Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

lsass.exe virus/problem/???


  • This topic is locked This topic is locked
30 replies to this topic

#1 dco4

dco4

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 11 July 2009 - 02:51 PM

A few days ago I guess my computer was infected with something. Now after logging on, I am told there is some error regarding lsass.exe and that shutdown will occur in 60 seconds. I bypassed that by entering in shutdown -a, but that is the only bit of advice that I have received from a variety of online searches which has produced any results. I cannot get an internet connection, search, or open certain programs (iTunes comes to mind.) I have scanned with both MalwareBytes and Superantispyware ( both updated within the past few weeks) but no problems have been detected. Below you will find a HijackThis log. Hopefully that will be enough to get started on this process. As I am using a different computer which actually has internet access, I may take a while to respond to the queries of whoever decides to offer assistance, but I will try to check back semi regularly. Thanks in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:59 PM, on 7/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Documents and Settings\Dave\Desktop\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1546363167-3062639316-2670174690-1006\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-1546363167-3062639316-2670174690-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1546363167-3062639316-2670174690-1006\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-1546363167-3062639316-2670174690-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - S-1-5-21-1546363167-3062639316-2670174690-1006 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240345491765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240345429859
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\SsoWindows.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Secure Services Client - Cisco Systems - C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\71\quartus\bin\jtagserver.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10591 bytes

Hello dco4,

I have removed your double posting of this topic,while we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Athough our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 15 July 2009 - 05:26 PM.


BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:50 PM

Posted 19 July 2009 - 08:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 dco4

dco4
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 20 July 2009 - 05:19 PM

The problem is still occurring. Whenever I turn on my computer, after logging in I get a message saying that some component has failed to load and that shutdown will ensue. After running shutdown -a, my computer remains on, but with very limited functionality (no internet, no search, can only shut down by pressing the power button, can't log out at all, etc) Here are the files that you asked for, hopefully they get things moving. Thanks for your help.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Dave at 18:07:06.51 on Mon 07/20/2009
Internet Explorer: 7.0.5730.11

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = google.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071228
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [MPlayer2_FixUp] c:\windows\inf\unregmp2.exe /Fixups
StartupFolder: c:\docume~1\dave\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240345491765
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240345429859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: mdc - SsoWindows.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\98ub6eby.default\
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-22 19:44 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2009-07-20 18:06 17,408 a---h--- c:\windows\system32\rpcnetp.exe
2009-07-20 18:06 17,408 a---h--- c:\windows\system32\rpcnetp.dll
2009-07-20 18:06 56,680 a------- c:\windows\system32\rpcnet.dll
2009-06-07 12:24 168,208 a------- c:\windows\system32\guard32.dll
2009-06-07 12:24 24,096 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-07 12:23 132,640 a------- c:\windows\system32\drivers\cmdguard.sys
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 22:50 13,160 a------- c:\windows\system32\Upgrd.exe
2009-05-21 22:50 56,680 a------- c:\windows\system32\rpcnet.exe
2009-05-21 22:50 56,680 a------- c:\windows\system32\NTAgent.exe
2009-05-02 18:51 34 a------- c:\documents and settings\dave\jagex_runescape_preferences.dat
2009-04-24 10:42 529,858 a------- c:\windows\system32\PerfStringBackup.TMP
2009-04-23 10:41 77,803 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-12-28 16:29 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 18:09:04.76 ===============

Attached Files



#4 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:50 AM

Posted 21 July 2009 - 11:15 AM

Hello dco4, and welcome to BleepingComputer.com! I will be handling your log to help you get cleaned up. :thumbup2:

Please take note of the following:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • Please don't run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
  • If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
    NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure.
  • Please reply to this thread. Do not start a new topic.
Now please give me a bit of time to review your logs, I will get back to you as soon as possible. Note that reviewing your log(s) requires an amount of research, so please be patient. Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:50 AM

Posted 21 July 2009 - 06:01 PM

Hello there, dco4.

Hmm. Have you cut any info out of the DDS log? Please confirm.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


! Peer-to-peer (P2P) program WARNING !
  • Your log shows that you are using a so called peer-to-peer or file sharing program (in your case µTorrent). Programs like this one allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file sharing tools as a tremendous amount of prospective victims can be reached through it. It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File Sharing, otherwise known as Peer To Peer. (P2P) and Risks of File-Sharing Technology.

    Avoid gaming sites, pirated software, cracking tools, keygens, and P2P file sharing programs:
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious flash ads that install viruses, trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. It is pretty much certain that if you continue to use P2P programs, you will get infected again.

Due to the reasons mentioned above, I would strongly recommend that you uninstall µTorrent. The choice to remove it is entirely up to you, however, but I strongly recommend getting rid of it. If you agree, go to Start > Control Panel > Add or Remove Programs and remove µTorrent. If you do not agree, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.
Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as OpenOffice.

! WARNING: registry tool/cleaner !
  • The following is referring to Uniblue RegistryBooster 2009. Please be aware that BleepingComputer.com staff do NOT recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System.
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side. You should only use registry tools if you have a basic knowledge about the registry and know if a certain key/value is safe to be removed or not. However, cleaning the registry won't really improve system performance, even though there a lot of orphaned keys. IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry at you own risk. After all, a corrupted registry is a corrupted Windows.
:) Uninstall a program using Add or Remove Programs:
  • Go to Start -> Control Panel -> Add or Remove Programs.
    • A list of programs installed will be "populated"; this may take a bit of time.
  • Uninstall SearchAssist if it is listed by clicking the entry, selecting the Remove (or Change/Remove) button, and follow the on-screen uninstallation instructions.
    NOTE: Remember that this program may require you to reboot your computer to complete the uninstallation - just let it.

