,4f,29,85,7a,b6,3c,ba,
bd,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8065E9BF-72C0-0FC1-5AFDE65F0780FDDF}\{9AEA461A-A66D-2047-6BE4E874E5E97513}\{AA471588-234B-ED0A-4D91A11ADDB01E65}*]
"FVI2BORQSBKVMWHTNYLKBSB6ZB1"=hex:01,00,01,00,00,00,00,00,4f,29,85,7a,b6,3c,ba,
bd,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DFFD277A-DF70-B410-AC1E2F7ACB2EF6E1}\{F03E0E06-1B3D-CEE3-10573FC9D15505B4}\{82A99E38-2615-AE8D-106A193CCF03E65A}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,8e,ce,17,
8d,3b,5a,3c,de,2b,f8,68,e1,af,05,2d,7f,cb,1e,b7,b4,1e,08,b6,ff,64,4a,ca,04,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(700)
c:\windows\SbHpNp.dll
.
- - - - - - - > 'Explorer.exe'(3080)
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
c:\windows\system32\rundll32.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\CWBRXD.EXE
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\PDF Complete\pdfsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-02-15 15:20:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-15 20:20
ComboFix2.txt 2010-01-07 21:51
.
Pre-Run: 40,836,898,816 bytes free
Post-Run: 41,488,166,912 bytes free
.
- - End Of File - - CE14F0EF86C8B02F7605F6A6BC505E86
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8065E9BF-72C0-0FC1-5AFDE65F0780FDDF}\{9AEA461A-A66D-2047-6BE4E874E5E97513}\{AA471588-234B-ED0A-4D91A11ADDB01E65}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DFFD277A-DF70-B410-AC1E2F7ACB2EF6E1}\{F03E0E06-1B3D-CEE3-10573FC9D15505B4}\{82A99E38-2615-AE8D-106A193CCF03E65A}*]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Second Combofix log

ComboFix 12-02-16.01 - dwozniak 02/16/2012 9:17.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2031.1064 [GMT -5:00]
Running from: c:\users\dwozniak\Desktop\ComboFix.exe
Command switches used :: c:\users\dwozniak\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-16 13:38 . 2012-02-16 13:39 -------- d-----w- c:\users\TEMP
2012-02-15 20:05 . 2012-02-16 14:29 -------- d-----w- c:\users\dwozniak\AppData\Local\temp
2012-02-15 13:56 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-15 13:36 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-03 15:50 . 2012-02-15 13:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-18 16:46 . 2012-01-18 16:46 -------- d-----w- c:\program files\HTML Help Workshop
2012-01-18 14:49 . 2012-01-18 14:49 -------- d-----w- c:\program files\IBE Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-10 13:41 . 2011-05-16 15:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-09 21:42 . 2011-06-15 08:20 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-10 20:24 . 2012-01-09 21:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 15:59 . 2012-01-11 10:22 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-22 18:39 . 2011-11-22 18:58 220336 ----a-w- c:\windows\lp.exe
2011-11-18 20:23 . 2012-01-11 10:22 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47 . 2012-01-11 10:22 66560 ----a-w- c:\windows\system32\packager.dll
2011-04-14 16:26 . 2011-06-16 15:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-12 115560]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-19 13531680]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-19 92704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 15:19 49152 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-1112\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-3566\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4087\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4092\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4151\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4231\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\bedsales.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-4265\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1415918955-262412770-2076119496-500\Scripts\Logon\0\0]
"Script"=\\halex.local\SysVol\halex.local\scripts\IT.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 06:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
2007-03-07 09:40 20531 ----a-w- c:\program files\IBM\Client Access\cwbsvstr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-09-19 21:30 66816 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-03-19 18:00 13531680 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-03-19 18:00 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
2007-05-08 15:38 331552 ----a-w- c:\program files\PDF Complete\pdfsty.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 22:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-11-06 20:34 177456 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 03:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-02-21 13:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 19:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2007-01-10 23:12 317128 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
PeerDist REG_MULTI_SZ PeerDistSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-16 c:\windows\Tasks\User_Feed_Synchronization-{58B35616-60A8-422E-BAE4-5E4705BF0CE2}.job
- c:\windows\system32\msfeedssync.exe [2008-05-23 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
mStart Page = hxxp://www.hp.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.10.10.7
FF - ProfilePath - c:\users\dwozniak\AppData\Roaming\Mozilla\Firefox\Profiles\gqz8wxik.default\
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1415918955-262412770-2076119496-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9a,f4,ba,44,50,fa,3e,4e,8c,30,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9a,f4,ba,44,50,fa,3e,4e,8c,30,24,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(736)
c:\windows\SbHpNp.dll
.
Completion time: 2012-02-16 09:32:51
ComboFix-quarantined-files.txt 2012-02-16 14:32
ComboFix2.txt 2012-02-15 20:20
ComboFix3.txt 2010-01-07 21:51
.
Pre-Run: 40,735,719,424 bytes free
Post-Run: 40,732,463,104 bytes free
.
- - End Of File - - 68E09EDDB7F5CA4F05DC1E73E5E268D5
 
Good job :)

How is the computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
half the OTL log

OTL logfile created on: 2/16/2012 1:14:13 PM - Run 1
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\dwozniak\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 0.85 Gb Available Physical Memory | 42.65% Memory free
4.20 Gb Paging File | 2.66 Gb Available in Paging File | 63.25% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102.26 Gb Total Space | 37.94 Gb Free Space | 37.10% Space Free | Partition Type: NTFS
Drive E: | 1.55 Gb Total Space | 1.32 Gb Free Space | 84.85% Space Free | Partition Type: NTFS
Drive F: | 7.97 Gb Total Space | 0.98 Gb Free Space | 12.31% Space Free | Partition Type: NTFS
Drive H: | 50.01 Gb Total Space | 24.25 Gb Free Space | 48.50% Space Free | Partition Type: NTFS
Drive I: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive J: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive K: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive M: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive P: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive Q: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS

Computer Name: 1SR-PROG-IT | User Name: dwozniak | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/16 13:12:15 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\dwozniak\Desktop\OTL.exe
PRC - [2011/08/30 12:24:59 | 000,624,056 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
PRC - [2009/04/10 22:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/09/11 19:47:38 | 001,787,200 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2008/09/11 19:47:38 | 001,439,040 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2008/09/11 19:47:38 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2008/09/11 19:47:36 | 002,436,536 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/08/28 15:06:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/06/25 13:02:07 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2007/05/08 10:38:46 | 000,540,448 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsvc.exe
PRC - [2007/04/27 12:58:58 | 000,221,184 | ---- | M] (SafeBoot International) -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
PRC - [2007/03/07 04:40:00 | 000,061,489 | ---- | M] (IBM Corporation) -- C:\Windows\cwbrxd.exe
PRC - [2007/02/06 01:44:24 | 000,069,632 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE
PRC - [2007/01/04 22:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/05/12 14:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/05 03:52:30 | 000,756,048 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL
MOD - [2011/08/30 11:55:00 | 002,469,888 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 8.0\PDFMaker\Common\AdobePDFMakerX.dll
MOD - [2011/06/22 11:46:12 | 000,434,016 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
MOD - [2009/02/26 13:46:56 | 000,064,344 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
MOD - [2007/07/09 21:24:38 | 000,311,296 | ---- | M] () -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
MOD - [2007/02/16 19:40:42 | 005,521,408 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtGui4.dll
MOD - [2007/02/16 19:40:40 | 001,466,368 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtCore4.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (Smcinst)
SRV - File not found [On_Demand | Stopped] -- -- (LcAgent)
SRV - [2009/10/09 16:57:12 | 000,943,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/01/16 13:52:53 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2008/09/11 19:47:38 | 001,787,200 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2008/09/11 19:47:38 | 000,312,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2008/09/11 19:47:36 | 002,436,536 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008/08/28 15:06:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/06/30 16:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/06/25 13:02:07 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/06 15:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/05/08 10:38:46 | 000,540,448 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
SRV - [2007/04/30 10:28:34 | 000,172,131 | ---- | M] (Hewlett-Packard Ltd) [On_Demand | Stopped] -- C:\Windows\System32\flcdlock.exe -- (FLCDLOCK)
SRV - [2007/04/27 12:58:58 | 000,221,184 | ---- | M] (SafeBoot International) [Auto | Running] -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe -- (HpFkCryptService)
SRV - [2007/03/07 04:40:00 | 000,061,489 | ---- | M] (IBM Corporation) [Auto | Running] -- C:\Windows\cwbrxd.exe -- (Cwbrxd)
SRV - [2007/03/05 12:30:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)
SRV - [2007/02/06 01:44:24 | 000,069,632 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)
SRV - [2007/01/04 22:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/05/12 14:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2001/02/14 09:00:00 | 000,106,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2012/02/08 03:04:47 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120215.036\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/02/08 03:04:47 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/02/08 03:04:47 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120215.036\NAVENG.SYS -- (NAVENG)
DRV - [2012/02/03 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/01/26 08:16:49 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/09/11 19:47:40 | 000,317,872 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2008/09/11 19:47:40 | 000,279,600 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2008/09/11 19:47:40 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2008/09/11 19:47:32 | 000,420,400 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/09/11 19:47:32 | 000,191,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2008/09/11 19:47:32 | 000,027,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2008/08/21 23:49:58 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/08/21 23:49:22 | 000,018,688 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motccgp.sys -- (motccgp)
DRV - [2008/03/19 13:00:00 | 007,438,432 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/02/07 00:13:00 | 000,218,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2008/01/19 02:42:12 | 000,045,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2007/11/06 15:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2007/10/31 18:36:32 | 002,252,800 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
DRV - [2007/10/26 14:27:00 | 000,306,300 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motport.sys -- (motport)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/06/18 15:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/04/30 19:30:14 | 000,058,240 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDCWWAN.sys -- (PTDCWWAN)
DRV - [2007/04/26 21:23:36 | 000,005,808 | ---- | M] (SafeBoot International) [Kernel | System | Running] -- C:\Windows\System32\drivers\rsvlock.sys -- (RsvLock)
DRV - [2007/04/26 21:23:06 | 000,100,095 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SafeBoot.sys -- (SafeBoot)
DRV - [2007/04/23 15:13:44 | 000,030,008 | ---- | M] (Hewlett-Packard Development Company L.P.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DAMDrv.sys -- (DAMDrv)
DRV - [2007/04/15 20:00:06 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/04/10 17:55:28 | 000,140,808 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atswpdrv.sys -- (ATSWPDRV) (****DEBUG****) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/04/01 05:45:30 | 000,039,808 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDCVsp.sys -- (PTDCVsp) PANTECH PC Card Diagnostic Serial Port (UDP)
DRV - [2007/04/01 05:45:26 | 000,041,728 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDCMdm.sys -- (PTDCMdm) PANTECH PC Card Drivers (UDP)
DRV - [2007/04/01 05:45:22 | 000,027,520 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDCBus.sys -- (PTDCBus) PANTECH PC Card Composite Device Driver (UDP)
DRV - [2007/03/29 18:54:00 | 000,013,696 | ---- | M] (SafeBoot International) [File_System | Boot | Running] -- C:\Windows\System32\drivers\SbFsLock.sys -- (SbFsLock)
DRV - [2007/02/24 09:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2007/01/05 03:00:02 | 000,027,136 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2007/01/05 03:00:02 | 000,018,944 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV - [2006/12/19 20:08:00 | 000,047,616 | ---- | M] (RICOH Company, Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rismc32.sys -- (rismc32)
DRV - [2006/11/02 03:50:52 | 000,128,104 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\WimFltr.sys -- (WimFltr)
DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 02:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/10/09 15:31:46 | 000,044,720 | ---- | M] (SafeBoot N.V.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SbAlg.sys -- (SbAlg)
DRV - [2006/06/28 12:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2000/09/11 09:00:00 | 000,030,398 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\AW_HOST5.sys -- (AW_HOST)
DRV - [2000/09/11 09:00:00 | 000,014,032 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\GERNUWA.sys -- (Gernuwa)
DRV - [2000/09/11 09:00:00 | 000,010,816 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\awlegacy.sys -- (awlegacy)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
IE - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1415918955-262412770-2076119496-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
IE - HKU\S-1-5-21-1415918955-262412770-2076119496-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web-accelerator@google.com: C:\Program Files\Google\Web Accelerator\firefox [2008/07/03 11:56:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/16 10:43:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/06/16 10:43:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/14 11:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2012/02/15 15:09:04 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (&Google Web Accelerator Helper) - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O3 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\..\Toolbar\WebBrowser: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O3 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\..\Toolbar\WebBrowser: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-4151\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
O7 - HKU\S-1-5-21-1415918955-262412770-2076119496-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 1
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://qliktech.webex.com/client/WBXclient-T27L10NSP30-13034/webex/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.10.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = halex.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{86CF2016-AF6D-490E-95EB-27B628A2391E}: DhcpNameServer = 10.10.10.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D01079DF-00B7-44C1-9D05-C9DB55A46D35}: DhcpNameServer = 10.10.10.7
O18 - Protocol\Handler\qvp {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files\QlikView\QvProtocol\qvp.dll (QlikTech AB)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (C:\Windows\system32\awgina.dll) - C:\Windows\System32\awgina.dll (Symantec Corporation)
O20 - Winlogon\Notify\DeviceNP: DllName - (DeviceNP.dll) - C:\Windows\System32\DeviceNP.dll (Hewlett-Packard Limited)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - File not found
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\Windows\System32\lhacm.acm (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.WMV3 - C:\Windows\System32\wmv9vcm.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/02/16 09:32:57 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/02/16 09:31:32 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/02/16 08:41:06 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Roaming\Adobe
[2012/02/16 08:41:06 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\Adobe
[2012/02/16 08:39:53 | 000,000,000 | R--D | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/02/16 08:39:53 | 000,000,000 | R--D | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/02/16 08:39:35 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Roaming\Identities
[2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\AppData\Local\Temporary Internet Files
[2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\Documents\My Videos
[2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\Documents\My Pictures
[2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\Documents\My Music
[2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\AppData\Local\History
[2012/02/16 08:39:00 | 000,000,000 | -HSD | C] -- C:\Users\TEMP\AppData\Local\Application Data
[2012/02/16 08:38:58 | 000,000,000 | --SD | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft
[2012/02/16 08:38:58 | 000,000,000 | R--D | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012/02/16 08:38:58 | 000,000,000 | R--D | C] -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/02/16 08:38:58 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\temp
[2012/02/16 08:38:58 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\Symantec
[2012/02/16 08:38:58 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\Microsoft Help
[2012/02/16 08:38:58 | 000,000,000 | ---D | C] -- C:\Users\TEMP\AppData\Local\Microsoft
[2012/02/15 13:14:20 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/02/03 10:50:14 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/01/18 11:46:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HTML Help Workshop
[2012/01/18 11:46:55 | 000,000,000 | ---D | C] -- C:\Program Files\HTML Help Workshop
[2012/01/18 09:49:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HelpNDoc
[2012/01/18 09:49:08 | 000,000,000 | ---D | C] -- C:\Program Files\IBE Software
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/16 13:15:12 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{58B35616-60A8-422E-BAE4-5E4705BF0CE2}.job
[2012/02/16 12:38:15 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/16 12:38:15 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/16 08:59:30 | 000,000,977 | ---- | M] () -- C:\Users\dwozniak\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/02/16 08:57:18 | 000,374,538 | ---- | M] () -- C:\ProgramData\nvModes.001
[2012/02/16 08:57:12 | 000,000,065 | -H-- | M] () -- C:\TrackitAudit.id
[2012/02/16 08:57:08 | 000,374,600 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2012/02/16 08:42:38 | 000,384,183 | ---- | M] () -- C:\Users\TEMP\Desktop\Vista__3-Vista_Problem_Error_Your_user_profile_was_not_loaded_correctly.pdf
[2012/02/16 08:38:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/16 08:37:45 | 2129,977,344 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/16 08:36:11 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/02/15 15:09:04 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/02/15 14:16:46 | 000,436,336 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/15 13:18:36 | 000,652,102 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/15 13:18:36 | 000,123,624 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/15 13:14:56 | 000,001,573 | ---- | M] () -- C:\Windows\ODBC.INI
[2012/02/14 12:35:21 | 000,000,078 | ---- | M] () -- C:\Windows\ricdb.ini
[2012/02/14 12:35:20 | 000,000,097 | ---- | M] () -- C:\Windows\System32\RPCS.ini
[2012/02/14 12:30:43 | 348,072,879 | ---- | M] () -- C:\Windows\MEMORY.DMP
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
2nd half OTL log

========== Files Created - No Company Name ==========

[2012/02/16 08:42:38 | 000,384,183 | ---- | C] () -- C:\Users\TEMP\Desktop\Vista__3-Vista_Problem_Error_Your_user_profile_was_not_loaded_correctly.pdf
[2012/02/16 08:39:58 | 000,000,988 | ---- | C] () -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/02/16 08:39:52 | 000,000,983 | ---- | C] () -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/02/16 08:39:43 | 000,000,807 | ---- | C] () -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetMeeting.lnk
[2012/02/16 08:39:32 | 000,000,954 | ---- | C] () -- C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
[2012/02/03 09:37:54 | 2129,977,344 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/09 16:21:14 | 000,008,660 | -HS- | C] () -- C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh
[2011/06/16 13:00:51 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/01/14 16:42:22 | 000,000,256 | ---- | C] () -- C:\Windows\System32\pool.bin
[2010/03/12 15:04:49 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2010/01/07 16:38:39 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2010/01/07 16:38:39 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2010/01/07 16:38:39 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/01/07 16:38:39 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/01/07 16:38:39 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/10/20 13:21:02 | 000,000,030 | ---- | C] () -- C:\Windows\Ppcswin.ini
[2009/10/20 13:18:41 | 000,000,030 | ---- | C] () -- C:\Windows\–ÖTwpcswin.ini
[2009/10/20 13:18:41 | 000,000,030 | ---- | C] () -- C:\Windows\±’pwpcswin.ini
[2009/09/10 09:29:42 | 000,000,078 | ---- | C] () -- C:\Windows\ricdb.ini
[2009/09/10 09:29:38 | 000,000,097 | ---- | C] () -- C:\Windows\System32\RPCS.ini
[2009/06/04 11:51:47 | 000,000,065 | ---- | C] () -- C:\ProgramData\TrackitAudit.id
[2009/06/03 12:05:04 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009/06/03 12:04:51 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/06/03 12:03:29 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/06/03 12:03:29 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/01/16 13:52:53 | 000,000,000 | ---- | C] () -- C:\Windows\eDrawingOfficeAutomator.INI
[2008/09/02 07:14:38 | 000,000,030 | ---- | C] () -- C:\Windows\Sèupcswin.ini
[2008/09/02 07:14:38 | 000,000,030 | ---- | C] () -- C:\Windows\12¹vpcswin.ini
[2008/09/01 11:34:41 | 000,000,030 | ---- | C] () -- C:\Windows\SèSwpcswin.ini
[2008/09/01 11:34:41 | 000,000,030 | ---- | C] () -- C:\Windows\12Ývpcswin.ini
[2008/08/27 07:33:05 | 000,000,030 | ---- | C] () -- C:\Windows\SèÌupcswin.ini
[2008/08/27 07:33:05 | 000,000,030 | ---- | C] () -- C:\Windows\12Lvpcswin.ini
[2008/08/25 07:15:49 | 000,000,030 | ---- | C] () -- C:\Windows\12fwpcswin.ini
[2008/08/18 08:06:01 | 000,000,030 | ---- | C] () -- C:\Windows\SèRwpcswin.ini
[2008/08/18 08:06:01 | 000,000,030 | ---- | C] () -- C:\Windows\127vpcswin.ini
[2008/08/14 08:27:37 | 000,000,030 | ---- | C] () -- C:\Windows\SèÉupcswin.ini
[2008/08/14 08:27:37 | 000,000,030 | ---- | C] () -- C:\Windows\12Ýupcswin.ini
[2008/08/11 09:01:25 | 000,000,030 | ---- | C] () -- C:\Windows\Sèçvpcswin.ini
[2008/08/11 09:01:25 | 000,000,030 | ---- | C] () -- C:\Windows\12šupcswin.ini
[2008/08/08 10:16:38 | 000,000,030 | ---- | C] () -- C:\Windows\Sè$vpcswin.ini
[2008/08/08 10:16:38 | 000,000,030 | ---- | C] () -- C:\Windows\12Ivpcswin.ini
[2008/08/08 07:27:58 | 000,000,030 | ---- | C] () -- C:\Windows\Sè#wpcswin.ini
[2008/08/08 07:27:58 | 000,000,030 | ---- | C] () -- C:\Windows\12ávpcswin.ini
[2008/08/06 06:53:26 | 000,000,030 | ---- | C] () -- C:\Windows\SèEwpcswin.ini
[2008/08/06 06:53:26 | 000,000,030 | ---- | C] () -- C:\Windows\12}wpcswin.ini
[2008/08/06 06:53:25 | 000,000,030 | ---- | C] () -- C:\Windows\Lpcswin.ini
[2008/08/05 09:44:40 | 000,000,030 | ---- | C] () -- C:\Windows\12Twpcswin.ini
[2008/06/10 13:33:27 | 000,000,000 | ---- | C] () -- C:\Windows\obsi32.INI
[2008/06/10 13:32:33 | 000,000,301 | ---- | C] () -- C:\Windows\cdkey.ini
[2008/06/10 13:31:31 | 000,319,488 | ---- | C] () -- C:\Windows\test2.exe
[2008/06/10 13:29:30 | 000,006,522 | ---- | C] () -- C:\Windows\ONBASE.INI
[2008/05/16 10:58:04 | 000,012,632 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2008/05/13 11:06:22 | 000,172,032 | ---- | C] () -- C:\Windows\System32\cwbrw.dll
[2008/05/13 11:06:22 | 000,024,576 | ---- | C] () -- C:\Windows\System32\cwbsv.dll
[2008/05/13 11:06:22 | 000,016,384 | ---- | C] () -- C:\Windows\System32\cwbad.dll
[2008/05/13 11:06:21 | 000,020,480 | ---- | C] () -- C:\Windows\System32\cwbnl.dll
[2008/05/13 11:06:21 | 000,020,480 | ---- | C] () -- C:\Windows\System32\cwbco.dll
[2008/04/11 10:23:09 | 000,000,026 | ---- | C] () -- C:\Windows\lvdbed.INI
[2008/04/10 12:43:43 | 000,374,600 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/04/10 12:43:43 | 000,374,538 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/04/02 12:55:24 | 000,000,205 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2008/02/29 17:00:39 | 000,001,573 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/02/29 16:53:29 | 000,000,234 | ---- | C] () -- C:\Windows\netop.ini
[2008/02/11 16:51:04 | 000,055,808 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll
[2008/01/29 12:04:09 | 000,024,630 | ---- | C] () -- C:\Windows\System32\cwbunplp.exe
[2008/01/29 12:04:00 | 000,126,976 | ---- | C] () -- C:\Windows\cwbzip.exe
[2008/01/29 12:04:00 | 000,020,529 | ---- | C] () -- C:\Windows\System32\cwbwiz.dll
[2008/01/29 12:04:00 | 000,020,480 | ---- | C] () -- C:\Windows\System32\cwbsy.dll
[2008/01/29 12:04:00 | 000,016,384 | ---- | C] () -- C:\Windows\System32\cwbnldlg.dll
[2008/01/11 16:07:47 | 000,012,860 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2008/01/11 14:54:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/01/11 14:54:36 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/01/11 14:54:36 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/01/11 14:54:36 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/01/11 14:54:36 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/01/11 14:54:36 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007/11/06 15:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2007/04/30 10:31:14 | 000,274,432 | ---- | C] () -- C:\Windows\System32\flcdlmsg.dll
[2007/04/26 21:23:06 | 000,100,095 | ---- | C] () -- C:\Windows\System32\drivers\SafeBoot.sys
[2007/01/19 09:30:56 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/01/05 03:00:02 | 000,018,944 | ---- | C] () -- C:\Windows\System32\hpservice.exe
[2006/11/09 16:07:03 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2006/11/09 16:06:34 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/02 07:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:43 | 000,436,336 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:33:01 | 000,652,102 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,123,624 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/09/19 01:02:40 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/19 01:02:40 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/03/09 05:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/12/21 17:57:36 | 000,139,264 | ---- | C] () -- C:\Windows\System32\nsldap32v50.dll
[2005/12/21 17:57:04 | 000,024,576 | ---- | C] () -- C:\Windows\System32\nsldappr32v50.dll
[2005/12/21 17:54:34 | 000,040,960 | ---- | C] () -- C:\Windows\System32\nsldapssl32v50.dll
[1999/06/18 08:06:00 | 000,031,232 | ---- | C] () -- C:\Windows\System32\ftp4w32.dll
[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL
[1998/05/06 21:10:00 | 000,069,632 | R--- | C] () -- C:\Windows\System32\ODMA32.dll

========== LOP Check ==========

[2009/02/20 08:07:29 | 000,000,000 | ---D | M] -- C:\Users\bjones.HALEX\AppData\Roaming\SampleView
[2008/07/11 12:27:45 | 000,000,000 | ---D | M] -- C:\Users\cstapleton\AppData\Roaming\IBM
[2008/07/11 12:37:30 | 000,000,000 | ---D | M] -- C:\Users\cstapleton\AppData\Roaming\webex
[2010/08/05 16:02:59 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\Centra
[2008/08/11 15:35:37 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/01/16 13:57:22 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\EDrawings
[2008/09/04 11:41:52 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\IBM
[2009/01/30 09:36:52 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\InterVideo
[2010/05/26 10:18:30 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\Numara Software
[2011/10/17 08:56:43 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\QlikTech
[2011/01/26 15:00:05 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\Research In Motion
[2010/08/05 16:04:52 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\Saba
[2008/08/28 14:04:26 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\SampleView
[2009/04/09 10:19:35 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\VSee
[2011/11/03 10:18:21 | 000,000,000 | ---D | M] -- C:\Users\dwozniak\AppData\Roaming\webex
[2008/05/21 07:45:55 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\LinkedIn
[2008/05/07 14:17:22 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\PeerNetworking
[2008/03/26 12:29:28 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\SampleView
[2008/02/27 13:20:24 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\Smith Micro
[2008/07/01 13:47:25 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\VSee
[2008/05/23 09:28:13 | 000,000,000 | ---D | M] -- C:\Users\mmasters\AppData\Roaming\webex
[2012/02/16 08:36:10 | 000,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/02/16 13:15:12 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{58B35616-60A8-422E-BAE4-5E4705BF0CE2}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/04/29 22:28:42 | 000,204,722 | ---- | M] () -- C:\1_043010.DBF
[2011/02/08 12:50:34 | 000,000,389 | ---- | M] () -- C:\AS400.KMP
[2010/03/01 13:55:59 | 000,001,368 | ---- | M] () -- C:\aujetran.fdf
[2009/01/29 10:04:41 | 035,745,976 | ---- | M] (Online Media Technologies Ltd. ) -- C:\AVSVideoReMaker.exe
[2009/04/10 22:36:38 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2006/11/09 08:00:46 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2009/08/03 07:56:47 | 000,000,584 | ---- | M] () -- C:\Ciam_LogFile.log
[2012/02/16 09:32:52 | 000,014,135 | ---- | M] () -- C:\ComboFix.txt
[2008/01/30 11:20:19 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/08/08 15:46:43 | 000,000,000 | ---- | M] () -- C:\C_USERPART
[2009/02/18 16:33:49 | 000,270,848 | ---- | M] () -- C:\Eric Presentation - Cost Cutting - short.ppt
[2009/06/01 07:59:14 | 000,031,744 | ---- | M] () -- C:\HD Incoming Interchange Analysis week ending 052909.xls
[2012/02/16 08:37:45 | 2129,977,344 | -HS- | M] () -- C:\hiberfil.sys
[2008/03/19 12:40:54 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/03/19 12:40:54 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2012/02/16 08:37:38 | 2443,730,944 | -HS- | M] () -- C:\pagefile.sys
[2008/05/23 12:40:49 | 000,000,627 | ---- | M] () -- C:\pdinstl.log
[2012/01/10 08:23:02 | 000,000,366 | ---- | M] () -- C:\rkill.log
[2012/01/09 16:41:35 | 000,083,918 | ---- | M] () -- C:\TDSSKiller.2.6.25.0_09.01.2012_16.40.39_log.txt
[2012/01/10 08:24:14 | 000,000,348 | ---- | M] () -- C:\TDSSKiller.2.6.25.0_10.01.2012_08.24.08_log.txt
[2012/02/03 10:50:22 | 000,086,370 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_03.02.2012_10.46.09_log.txt
[2012/01/10 08:32:53 | 000,083,316 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_10.01.2012_08.32.24_log.txt
[2012/02/15 08:05:56 | 000,087,852 | ---- | M] () -- C:\TDSSKiller.2.7.12.0_15.02.2012_08.04.26_log.txt
[2012/02/16 08:57:12 | 000,000,065 | -H-- | M] () -- C:\TrackitAudit.id

< %systemroot%\Fonts\*.com >
[2006/11/02 07:37:19 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:37:19 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:19 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/06/03 12:16:10 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 16:37:34 | 000,000,065 | -H-- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/01/19 02:34:28 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\HPZPPLHN.DLL
[2006/11/02 07:36:30 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/05/23 10:43:23 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009/11/19 10:33:49 | 000,000,365 | -HS- | M] () -- C:\Users\dwozniak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2012/02/14 15:50:20 | 000,302,592 | ---- | M] () -- C:\Users\dwozniak\Desktop\4yvc7ogp.exe
[2012/02/15 13:23:13 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Users\dwozniak\Desktop\aswMBR.exe
[2012/02/15 14:02:49 | 000,568,832 | ---- | M] () -- C:\Users\dwozniak\Desktop\BTKR_RunBox.exe
[2012/02/16 09:12:59 | 004,405,806 | R--- | M] (Swearware) -- C:\Users\dwozniak\Desktop\ComboFix.exe
[2012/02/16 13:12:15 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\dwozniak\Desktop\OTL.exe
[2012/02/15 08:04:02 | 002,061,360 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\dwozniak\Desktop\tdsskiller.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2006/11/02 07:36:17 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2012/02/16 08:19:01 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
[2012/02/16 08:19:01 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
[2012/02/16 08:13:00 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
[2012/02/16 08:13:01 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2008/07/21 09:03:11 | 000,000,402 | -HS- | M] () -- C:\Users\dwozniak\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2012/01/09 16:35:18 | 000,008,660 | -HS- | M] () -- C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh
[2011/10/24 09:57:03 | 000,012,860 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2012/02/16 08:57:18 | 000,374,538 | ---- | M] () -- C:\ProgramData\nvModes.001
[2009/06/04 11:51:47 | 000,000,065 | ---- | M] () -- C:\ProgramData\TrackitAudit.id

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"NoAutoRebootWithLoggedOnUsers" = 1
"AutoInstallMinorUpdates" = 1
"IncludeRecommendedUpdates" = 1
"AUPowerManagement" = 1
"NoAUShutdownOption" = 0
"NoAutoUpdate" = 0
"AUOptions" = 4
"ScheduledInstallDay" = 0
"ScheduledInstallTime" = 13
"UseWUServer" = 1
"RescheduleWaitTimeEnabled" = 1
"RescheduleWaitTime" = 15
"DetectionFrequencyEnabled" = 1
"DetectionFrequency" = 22
"RebootWarningTimeoutEnabled" = 1
"RebootWarningTimeout" = 30
"RebootRelaunchTimeoutEnabled" = 1
"RebootRelaunchTimeout" = 60

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E0258CAE

< End of report >
 
Extras log

OTL Extras logfile created on: 2/16/2012 1:14:14 PM - Run 1
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\dwozniak\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 0.85 Gb Available Physical Memory | 42.65% Memory free
4.20 Gb Paging File | 2.66 Gb Available in Paging File | 63.25% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102.26 Gb Total Space | 37.94 Gb Free Space | 37.10% Space Free | Partition Type: NTFS
Drive E: | 1.55 Gb Total Space | 1.32 Gb Free Space | 84.85% Space Free | Partition Type: NTFS
Drive F: | 7.97 Gb Total Space | 0.98 Gb Free Space | 12.31% Space Free | Partition Type: NTFS
Drive H: | 50.01 Gb Total Space | 24.25 Gb Free Space | 48.50% Space Free | Partition Type: NTFS
Drive I: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive J: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive K: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive M: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive P: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive Q: | 558.78 Gb Total Space | 120.77 Gb Free Space | 21.61% Space Free | Partition Type: NTFS

Computer Name: 1SR-PROG-IT | User Name: dwozniak | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"DisabledInterfaces" = {D01079DF-00B7-44C1-9D05-C9DB55A46D35},{86CF2016-AF6D-490E-95EB-27B628A2391E}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"DisabledInterfaces" = {D01079DF-00B7-44C1-9D05-C9DB55A46D35},{86CF2016-AF6D-490E-95EB-27B628A2391E}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{12802776-20C7-4A05-9D47-3C5F75C0D355}" = lport=3389 | protocol=6 | dir=in | app=system |
"{2ED6612D-3992-46B9-8E46-50BB65F836CB}" = lport=5722 | protocol=6 | dir=in | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
"{3FD5D9AE-CFE5-4BD1-87BC-5F49D8787EED}" = lport=3587 | protocol=6 | dir=in | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
"{42F7A520-D64D-402A-B8E2-8A8FDE95B863}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{43D6EEBD-1CA2-4041-BF5A-CB8AE3A74A77}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{495C4BD9-C0A4-475F-A5A3-65B9AD8277A2}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework\v4.0.30319\smsvchost.exe |
"{4EC70035-630F-4031-B2D5-130FFB6DDAC3}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\netproj.exe |
"{5175AE39-88E2-4A0E-8BDF-C91B1A81372B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5511D978-26D0-4544-AA17-2763ED68E2DA}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{58DA459D-6F79-4D8F-B308-2DF98718B880}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{5E0C3F29-3F4F-4C5D-9D99-5D035E1024DF}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\netproj.exe |
"{6B5B9057-54E9-4464-A598-A84B259E7093}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{73F5CB90-79A7-493A-BEA7-0CDE0B3017D4}" = lport=5358 | protocol=6 | dir=in | app=system |
"{74A9EFA8-AC0E-4971-9D6E-1A0EF89B43EF}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{883B150B-C51C-4407-84DA-79F8632B100A}" = rport=3587 | protocol=6 | dir=out | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
"{89A92230-A4DD-4E5B-8EF7-9448517942D6}" = rport=5358 | protocol=6 | dir=out | app=system |
"{89DF70BB-0834-4F67-81F7-77CDF9ED8403}" = rport=5722 | protocol=6 | dir=out | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
"{996E19E8-A3E1-4057-AF99-C2EB650591F5}" = rport=5357 | protocol=6 | dir=out | app=system |
"{9A73AD10-3BB4-4DE9-A309-2A88E64D0617}" = lport=5357 | protocol=6 | dir=in | app=system |
"{9C2D5096-1CEC-4526-8DCE-94F6271BA4DF}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{AE3239F9-E441-4BE7-87A8-1CE60DF0DB09}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{B6FD6B91-1320-4FB3-BFE6-5B938B6DEECF}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{C9C27580-7B13-4B50-B356-18E210303423}" = lport=3587 | protocol=6 | dir=in | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
"{C9EBFF3B-1B44-4A74-AE69-E122B7C6D573}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\netproj.exe |
"{CA33C307-B457-4DB8-AC9C-73916B8F2501}" = rport=3587 | protocol=6 | dir=out | svc=p2psvc | app=%systemroot%\system32\svchost.exe |
"{CE429DAD-5BAD-4F9B-A4F2-251226C8E431}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\netproj.exe |
"{D1B2CADB-65D4-47A2-9B2A-D37DFEBCB401}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D70C66C4-1BC7-47F5-9B55-28783A92348B}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{E697546B-E2BF-4CA0-889B-950C507F0059}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{EF388B75-643C-475A-AE5D-D1D926367FE8}" = lport=5722 | protocol=6 | dir=in | svc=dfsr | app=%systemroot%\system32\dfsr.exe |
"{F08150F3-DFFB-42D2-A565-30FF41AEDEE0}" = rport=5722 | protocol=6 | dir=out | svc=dfsr | app=%systemroot%\system32\dfsr.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03E04F68-89C8-487C-A3E6-76ED7C882BA1}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{0E18D78B-C2C9-4AA5-94BA-3A0E5739CAF7}" = protocol=17 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
"{23687BFB-2C93-49DF-9F15-89895370EE69}" = protocol=6 | dir=in | app=c:\program files\numara software\remote\guest\ngstw32.exe |
"{2ED4F4D8-52EE-4FBA-A9CC-C48BCA19D724}" = protocol=6 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{396212BC-1174-43C6-A74D-6A3DC81ADF9E}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{4E2A68A1-E8CE-4923-86C6-C02826A88873}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
"{5855F152-47F7-4344-BCA8-36BFB69A88D4}" = protocol=6 | dir=in | app=c:\program files\numara software\remote\guest\ngstw32.exe |
"{73380F58-4D22-4E87-9B9B-C94DB4D75089}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
"{83CF79D7-44A1-455E-992A-BE41F1272113}" = protocol=17 | dir=in | app=c:\program files\numara software\remote\guest\ngstw32.exe |
"{903BE726-6436-4C87-A81E-A522708225AE}" = protocol=6 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
"{956C4957-1CE7-421E-A3C4-F4470321A054}" = protocol=17 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
"{A0317A65-7332-416A-BBFC-F6ABD77EB680}" = protocol=6 | dir=in | app=%systemroot%\system32\netproj.exe |
"{A12D6D05-B45F-4705-8F7D-7F6D3E4D535E}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{A2EE0EC3-6AAF-4E2A-A67E-B1E62DB3E2ED}" = protocol=6 | dir=out | app=%systemroot%\system32\netproj.exe |
"{A4492290-08D3-48F4-A41A-053CEE320439}" = protocol=6 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
"{AF17B684-819B-44AC-8334-8E1157730BE0}" = protocol=6 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
"{AF8C0DA5-2D05-4877-95DF-FEBC0957F637}" = protocol=6 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
"{B057DA81-626C-4285-AA72-24AB72E55607}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
"{B3831B2B-1701-4611-BC23-44024A135CF2}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{C55FDAFD-1076-4759-B98D-D5D33C34637E}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{D3258AD2-ECA8-4A85-A0FC-6ADF36D10679}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{DDB39332-D3EE-4156-ABE7-7A1F54F6ACCA}" = protocol=17 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{EBBF4DB1-0429-470C-B2C3-52484AD95434}" = protocol=17 | dir=out | app=%programfiles%\windows collaboration\wincollab.exe |
"{ECC4C522-DB45-4E1B-A78D-A20C6136146B}" = protocol=17 | dir=in | app=%programfiles%\windows collaboration\wincollab.exe |
"{EE1E2EBF-CD81-435A-894A-111B5A0A6CFA}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
"{EFCC0A8B-962E-41D8-BB77-5DB67BDB0A22}" = protocol=17 | dir=in | app=c:\program files\numara software\remote\guest\ngstw32.exe |
"TCP Query User{15882214-7457-4300-9688-6EEFD7361B63}C:\program files\ibm\client access\cwbunnav.exe" = protocol=6 | dir=in | app=c:\program files\ibm\client access\cwbunnav.exe |
"TCP Query User{1BF0C776-9048-4DC1-9E25-C2B64C8BA95B}C:\windows\sminst\scheduler.exe" = protocol=6 | dir=in | app=c:\windows\sminst\scheduler.exe |
"TCP Query User{422E9B91-ED88-4DD4-8D8D-1FEC85A30AA2}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{746C512D-9604-4A58-A576-C7EF8B11A339}C:\program files\microsoft office\office12\winword.exe" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\winword.exe |
"TCP Query User{8A4F66C2-533E-43A6-8AC3-9E19352EFC31}C:\windows\system32\ftp.exe" = protocol=6 | dir=in | app=c:\windows\system32\ftp.exe |
"TCP Query User{A7136C4D-C01D-459E-B7A5-1102CF36CAEB}C:\windows\system32\mstsc.exe" = protocol=6 | dir=in | app=c:\windows\system32\mstsc.exe |
"TCP Query User{B4DB7EB0-A571-4BA6-835A-369E9C384E0A}C:\program files\netmeeting\conf.exe" = protocol=6 | dir=in | app=c:\program files\netmeeting\conf.exe |
"TCP Query User{D694F9BC-C2C5-4EC8-8276-24BEB30C6FC9}C:\windows\sminst\scheduler.exe" = protocol=6 | dir=in | app=c:\windows\sminst\scheduler.exe |
"TCP Query User{E844CADE-11D5-45EE-9E68-D1B6F4021376}C:\windows\sminst\scheduler.exe" = protocol=6 | dir=in | app=c:\windows\sminst\scheduler.exe |
"TCP Query User{FCEBC868-EEF7-4581-A0ED-74FA1F09014B}C:\program files\ibm\client access\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ibm\client access\jre\bin\javaw.exe |
"UDP Query User{481CFA5C-6039-4600-8A51-8BD86BB1C3CA}C:\program files\ibm\client access\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ibm\client access\jre\bin\javaw.exe |
"UDP Query User{5287FCEC-98ED-45D6-8390-216CACCC7BED}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{86179435-CC93-48C5-A650-D5DDEF713585}C:\program files\ibm\client access\cwbunnav.exe" = protocol=17 | dir=in | app=c:\program files\ibm\client access\cwbunnav.exe |
"UDP Query User{8D1D9860-6284-4892-BBB7-468C1B060A72}C:\program files\microsoft office\office12\winword.exe" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\winword.exe |
"UDP Query User{949F259E-45D4-4230-81F1-2F93864035BB}C:\windows\system32\ftp.exe" = protocol=17 | dir=in | app=c:\windows\system32\ftp.exe |
"UDP Query User{AA23BCC5-CCA6-48D6-A8D0-5E781FF532B7}C:\windows\sminst\scheduler.exe" = protocol=17 | dir=in | app=c:\windows\sminst\scheduler.exe |
"UDP Query User{C24D06BF-57BC-4C4F-85F0-96FC85729AD1}C:\program files\netmeeting\conf.exe" = protocol=17 | dir=in | app=c:\program files\netmeeting\conf.exe |
"UDP Query User{D7680A78-34CB-4120-BF65-F376EBABFB2A}C:\windows\system32\mstsc.exe" = protocol=17 | dir=in | app=c:\windows\system32\mstsc.exe |
"UDP Query User{DB761AF5-8708-4D19-8417-3BC81E355831}C:\windows\sminst\scheduler.exe" = protocol=17 | dir=in | app=c:\windows\sminst\scheduler.exe |
"UDP Query User{F630D4F5-EA23-4BEC-BE2B-58B62686BB71}C:\windows\sminst\scheduler.exe" = protocol=17 | dir=in | app=c:\windows\sminst\scheduler.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000038-C690-11DB-9900-000E0CBD0225}" = Numara Remote Control Guest
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{033F6F4A-040B-42AE-B4B0-34E1344CFB51}" = AccessToCSV
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 23
"{27161A23-6B1A-4147-B2F4-1EC3ED5C4A85}" = DBU
"{2DB165DC-DDB4-403F-B985-19F3EC7D0357}" = HP ProtectTools Security Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2
"{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}" = Roxio MyDVD Basic v9
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 B2
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3912A629-0020-0005-3131-2FBA74D4DF0A}" = InterVideo WinDVD
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup & Recovery Manager Installer
"{41846938-6A9E-488B-9E37-21F7D814ECFA}" = mpmri
"{49C27FB0-CEEF-4A11-8114-0BFE336D3884}" = Symantec Endpoint Protection
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{521F72F4-FFE4-4959-AA88-EED06125211F}" = HP Notebook Accessories Product Tour
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{55B52830-024A-443E-AF61-61E1E71AFA1B}" = Device Access Manager for HP ProtectTools
"{584B0895-8EF3-4175-8E80-1B68BFA04636}" = HP Help and Support
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6A1975EB-27E6-491D-94BC-6355FA25F40F}" = Google Web Accelerator
"{6A9AFDFF-AF78-4642-8903-6B20B794D85D}" = LABELVIEW 8.10.05
"{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components
"{70CEFEBA-F757-4DBE-8A21-027C326137CE}" = Application Installer 4.00.B14
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73726B45-FD55-4AA8-852F-4AB3285E6CAC}" = mp
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F82FE45-E5B5-45D5-AD1D-2CF381E0512F}" = Cisco ASDM Launcher
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{871DF2BE-41D2-4334-AC33-839AF16FC8FE}" = Cisco Systems VPN Client 5.0.02.0090
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_OUTLOOKR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_OUTLOOKR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_OUTLOOKR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARDR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_OUTLOOKR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARDR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_OUTLOOKR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_OUTLOOKR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91120000-001A-0000-0000-0000000FF1CE}" = Microsoft Office Outlook 2007
"{91120000-001A-0000-0000-0000000FF1CE}_OUTLOOKR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{93D44E47-EBE0-43FC-A427-8AC3CD026536}" = Vista Default Settings
"{997FF31A-80C9-4B92-8F80-10953D2AE9A3}" = QlikView x86
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A7FE99B6-E077-4F52-BC6A-E24C338F3C23}" = Crystal Reports XI Release 2 .NET 2005 Server
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC76BA86-1033-0000-BA7E-000000000003}" = Adobe Acrobat 8 Standard
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}" = Ipswitch WS_FTP 12
"{ADA35685-E6DC-42F2-807E-312AD0D18AA6}" = HP User Guides 0061
"{B05E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{BBE5C83E-4DC5-494F-8A23-3AAE242E94C2}" = HP Easy Setup - Frontend
"{C5EDCC75-41E1-4510-B533-7B2ABA37BE45}" = ESU for Microsoft Vista
"{C74D0FA0-1D49-464F-A707-B427EE3385C1}" = BIOS Configuration for HP ProtectTools
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32067CD-7409-4792-BFA0-1469BCD8F0C8}" = HP Wireless Assistant
"{D9B4D7EE-481C-4C36-86AB-A8F7417725FF}" = LightScribe 1.6.43.1
"{DA546462-1AD9-4435-8E06-C7C74D1F4E4B}" = ProData RDR
"{DB6F07FF-A436-453a-B685-F6C1F4F09D22}" = PANTECH PC Card Software
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F7F3B252-E772-48AA-93EB-7964BC326067}" = MSCU for Microsoft Vista
"{F843AC27-704C-4731-A590-F57841B488F2}" = Drive Encryption for HP ProtectTools
"{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}" = HP Easy Setup - Core
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FF2528E6-45F9-45D0-9531-6F369AC7B886}" = OnBase Runtime CD Client CD #254742
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 8 Standard" = Adobe Acrobat 8.3.1 Standard
"Adobe Acrobat 8 Standard_831" = Adobe Acrobat 8.3.1 - CPSID_83708
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AVS DVDMenu Editor_is1" = AVS DVDMenu Editor 1.2.1.20
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.2
"AVS4YOU Video ReMaker_is1" = AVS Video ReMaker 2.4
"CCleaner" = CCleaner (remove only)
"CentraClient" = Centra Client
"ClientAccessExpress" = IBM iSeries Access for Windows
"ClientAccessExpressSP" = IBM iSeries Access for Windows SI29771
"CNXT_MODEM_PCI_VEN_14F1&DEV_2C06_hpZ1379z" = Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"filehippo.com" = filehippo.com Update Checker
"HelpNDoc_is1" = HelpNDoc 3.3.0.123 Personal Edition
"HTML Help Workshop" = HTML Help Workshop
"L0phtCrack 6" = L0phtCrack 6
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"NetMeeting" = NetMeeting 3.01
"Network Viewer v2.2 (002)" = Network Viewer v2.2 (002)
"NVIDIA Drivers" = NVIDIA Drivers
"OUTLOOKR" = Microsoft Office Outlook 2007
"PDF Complete" = PDF Complete
"PROHYBRIDR" = 2007 Microsoft Office system
"PROPLUS" = Microsoft Office Professional Plus 2007
"PROSet" = Intel(R) Network Connections Drivers
"RealVNC_is1" = VNC Free Edition 4.1.2
"Shortcut Explorer_is1" = Shortcut Explorer 3.0
"STANDARDR" = Microsoft Office Standard 2007
"Stay-Linked Administrator" = Stay-Linked Administrator
"Stay-Linked Server for iSeries Installation Wizard" = Stay-Linked Server for iSeries Installation Wizard
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TightVNC_is1" = TightVNC 1.3.9
"VLC media player" = VLC media player 1.1.4
"VZAccess Manager" = VZAccess Manager
"WinPcapInst" = WinPcap 4.0.2
"winscp3_is1" = WinSCP 4.2.9
"WinZip" = WinZip
"WMV9_VCM" = Microsoft Windows Media Video 9 VCM

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/29/2011 10:23:56 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = WinVNC4 | ID = 1
Description = SocketManager: unknown listener event: 0

Error - 7/29/2011 10:24:55 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = WinVNC4 | ID = 1
Description = SConnection: AuthFailureException: No password configured for VNC
Auth

Error - 7/29/2011 1:31:54 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = WinVNC4 | ID = 1
Description = SocketManager: unknown listener event: 0

Error - 8/11/2011 1:11:34 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Windows Search Service | ID = 3013
Description =

Error - 8/11/2011 1:23:41 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Windows Search Service | ID = 3013
Description =

Error - 8/11/2011 1:23:42 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Windows Search Service | ID = 3013
Description =

Error - 8/16/2011 1:39:36 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 7.0.6002.18005 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 2bb8 Start Time: 01cc5c1976fc844b Termination Time: 0

Error - 9/2/2011 4:56:17 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = EventSystem | ID = 4609
Description =

Error - 9/15/2011 3:10:21 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 9/24/2011 7:15:23 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

[ OSession Events ]
Error - 8/5/2008 10:58:34 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 22
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/10/2008 12:14:57 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6323.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1821
seconds with 1260 seconds of active time. This session ended with a crash.

Error - 9/10/2008 12:46:42 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6323.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 33
seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/1/2009 4:02:28 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 21669
seconds with 3600 seconds of active time. This session ended with a crash.

Error - 3/24/2011 9:23:52 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 2916
seconds with 180 seconds of active time. This session ended with a crash.

Error - 3/28/2011 11:39:00 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 12770
seconds with 2700 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 2/15/2012 4:08:54 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7000
Description =

Error - 2/15/2012 4:16:35 PM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7022
Description =

Error - 2/16/2012 9:13:43 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7009
Description =

Error - 2/16/2012 9:13:43 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7000
Description =

Error - 2/16/2012 9:39:09 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7009
Description =

Error - 2/16/2012 9:39:09 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7000
Description =

Error - 2/16/2012 10:14:57 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7034
Description =

Error - 2/16/2012 10:16:32 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7030
Description =

Error - 2/16/2012 10:22:31 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7030
Description =

Error - 2/16/2012 10:29:31 AM | Computer Name = 1SR-PROG-IT.halex.local | Source = Service Control Manager | ID = 7030
Description =


< End of report >
 
How is the computer doing?

Better than I am at this point. CPU usage is down to between 6 and 10% but memory is still around 56% and climbs occasionally. Still have one monster svchost.exe running around 69 Mb. Vista also could not log my profile on properly this morning after I shut the machine down for the night last night and logged me on with a temporary profile. I had to do a registry edit to restore the registry value for my normal profile in order to get it back and then still had to rebuild my Outlook ost file and settings. Quite the pain, if you know what I mean.
 
memory is still around 56% and climbs occasionally
That's normal. Vista handles RAM differently than the previous Windows versions.
As long as CPU usage stays low you're fine.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
    O37 - HKU\.DEFAULT\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*
    O37 - HKU\S-1-5-18\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*
    [2012/01/09 16:21:14 | 000,008,660 | -HS- | C] () -- C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh
    @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E0258CAE
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" =-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" =-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

==================================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

===================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave reading the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If ESET doesn't find any threats, it won't produce a log.
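The OTL fix script in the reply above targets three kinds of entry that are worth recognising in any OTL log: COM hooks whose CLSID no longer resolves (the O2/O16/O28 lines), an .exe file association that has been redirected through another program (the O37 lines, where double-clicking any executable would run bcr.exe first), and a hidden+system file and an alternate data stream under ProgramData. The checker below is an added example for this thread, not OTL's own code and not something the helper posted: it parses those line shapes and returns a finding for each one that matches a risky pattern. The regexes are written from the lines visible in this thread and are an assumption about OTL's general format; the stock `exefile` ProgId with the `"%1" %*` open command is the normal Windows registration for .exe; the two benign lines at the end of the sample are constructed so the checker has negative cases.

```python
"""Triage checker for OTL-style scan lines.

Added example for this thread; it is not part of OTL or of any tool named in
the thread. It parses a few of the line shapes OTL prints (O2/O16/O28 COM hooks,
O37 .exe associations, file entries, alternate data streams) and flags the
patterns the helper queued for removal.
"""
import re
from typing import Dict, List, Optional

# Regexes written from the line shapes visible in the thread; assumed to hold
# for OTL's general output format.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O37_RE = re.compile(r"^O37 - (?P<hive>.+?)\.\.\.exe \[@ = (?P<progid>[^\]]+)\] -- (?P<command>.+)$")
FILE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<flag>[A-Z])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

# Stock Windows registration for .exe: ProgId "exefile", open command "%1" %*.
# Any other handler means every executable launch goes through another program.
EXPECTED_EXE_PROGID = "exefile"
EXPECTED_EXE_COMMAND = '"%1" %*'

# Constructed sample input: the OTL entries from the fix script in this thread
# plus two constructed benign lines (a healthy .exe association and a visible,
# versioned file) that the checker must leave alone.
SAMPLE_OTL_LINES = [
    "O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.",
    "O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)",
    "O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.",
    r'O37 - HKU\.DEFAULT\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*',
    r'O37 - HKU\S-1-5-18\...exe [@ = Jsk] -- "C:\Users\dwozniak\AppData\Local\bcr.exe" -a "%1" %*',
    r"[2012/01/09 16:21:14 | 000,008,660 | -HS- | C] () -- C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh",
    r"@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E0258CAE",
    r'O37 - HKLM\...exe [@ = exefile] -- "%1" %*',  # constructed, benign
    r"[2012/01/09 16:21:14 | 000,512,000 | ---- | M] (Example Vendor) -- C:\ProgramData\Example\settings.dat",  # constructed, benign
]


def check_line(line: str) -> Optional[Dict[str, str]]:
    """Classify one OTL line; return a finding dict, or None when nothing is suspicious."""
    line = line.strip()

    # O2 (BHO), O16 (ActiveX/DPF), O28 (ShellExecuteHooks): a registration whose
    # CLSID cannot be resolved is a dangling hook rather than a working component.
    if line.startswith(("O2 - ", "O16 - ", "O28 - ")):
        if "No CLSID value found" in line or "Reg Error: Key error" in line:
            m = CLSID_RE.search(line)
            return {"kind": "orphan-clsid", "clsid": m.group(0) if m else "", "line": line}
        return None

    m = O37_RE.match(line)
    if m:
        progid = m.group("progid").strip()
        command = m.group("command").strip()
        if progid != EXPECTED_EXE_PROGID or command != EXPECTED_EXE_COMMAND:
            return {"kind": "exe-association-hijack", "hive": m.group("hive"),
                    "progid": progid, "command": command}
        return None

    m = FILE_RE.match(line)
    if m:
        attrs, company, path = m.group("attrs"), m.group("company"), m.group("path")
        hidden_system = "H" in attrs and "S" in attrs
        # Hidden+system, no version info (empty company), dropped under ProgramData.
        if hidden_system and not company and path.lower().startswith("c:\\programdata\\"):
            return {"kind": "hidden-system-file", "path": path, "size": m.group("size")}
        return None

    m = ADS_RE.match(line)
    if m:
        # Every named stream OTL lists is returned for review.
        return {"kind": "alternate-data-stream", "path": m.group("path"), "bytes": m.group("size")}

    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run check_line over a whole OTL report and keep only the findings."""
    return [f for f in (check_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_OTL_LINES):
        print(finding["kind"].ljust(24), {k: v for k, v in finding.items() if k != "kind"})
```

Run it against a saved OTL.txt by reading the file into a list of lines and passing it to `triage`; the O37 check is the one to watch most closely, because a redirected .exe handler is what lets a file like bcr.exe interpose itself on every program launch, which is consistent with the svchost.exe and profile trouble described earlier in the thread.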
 
Four more logs

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\Jsk\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Classes\Jsk\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\ProgramData\40tba47kkb2171lnees71eeati0bs13liv4t81w3s43bvh moved successfully.
ADS C:\ProgramData\TEMP:E0258CAE deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\DisableMonitoring deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\DisableMonitoring deleted successfully.
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: arg

User: bjones

User: bjones.HALEX

User: bpi

User: cstapleton

User: Default

User: Default User

User: dwozniak

User: mbassett

User: mmasters

User: Public

User: stemple

User: tdjackson

User: TEMP

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: arg

User: bjones

User: bjones.HALEX

User: bpi

User: cstapleton

User: Default

User: Default User

User: dwozniak

User: mbassett

User: mmasters

User: Public

User: stemple

User: tdjackson

User: TEMP

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: arg

User: bjones

User: bjones.HALEX

User: bpi

User: cstapleton

User: Default

User: Default User

User: dwozniak

User: mbassett

User: mmasters

User: Public

User: stemple

User: tdjackson

User: TEMP

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.32.0 log created on 02162012_143607

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Symantec Endpoint Protection
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
CCleaner (remove only)
Java(TM) 6 Update 31
Java(TM) SE Runtime Environment 6
Adobe Flash Player 11.1.102.55
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
``````````End of Log````````````
Farbar Service Scanner Version: 14-02-2012
Ran by dwozniak (administrator) on 16-02-2012 at 14:57:07
Running from "C:\Users\dwozniak\Desktop"
Microsoft® Windows Vista™ Business Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Yahoo IP returend error: Yahoo IP is offline


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-11-11 13:02] - [2009-10-09 16:55] - 0584704 ____A (Microsoft Corporation) 0D4A07E5AC9998E4B251D603C96D4F20

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
C:\TDSSKiller_Quarantine\15.02.2012_08.04.27\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan
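The logs above flag several weakened settings on this machine: the Security Check reports "UAC is disabled!" and "Windows Firewall Disabled!", the Farbar Service Scanner shows EnableFirewall=0 under both the DomainProfile and StandardProfile policy keys, and the earlier OTL fix deleted three Security Center DisableMonitoring values and reset the .exe file association to exefile after removing a stray "Jsk" class. The following PowerShell script is an added example, not something posted in this thread or part of any of the tools used; it re-reads those same registry locations so you can confirm the fixes held after reboot. It assumes an elevated prompt and the standard Vista-and-later key names (EnableLUA for UAC, the PublicProfile key alongside the two profiles FSS printed); the per-user HKU\<SID>\Software\Classes\.exe check is included because the OTL log shows the hijack was seeded under HKEY_USERS\.DEFAULT.

```powershell
# Added example (not from the thread): audit the settings the Security Check,
# FSS and OTL logs flagged. Run from an elevated PowerShell prompt.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value absent
    }
}

$findings = @()

# 1. Windows Firewall policy: EnableFirewall = 0 in a profile disables it
#    (the key FSS printed under "Firewall Disabled Policy").
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile"
    $v = Get-RegValue $path 'EnableFirewall'
    if ($v -eq 0) { $findings += "Windows Firewall disabled by policy in $profile" }
}

# 2. UAC: EnableLUA = 0 means UAC is off (Security Check: "UAC is disabled!").
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
if ($lua -eq 0) { $findings += 'UAC (EnableLUA) is disabled' }

# 3. Security Center monitoring: DisableMonitoring = 1 silences the Security
#    Center warnings for the product under that subkey; OTL deleted three of
#    these (root, SymantecAntiVirus, SymantecFirewall) in the fix log above.
$scBase = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
if (Test-Path $scBase) {
    $keys = @(Get-Item $scBase) + @(Get-ChildItem $scBase -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $v = Get-RegValue $k.PSPath 'DisableMonitoring'
        if ($v -eq 1) { $findings += "DisableMonitoring=1 under $($k.Name)" }
    }
}

# 4. .exe file association: OTL reset HKCR\.exe to "exefile". Any other ProgID
#    (the log showed a "Jsk" class) means every launched .exe is redirected.
$exeAssoc = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\.exe' '(default)'
if ($exeAssoc -ne 'exefile') { $findings += ".exe association is '$exeAssoc', expected 'exefile'" }

# Per-user Software\Classes\.exe overrides take precedence over HKLM, so a
# hijack can survive a machine-wide reset; OTL removed one under HKU\.DEFAULT.
foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { $_.PSChildName })) {
    $userExe = "Registry::HKEY_USERS\$sid\Software\Classes\.exe"
    if (Test-Path $userExe) { $findings += "Per-user .exe class override present for $sid" }
}

if ($findings.Count -eq 0) { 'No weakened security settings found.' } else { $findings }
```

Run it once after the final OTL reboot; an empty result means the firewall policy, UAC, Security Center monitoring and the .exe association all read as they should. A hit on the firewall or UAC lines can be a deliberate domain policy on a corporate machine like this one (the user is a domain account), so confirm with whoever manages Group Policy before changing it, but a DisableMonitoring value or a non-exefile .exe association has no legitimate reason to reappear.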
 
Uninstall Java(TM) SE Runtime Environment 6 .

==============================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Posting last OTL log for this thread, I hope

OTL log is below. Broni, thanks very much for your work on this issue. You have been very professional and I appreciate your time and efforts on my behalf.
Don Wozniak
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: arg
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: bjones
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: bjones.HALEX
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: bpi
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: cstapleton
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: dwozniak
->Temp folder emptied: 53375 bytes
->Temporary Internet Files folder emptied: 48432732 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 9613 bytes

User: mbassett
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: mmasters
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: stemple
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: tdjackson
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 46.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: arg

User: bjones

User: bjones.HALEX
->Flash cache emptied: 0 bytes

User: bpi

User: cstapleton

User: Default

User: Default User

User: dwozniak
->Flash cache emptied: 0 bytes

User: mbassett

User: mmasters
->Flash cache emptied: 0 bytes

User: Public

User: stemple

User: tdjackson

User: TEMP

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: arg

User: bjones

User: bjones.HALEX
->Java cache emptied: 0 bytes

User: bpi

User: cstapleton

User: Default

User: Default User

User: dwozniak
->Java cache emptied: 0 bytes

User: mbassett

User: mmasters
->Java cache emptied: 0 bytes

User: Public

User: stemple

User: tdjackson

User: TEMP

Total Java Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.32.0 log created on 02202012_074012

Files\Folders moved on Reboot...
C:\Users\dwozniak\AppData\Local\Temp\ExchangePerflog_8484fa316751ae68cfcccd43.dat moved successfully.
File\Folder C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{86B22137-A1D7-4948-B774-0B5C5B4D2840}.tmp not found!
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AD4400E4-BBD9-484A-B09E-51597C84C5AE}.tmp moved successfully.
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E6040D79-7497-4AE5-A0DB-1B9A9BF89979}.tmp moved successfully.
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJXLSCGE\918[1].htm moved successfully.
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJXLSCGE\partner[1].htm moved successfully.
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W2ZTT7LL\partner[1].htm moved successfully.
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\712808C8\net[1].htm moved successfully.
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\712808C8\showthread[1].htm moved successfully.
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21K37DZN\partner[1].htm moved successfully.
C:\Users\dwozniak\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...
 