    This Add or Remove Programs entry seems to be adware. Also see this reference: Adware-SearchAssist. This page also labels the program as malware and recommends uninstalling the program.
:) Create logs with random's system information tool (RSIT):
  • Download random's system information tool (RSIT) by random/random from the link below and save it to your Desktop.
  • Double-click RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.RSIT will now start its scan.
  • When the scan is complete, two logs will open in Notepad (if not, they both can be found in the C:\rsit folder):
    • log.txt <- will be maximized
    • info.txt <- will be minimized;
    please copy (Ctrl+A, then Ctrl+C) and paste (Ctrl+V) the entire contents of both logs in your next reply.
:thumbup2: Scan for rootkits with GMER:
  • Download GMER from one of the following locations and save it to your Desktop:
  • Disconnect from the Internet and close all running programs and open windows (so that you have nothing open and are at the Desktop).
  • VERY IMPORTANT: Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER exe file (i.e., n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    NOTE: If you downloaded the zipped version, extract the file to its own folder (such as C:\gmer) first prior to double-clicking on gmer.exe:
    Posted ImageGMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. IMPORTANT: Do NOT use the computer while the scan is in progress!
  • If you receive a WARNING about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

    NOTES:
    * If you encounter any problems, try running GMER in Safe Mode.
    * Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries!


So in your next reply, please post the entire contents of:
  • RSIT's log.txt
  • RSIT's info.txt
  • the GMER log
NOTE: As these log files may be rather large, use several posts if necessary to include everything in the requested logs. Make sure you post entire logs and please do not modify any things within. :cool:

Can you also please let me know if you have installed Absolute Software's Computrace yourself? Do you know of its presence on your PC?

With Computrace, your IT staff can centrally track devices, automate hardware and software inventory, remotely delete data and help get back stolen computers.

Is this a business computer?
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#6 dco4

dco4
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 23 July 2009 - 12:08 PM

To the best of my knowledge the DDS log is complete. If you want, I could rerun the scan.

Computrace, to the best of my knowledge, refers to Computrace Lojack, which I had installed on my computer when I bought it. So to answer the question, yes I am aware of its presence, and it seems to be safe.

I uninstalled utorrent as well as SearchAssist, but that is about the extent of what I was able to do.

While running rsit, at the point where it says that it is running hijackthis, I got a notification saying: "The instruction at "0x837da103" referenced memory at"0x837da103". The memory could not be "read"."
Clicking ok on this window then ends the rsit scan, with no logs being completed. Additionally, running gmer yields the following error: "Gmer device error \\.\aujasnkj: the system cannot find the file specified. and no log is produced. Let me know what steps to take from here. If you would like, I could provide the exact text of the original error messages I get upon turning on the computer. Just let me know.

#7 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:50 AM

Posted 23 July 2009 - 02:34 PM

Hello, dco4!

OK, let's try the following.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


:) Clean out some temporary data with ATF Cleaner:
  • Download ATF Cleaner by Atribune and save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program[checkbox name="Windows Vista?"] (XP), or right-click and select Run as administrator (Vista)[/checkbox].
  • Under the Main tab (at the top of the screen) - Select Files to Delete, put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button.

    If you use the Mozilla Firefox browser:
  • Click on the Firefox tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser:
  • Click on the Opera tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click the Exit button on the Main menu to close the program.

    For technical support, double-click the e-mail address located at the bottom of each menu.
:) Rename RSIT.exe to rs.com, then try running RSIT again.

If that does not work, then please provide me the logs from OTL instead:

  • Download OldTimer's OTL from the download link below and save it to your Desktop.
  • Double-click the OTL icon on your Desktop (OTL.exe) to run OTL.
  • Click the blue "Scan All Users" checkbox.
  • Push the blue Run Scan button.
  • When the scan is complete, two logs will open in Notepad (they can be found on the Desktop):
    • OTL.Txt <- will be opened
    • Extras.Txt <- will be minimized;
    please copy (Ctrl+A, then Ctrl+C) and paste (Ctrl+V) the entire contents of both logs in your next reply.

:thumbup2: Rename the name of the GMER executable file to something with random numbers (for example, ijfe835da.exe) and try running GMER again (following the instructions of my previous post).

If that does not work, then please download and run a scan with RootRepeal instead:

  • Download RootRepeal from the download link below and save it to your Desktop.
  • Extract the contents of RootRepeal.zip to your Desktop.
  • Double-click the extracted RootRepeal.exe on your Desktop to run RootRepeal.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. NOTE: This may take some time.
  • Once the scan completes, click the Save Report button. Save the log as RootRepeal.txt to the Desktop.
  • Post the log's entire contents in your next reply.



Thanks!

Edited by htv8, 23 July 2009 - 02:37 PM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#8 dco4

dco4
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 23 July 2009 - 07:01 PM

Alright, steps 1 and 2 went off without a hitch (well, RSIT still didn't work, but OTL was fine) but I was unable to get GMER or RootRepeal to work. RootRepeal said something along the lines of "be sure to be logged into an admin account." Unfortunately, whatever is causing the problems with my computer has also made it so that I am not logged into an actual account (When the computer automatically locks after I have been away for a while, it still requires the password associated with my login to get back on, but on the start menu, there is no indication that it recognizes me, and all processes are being run by "unknown" on task manager), so anything requiring admin type priviledges probably will not work at this stage.

That being said, here are the two OTL files:

1) OTL.txt

OTL logfile created on: 7/23/2009 7:43:25 PM - Run 1
OTL by OldTimer - Version 3.0.10.0 Folder = C:\Documents and Settings\Dave\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.77% Memory free
3.84 Gb Paging File | 3.26 Gb Available in Paging File | 85.04% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.04 Gb Total Space | 45.93 Gb Free Space | 43.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7.45 Gb Total Space | 7.40 Gb Free Space | 99.40% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAVESCOMPUTER
Current User Name: DAVESCOMPUTER
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/06/07 12:22:58 | 00,692,496 | ---- | M] () -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2007/03/30 15:26:12 | 03,891,200 | ---- | M] (Cisco Systems) -- C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
PRC - [2007/08/06 03:08:06 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2007/10/09 06:17:44 | 00,024,064 | -H-- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
PRC - [2007/10/09 06:17:40 | 01,921,024 | -H-- | M] (Dell Inc.) -- C:\WINDOWS\System32\bcmwltry.exe
PRC - [2008/07/07 09:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/05/21 22:50:53 | 00,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.exe
PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/07/10 00:21:56 | 00,851,968 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/07/09 23:58:30 | 00,162,328 | -H-- | M] (Intel Corporation) -- C:\WINDOWS\System32\hkcmd.exe
PRC - [2007/07/09 23:58:34 | 00,137,752 | -H-- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxpers.exe
PRC - [2007/08/28 16:54:58 | 00,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\OEM02Mon.exe
PRC - [2007/10/09 06:17:44 | 02,183,168 | -H-- | M] (Dell Inc.) -- C:\WINDOWS\System32\WLTRAY.exe
PRC - [2007/07/10 00:03:06 | 00,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/11/02 16:05:50 | 00,282,624 | -H-- | M] (Knowles Acoustics) -- C:\WINDOWS\System32\KADxMain.exe
PRC - [2006/10/03 13:37:04 | 00,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2007/07/09 23:58:38 | 00,252,440 | -H-- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxsrvc.exe
PRC - [2006/11/05 13:22:16 | 00,221,184 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
PRC - [2007/04/16 18:10:26 | 00,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2006/12/10 22:52:38 | 00,049,152 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
PRC - [2007/08/24 08:00:48 | 00,033,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2006/10/12 03:10:54 | 00,049,263 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
PRC - [2009/06/07 12:23:12 | 01,794,320 | ---- | M] () -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2007/10/11 11:49:50 | 00,465,136 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
PRC - [2009/06/30 20:27:53 | 01,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2006/11/03 20:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2006/11/05 12:55:48 | 00,010,752 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
PRC - [2006/10/03 13:35:42 | 00,221,184 | ---- | M] (Macrovision Corporation) -- c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2006/10/03 13:39:58 | 00,512,000 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
PRC - [2006/10/12 03:10:54 | 00,241,775 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
PRC - [2009/07/23 18:51:40 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Dave\Desktop\ATF-Cleaner.exe
PRC - [2009/07/23 18:52:46 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/07 09:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Stopped])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/08/06 03:08:06 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [On_Demand | Stopped])
SRV - [2007/08/06 03:08:06 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
SRV - [2007/03/30 15:26:12 | 03,891,200 | ---- | M] (Cisco Systems) -- C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe -- (Cisco Secure Services Client [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/06/07 12:22:58 | 00,692,496 | ---- | M] () -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent [Auto | Running])
SRV - [2007/10/11 11:49:46 | 00,076,016 | ---- | M] () -- C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe -- (DellAMBrokerService [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2004/08/04 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/01/20 00:52:32 | 00,225,280 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08 [On_Demand | Running])
SRV - [2007/01/20 00:52:32 | 00,131,072 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc [Auto | Running])
SRV - [2004/10/22 05:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/01/06 14:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2007/04/25 23:19:46 | 00,167,936 | ---- | M] () -- c:\altera\71\quartus\bin\jtagserver.exe -- (JTAGServer [Auto | Stopped])
SRV - [2007/08/11 20:05:27 | 03,093,872 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2007/08/24 07:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2006/11/08 17:35:36 | 00,043,520 | -H-- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZinw12.dll -- (Net Driver HPZ12 [Auto | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/24 04:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/11/08 17:35:38 | 00,053,248 | -H-- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Stopped])
SRV - File not found -- -- (PSEXESVC [On_Demand | Stopped])
SRV - [2006/11/05 13:15:12 | 00,880,640 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
SRV - [2006/11/05 13:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Stopped])
SRV - [2009/05/21 22:50:53 | 00,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.exe -- (Rpcnet [Auto | Running])
SRV - [2007/09/07 22:33:32 | 02,532,736 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService [Auto | Stopped])
SRV - [2007/09/07 22:35:04 | 00,234,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC [On_Demand | Stopped])
SRV - [2006/09/14 16:54:34 | 00,073,728 | ---- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])
SRV - [2007/09/06 03:55:38 | 02,177,464 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [On_Demand | Stopped])
SRV - [2004/08/04 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (uploadmgr [Auto | Stopped])
SRV - [2007/10/09 06:17:44 | 00,024,064 | -H-- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 15:51:56 | 00,005,248 | -H-- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2007/02/10 07:03:58 | 00,007,680 | -H-- | M] (Altera Corporation) -- C:\WINDOWS\System32\drivers\pgdhdlc.sys -- (AlteraByteBlaster [Auto | Stopped])
DRV - [2004/08/04 01:07:44 | 00,043,008 | -H-- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2005/08/12 19:50:46 | 00,016,128 | -H-- | M] (Dell Inc) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV [System | Running])
DRV - [2001/08/17 15:52:00 | 00,026,496 | -H-- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 15:51:58 | 00,014,848 | -H-- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2007/10/09 06:17:42 | 01,123,328 | -H-- | M] (Broadcom Corp.) -- C:\WINDOWS\System32\DRIVERS\bcmwl5.sys -- (BCM43XX [On_Demand | Running])
DRV - [2007/07/10 17:07:56 | 00,045,568 | -H-- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
DRV - [2009/06/07 12:23:59 | 00,132,640 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdguard.sys -- (cmdGuard [System | Running])
DRV - [2009/06/07 12:24:14 | 00,024,096 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdhlp.sys -- (cmdHlp [System | Running])
DRV - [2001/08/17 15:51:54 | 00,006,656 | -H-- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 15:52:16 | 00,179,584 | -H-- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2007/08/23 20:29:10 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\System32\DRIVERS\datunidr.sys -- (datunidr [Auto | Running])
DRV - [2006/08/18 15:17:46 | 00,035,096 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLABMFSM.SYS -- (DLABMFSM [Auto | Running])
DRV - [2006/08/18 15:17:40 | 00,032,472 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
DRV - [2006/08/11 12:35:18 | 00,012,920 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
DRV - [2006/08/18 15:18:08 | 00,009,400 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLADResM.SYS -- (DLADResM [Auto | Running])
DRV - [2006/08/18 15:17:38 | 00,104,472 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
DRV - [2006/08/18 15:17:42 | 00,026,008 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
DRV - [2006/08/18 15:17:38 | 00,014,520 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
DRV - [2006/08/11 12:35:16 | 00,028,184 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLARTL_M.SYS -- (DLARTL_M [System | Running])
DRV - [2006/08/18 15:17:44 | 00,094,648 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
DRV - [2006/08/18 15:17:44 | 00,097,848 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
DRV - [2006/07/21 13:21:26 | 00,099,176 | -H-- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2006/08/11 13:05:58 | 00,051,768 | -H-- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
DRV - [2006/11/02 14:31:38 | 00,103,168 | -H-- | M] (Knowles Acoustics) -- C:\WINDOWS\System32\drivers\dxec02.sys -- (DXEC02 [On_Demand | Running])
DRV - [2001/08/17 14:12:10 | 00,117,760 | -H-- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2009/02/25 05:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/02/25 05:00:00 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2008/04/17 14:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2004/08/12 19:45:54 | 00,137,728 | -H-- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2006/12/06 02:02:28 | 00,049,920 | RH-- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2006/12/06 02:02:28 | 00,016,496 | RH-- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2006/12/06 02:02:29 | 00,021,568 | RH-- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2007/07/16 22:26:46 | 00,209,152 | -H-- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Running])
DRV - [2007/07/16 22:26:46 | 00,989,696 | -H-- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2007/07/09 23:58:42 | 05,707,744 | -H-- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2007/05/08 22:22:58 | 00,277,784 | -H-- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2009/06/07 12:24:15 | 00,082,080 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect [Boot | Running])
DRV - [2007/07/16 22:26:46 | 00,012,672 | -H-- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2001/08/17 15:52:12 | 00,017,280 | -H-- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2008/08/20 22:41:33 | 00,021,395 | -H-- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\Mtghouse.sys -- (Mtghouse [Auto | Running])
DRV - [2009/06/16 04:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090708.002\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/06/16 04:00:00 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090708.002\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2004/08/04 00:29:56 | 01,897,408 | -H-- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2007/08/28 16:54:56 | 00,235,520 | -H-- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\DRIVERS\OEM02Dev.sys -- (OEM02Dev [On_Demand | Running])
DRV - [2007/08/28 16:55:06 | 00,007,424 | -H-- | M] (EyePower Games Pte. Ltd.) -- C:\WINDOWS\System32\DRIVERS\OEM02Vfx.sys -- (OEM02Vfx [On_Demand | Running])
DRV - [2005/09/18 19:02:52 | 00,005,632 | ---- | M] () -- C:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter [On_Demand | Stopped])
DRV - [2004/08/04 07:00:00 | 00,017,792 | -H-- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/10/05 18:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellAutomatedPCTuneUp\GTAction\triggers\PTproct.sys -- (PTproct [On_Demand | Running])
DRV - [2006/08/16 05:00:00 | 00,036,592 | -H-- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 15:52:20 | 00,040,320 | -H-- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 15:52:20 | 00,045,312 | -H-- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 15:52:18 | 00,049,024 | -H-- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2007/07/10 16:22:18 | 00,032,256 | -H-- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimmptsk.sys -- (rimmptsk [Auto | Running])
DRV - [2007/07/10 16:22:20 | 00,043,520 | -H-- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimsptsk.sys -- (rimsptsk [Auto | Running])
DRV - [2007/07/10 16:22:22 | 00,037,376 | -H-- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rixdptsk.sys -- (rismxdp [Auto | Running])
DRV - [2009/03/31 19:35:17 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2008/12/04 14:50:06 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
DRV - [2008/12/04 14:50:02 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | -H-- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/02/10 07:05:48 | 00,076,288 | -H-- | M] (Rainbow Technologies, Inc.) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel [Auto | Running])
DRV - [2004/08/04 01:07:44 | 00,041,088 | -H-- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2007/02/10 07:06:08 | 00,026,120 | -H-- | M] (Rainbow Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\SNTNLUSB.SYS -- (Sntnlusb [On_Demand | Stopped])
DRV - [2001/08/17 16:07:44 | 00,019,072 | -H-- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2007/07/31 02:17:26 | 00,418,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
DRV - [2007/08/14 17:54:00 | 00,250,416 | -H-- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSP.SYS -- (SRTSP [System | Running])
DRV - [2007/08/14 17:54:00 | 00,277,040 | -H-- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPL.SYS -- (SRTSPL [On_Demand | Stopped])
DRV - [2007/08/14 17:54:00 | 00,025,136 | -H-- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2007/07/10 00:03:04 | 01,222,840 | -H-- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
DRV - [2001/08/17 16:07:34 | 00,016,256 | -H-- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 16:07:36 | 00,032,640 | -H-- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2008/08/20 22:37:48 | 00,136,496 | -H-- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2007/01/09 16:46:26 | 00,027,576 | -H-- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Stopped])
DRV - [2007/01/09 16:46:26 | 00,191,544 | -H-- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2001/08/17 16:07:40 | 00,028,384 | -H-- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 16:07:42 | 00,030,688 | -H-- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2007/07/10 00:21:54 | 00,202,912 | -H-- | M] (Synaptics, Inc.) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2001/08/17 15:52:22 | 00,036,736 | -H-- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2007/07/16 22:26:46 | 00,730,112 | -H-- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071228


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071228
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3071228
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = google.com
IE - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\S-1-5-21-1546363167-3062639316-2670174690-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\S-1-5-21-1546363167-3062639316-2670174690-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {61FD08D8-A2CB-46c0-B36D-3F531AC53C12}:1.3.2008052801
FF - prefs.js..extensions.enabledItems: {2e61e246-e640-4c56-b1ed-f146dbed48cd}:0.7.3
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.24
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.3

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/01/29 03:42:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/04/23 21:17:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/04/23 21:17:46 | 00,000,000 | ---D | M]

[2008/10/01 19:24:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dave\Application Data\mozilla\Extensions
[2008/06/17 17:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dave\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/10/01 19:24:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dave\Application Data\mozilla\Extensions\songbird@songbirdnest.com
[2009/07/03 19:08:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dave\Application Data\mozilla\Firefox\Profiles\98ub6eby.default\extensions
[2008/06/17 17:36:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dave\Application Data\mozilla\Firefox\Profiles\98ub6eby.default\extensions\{2e61e246-e640-4c56-b1ed-f146dbed48cd}
[2008/07/05 12:27:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dave\Application Data\mozilla\Firefox\Profiles\98ub6eby.default\extensions\{61FD08D8-A2CB-46c0-B36D-3F531AC53C12}
[2008/07/05 12:27:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dave\Application Data\mozilla\Firefox\Profiles\98ub6eby.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2008/01/16 13:00:03 | 00,002,520 | ---- | M] () -- C:\Documents and Settings\Dave\Application Data\Mozilla\FireFox\Profiles\98ub6eby.default\searchplugins\mozilla-add-ons.xml
[2008/07/05 12:27:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/12/14 02:19:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/12/14 02:19:40 | 00,023,040 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2008/12/14 02:19:40 | 00,134,656 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/12/14 02:19:49 | 00,065,536 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/26 21:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2008/02/04 18:49:18 | 00,663,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npOGAPlugin.dll
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/04/23 21:17:45 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/04/23 21:17:45 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/04/23 21:17:45 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/04/23 21:17:45 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/04/23 21:17:45 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/04/23 21:17:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/04/23 21:17:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2005/08/09 14:42:53 | 00,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\mozilla firefox\plugins\npunagi2.dll
[2008/12/14 02:19:57 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/12/14 02:19:57 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/12/14 02:19:57 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/12/14 02:19:57 | 00,002,642 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/12/14 02:19:57 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/12/14 02:19:57 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/12/14 02:19:57 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ()
O4 - HKLM..\Run: [DELL Webcam Manager] File not found
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\System32\KADxMain.exe (Knowles Acoustics)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006..\Run: [DellAutomatedPCTuneUp] File not found
O4 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006..\Run: [Uniblue RegistryBooster 2009] File not found
O4 - HKU\.DEFAULT..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Dave\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-21-1546363167-3062639316-2670174690-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1240345491765 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1240345429859 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\mdc: DllName - SsoWindows.dll - C:\WINDOWS\System32\SsoWindows.dll (Cisco Systems)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digeste.dll) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 15:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe ()
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/07/23 19:42:57 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\OTL.exe
[2009/07/23 19:42:32 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\rs.com
[2009/07/23 19:39:34 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Dave\Desktop\ATF-Cleaner.exe
[2009/07/23 12:52:17 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\e1n08i9b.exe
[2009/07/23 12:46:22 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\RSIT.exe
[2009/01/01 15:13:10 | 00,017,408 | -H-- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2008/12/22 02:16:47 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/12/22 02:16:19 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/12/18 14:35:39 | 00,168,208 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll
[2008/04/30 17:04:31 | 00,008,192 | -H-- | C] ( ) -- C:\WINDOWS\System32\cshost.dll
[2008/04/17 14:09:31 | 00,176,235 | -H-- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/01/12 15:26:28 | 00,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/12/28 16:52:30 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/12/28 16:41:43 | 00,198,144 | -H-- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2007/12/28 16:38:41 | 00,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/12/28 16:30:40 | 00,139,264 | -H-- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/12/28 16:30:39 | 00,753,664 | -H-- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/12/28 16:00:13 | 00,910,304 | -H-- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/12/28 16:00:13 | 00,204,800 | -H-- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4831.dll
[2007/12/28 16:00:11 | 00,016,480 | -H-- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/12/28 15:58:32 | 00,001,121 | -H-- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/11/07 06:25:58 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\px.ini
[2006/11/06 18:49:36 | 00,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/09/17 01:36:50 | 00,520,192 | -H-- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/17 01:36:50 | 00,204,800 | -H-- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/07/06 13:53:56 | 00,003,584 | -H-- | C] () -- C:\WINDOWS\System32\wceprv.dll
[2004/08/10 15:12:05 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 15:01:18 | 00,001,793 | -H-- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 14:51:28 | 00,000,617 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/10 14:51:26 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1997/06/13 22:56:08 | 00,056,832 | -H-- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Files - Modified Within 30 Days ==========

[43 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/07/23 19:38:30 | 00,017,408 | -H-- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2009/07/23 18:52:46 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\OTL.exe
[2009/07/23 18:51:40 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Dave\Desktop\ATF-Cleaner.exe
[2009/07/23 12:37:28 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\e1n08i9b.exe
[2009/07/23 12:36:40 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\RSIT.exe
[2009/07/23 12:36:40 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\rs.com
[2009/07/20 18:06:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/20 18:06:06 | 00,017,408 | -H-- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2009/07/20 18:06:05 | 00,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2009/07/20 18:05:42 | 00,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/20 18:05:29 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/20 18:05:14 | 21,370,38848 | -HS- | M] () -- C:\hiberfil.sys
[2009/07/11 22:50:28 | 00,002,237 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\pcspim.exe.lnk
[2009/07/10 23:25:03 | 00,032,256 | ---- | M] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/10 23:12:08 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\iTunes.lnk
[2009/07/09 18:11:38 | 00,002,473 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\Microsoft Office Excel 2007.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 22528 bytes -> C:\WINDOWS\System32\autochk.exe:BAK
< End of report >


2)extras.txt

OTL Extras logfile created on: 7/23/2009 7:43:25 PM - Run 1
OTL by OldTimer - Version 3.0.10.0 Folder = C:\Documents and Settings\Dave\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.77% Memory free
3.84 Gb Paging File | 3.26 Gb Available in Paging File | 85.04% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.04 Gb Total Space | 45.93 Gb Free Space | 43.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7.45 Gb Total Space | 7.40 Gb Free Space | 99.40% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAVESCOMPUTER
Current User Name: DAVESCOMPUTER
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\opera.exe (Opera Software)

[HKEY_USERS\S-1-5-21-1546363167-3062639316-2670174690-1006\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\Java\jre1.5.0_09\bin\javaw.exe" = C:\Program Files\Java\jre1.5.0_09\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Dell\MediaDirect\PCMService.exe" = C:\Program Files\Dell\MediaDirect\PCMService.exe:*:Disabled:CyberLink PowerCinema Resident Program -- (CyberLink Corp.)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Disabled:DNA -- ()
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Disabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Disabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Symantec AntiVirus\Smc.exe" = C:\Program Files\Symantec AntiVirus\Smc.exe:*:Disabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec AntiVirus\SNAC.EXE" = C:\Program Files\Symantec AntiVirus\SNAC.EXE:*:Disabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Disabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox -- (Yahoo! Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{20159B36-3A64-49AB-B3AA-FE6DE1D93C7C}" = Computrace
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{32A3A4F4-B792-11D6-A78A-00B0D0150090}" = J2SE Development Kit 5.0 Update 9
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{38B39865-D988-4945-9A22-6107B8B40953}" = C4200
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}" = Dell DataSafe Online
"{50CE21D8-0F44-4f3f-A392-7F9AD3194DEF}" = PS_AIO_Software
"{56094E08-F03C-4C05-9054-8E0417ADE028}" = Cisco Secure Services Client
"{5C7A0869-B0DC-486C-9174-BB21B8A38406}" = Quartus II 7.1 Web Edition
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{8641C1CB-03B3-41d4-8DEC-79826A4B5C0E}" = HP Photosmart All-In-One Software 8.0
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}" = Opera 9.64
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}" = Copy
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B668B2B8-70D4-4754-A890-17C1DDDA9418}" = PS_AIO_Software_min
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D10227CA-792C-4517-872A-8AF5DB472D48}" = PCSpim
"{D1B5E9C8-4CCF-44E3-87D6-7C00D7DA5370}" = IntelliSonic Speech Enhancement
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E3030F57-9E6B-4E36-95B6-F7B4DBDEB8FB}" = HP Smart Web Printing 1.0
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E65CA2A8-1F2A-4400-AE55-FFD43D3B6980}" = c4200_Help
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}" = Yahoo! Music Jukebox
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}" = Symantec Endpoint Protection
"{FE0C305A-37EE-4499-B4CF-0182E37B20C4}" = PS_AIO_ProductContext
"{FE34691C-4298-4667-9758-D7F534DD0B94}" = Dell Automated PC TuneUp
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"7-Zip" = 7-Zip 4.62
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"Audacity_is1" = Audacity 1.2.6
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"COMODO Internet Security" = COMODO Internet Security
"Creative OEM002" = Laptop Integrated Webcam Driver (1.03.02.0719)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"ENTERPRISER" = Microsoft Office Enterprise 2007
"GTK 2.0" = GTK+ Runtime 2.12.8 rev a (remove only)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LastFM_is1" = Last.fm 1.5.4.24567
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2008a" = MATLAB R2008a
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.3)" = Mozilla Firefox (3.0.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PeerGuardian_is1" = PeerGuardian 2.0
"Pidgin" = Pidgin
"PrimoPDF4.0.1" = PrimoPDF
"Rainbow Sentinel Driver" = Sentinel System Driver
"RollerCoaster Tycoon Setup" = RolllayN
"SynTPDeinstKey" = Dell Touchpad
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"winscp3_is1" = WinSCP 4.0.6
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Xvid_is1" = Xvid 1.1.3 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80040205 from line 464 of d:\comxp_sp2\com\com1x\src\events\tier2\notify.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4617
Description = The COM+ Event System raised an unexpected exception 800703E6 at address
0x7C812A6B. Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80040205 from line 464 of d:\comxp_sp2\com\com1x\src\events\tier2\notify.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4617
Description = The COM+ Event System raised an unexpected exception 800703E6 at address
0x7C812A6B. Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80040205 from line 464 of d:\comxp_sp2\com\com1x\src\events\tier2\notify.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4617
Description = The COM+ Event System raised an unexpected exception 800703E6 at address
0x7C812A6B. Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80040205 from line 464 of d:\comxp_sp2\com\com1x\src\events\tier2\notify.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4617
Description = The COM+ Event System raised an unexpected exception 800703E6 at address
0x7C812A6B. Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80040205 from line 464 of d:\comxp_sp2\com\com1x\src\events\tier2\notify.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 7/20/2009 6:06:22 PM | Computer Name = DAVESCOMPUTER | Source = Winlogon | ID = 1015
Description = A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
status code c06d007e. The machine must now be restarted.

[ OSession Events ]
Error - 4/3/2008 3:32:51 PM | Computer Name = DAVESCOMPUTER | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6211.1000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 5383 seconds with 3240 seconds of active time. This session ended with a
crash.

Error - 12/10/2008 10:00:12 PM | Computer Name = DAVESCOMPUTER | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 1912 seconds with 900 seconds of active time. This session ended with a
crash.

Error - 3/18/2009 12:12:54 AM | Computer Name = DAVESCOMPUTER | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 42 seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/19/2009 12:27:48 AM | Computer Name = DAVESCOMPUTER | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 36 seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/19/2009 12:43:43 AM | Computer Name = DAVESCOMPUTER | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 65 seconds with 60 seconds of active time. This session ended with a crash.

Error - 4/18/2009 7:56:43 PM | Computer Name = DAVESCOMPUTER | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session
lasted 45 seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 7/10/2009 7:12:29 PM | Computer Name = DAVESCOMPUTER | Source = DCOM | ID = 10010
Description = The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register
with DCOM within the required timeout.

Error - 7/10/2009 11:07:22 PM | Computer Name = DAVESCOMPUTER | Source = W32Time | ID = 39452676
Description = The time provider 'NtpServer' failed to start due to the following
error: Invalid access to memory location. (0x800703E6)

Error - 7/10/2009 11:13:30 PM | Computer Name = DAVESCOMPUTER | Source = DCOM | ID = 10010
Description = The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register
with DCOM within the required timeout.

Error - 7/11/2009 1:05:24 PM | Computer Name = DAVESCOMPUTER | Source = W32Time | ID = 39452676
Description = The time provider 'NtpServer' failed to start due to the following
error: Invalid access to memory location. (0x800703E6)

Error - 7/11/2009 1:05:58 PM | Computer Name = DAVESCOMPUTER | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 7/11/2009 1:06:41 PM | Computer Name = DAVESCOMPUTER | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 7/20/2009 6:06:08 PM | Computer Name = DAVESCOMPUTER | Source = W32Time | ID = 39452676
Description = The time provider 'NtpServer' failed to start due to the following
error: Invalid access to memory location. (0x800703E6)

Error - 7/20/2009 6:12:02 PM | Computer Name = DAVESCOMPUTER | Source = DCOM | ID = 10010
Description = The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register
with DCOM within the required timeout.

Error - 7/23/2009 12:43:41 PM | Computer Name = DAVESCOMPUTER | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 7/23/2009 12:45:30 PM | Computer Name = DAVESCOMPUTER | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.


< End of report >

#9 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:50 AM

Posted 24 July 2009 - 02:02 PM

Hello there, dco4.

First of all, I have to say that solving the problems you are encountering can be a bit tricky. As of now, I don't know what's causing these problems and because I am not very familiar with problems like these, I have to do extra research. This could mean that the response time to you could be a bit longer than usual. Besides, fixing this will likely take more time in general as we have to "try" some things (because I don't know what's actually going on as of yet). Hope you understand. :cool:

[..] RootRepeal said something along the lines of "be sure to be logged into an admin account." Unfortunately, whatever is causing the problems with my computer has also made it so that I am not logged into an actual account (When the computer automatically locks after I have been away for a while, it still requires the password associated with my login to get back on, but on the start menu, there is no indication that it recognizes me, and all processes are being run by "unknown" on task manager), so anything requiring admin type priviledges probably will not work at this stage.
[..]

Thanks for letting me know. OTL was able to run because it apparently did recognize you being logged in as an Administrator.

Now let's try the following.



Before we begin, you should save the GMER/RootRepeal instructions (see my second post and third post) in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost. Some of the instructions will need to be carried out in Safe Mode where Internet access is not available, and thus you will be unable to access this thread at that time.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


:) Let's have a look at your user accounts and permissions by running SWWhoAmI:
  • Download SWWhoAmI from the download link below and save it to your Desktop.
  • Download the attached export.bat file to your Desktop as well.Attached File  export.bat   104bytes   13 downloads
  • Locate export.bat on your Desktop and double-click on it.Notepad (Output.txt) will now open up with the results (some text and numbers).
  • Copy the entire contents of that Notepad file and post them here as a reply to this post.
:) Reboot your computer into Safe Mode.
Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard. Make sure you choose neither the "Safe Mode with Networking" nor the "Safe Mode with Command Prompt" options. We want simply "Safe Mode".
Login with your usual account (not "Administrator").

:thumbup2: When in Safe Mode, try again to scan for rootkits with GMER. If GMER again doesn't want to run, try RootRepeal once more.



So in your next reply, please post the following:
  • the SWWhoAmI results (Output.txt)
  • the GMER log (or the RootRepeal report)
Hope this works. :) If it doesn't, I think we have to try something more powerful...
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#10 dco4

dco4
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 26 July 2009 - 01:28 PM

alright, GMER ran in safe mode. I did root repeal too, because GMER's results seemed a little light. I figure that it would be better to have both just in case GMER wasn't enough.

whoami results:

Users on this computer:
Is Admin? | Username
------------------

Integer overflow


Unknown response from NetUserGetInfo: 2138


GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-26 12:33:50
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 8A833180 ZwEnumerateKey
Code 8A839260 ZwFlushInstructionCache
Code 8A8899DE IofCallDriver
Code 8A9B41DE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 8A8899E3
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8A9B41E3
PAGE ntoskrnl.exe!ZwEnumerateKey 80578EE4 5 Bytes JMP 8A833184
PAGE ntoskrnl.exe!ZwFlushInstructionCache 805873DB 5 Bytes JMP 8A839264

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[272] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\winlogon.exe[272] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[272] Secur32.dll!LsaLogonUser 77FE33D8 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[272] USER32.dll!SwitchDesktop 7E429496 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[272] USER32.dll!SwitchDesktop + 4 7E42949A 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[272] USERENV.dll!LoadUserProfileW 769CA2C7 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[272] USERENV.dll!LoadUserProfileW + 4 769CA2CB 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[272] USERENV.dll!UnloadUserProfile 76A1D4A7 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[320] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\lsass.exe[332] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0067000A
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0066000A
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[652] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0063000A
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[744] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00E2000A
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Root Repeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/26 12:34
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF7667000 Size: 53248 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A8000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF74C0000 Size: 95360 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: aujasnkj.sys
Image Path: C:\DOCUME~1\Dave\LOCALS~1\Temp\aujasnkj.sys
Address: 0xB9CC3000 Size: 81664 File Visible: No Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF789F000 Size: 16384 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79B1000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7577000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF76B7000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7637000 Size: 53248 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF789B000 Size: 9344 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7627000 Size: 36352 File Visible: - Signed: -
Status: -

Name: DLACDBHM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLACDBHM.SYS
Address: 0xF799B000 Size: 6016 File Visible: - Signed: -
Status: -

Name: DLARTL_M.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLARTL_M.SYS
Address: 0xF7727000 Size: 21280 File Visible: - Signed: -
Status: -

Name: DRVMCDB.SYS
Image Path: DRVMCDB.SYS
Address: 0xF784F000 Size: 90080 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBA35F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79C1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xBA7A5000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7A9A000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xBA377000 Size: 143360 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF7877000 Size: 128896 File Visible: - Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79AD000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74D8000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xBA7B5000 Size: 9984 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806FF000 Size: 134272 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xBA653000 Size: 155648 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF7587000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF77EF000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xBA53C000 Size: 9600 File Visible: - Signed: -
Status: -

Name: hjgruifiysrrsn.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruifiysrrsn.sys
Address: 0xBA48A000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF79A9000 Size: 8192 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7697000 Size: 52736 File Visible: - Signed: -
Status: -

Name: iaStor.sys
Image Path: iaStor.sys
Address: 0xF7402000 Size: 778240 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF76A7000 Size: 41856 File Visible: - Signed: -
Status: -

Name: inspect.sys
Image Path: inspect.sys
Address: 0xF7974000 Size: 75392 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7817000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xBA599000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7838000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7807000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xBA6B4000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7607000 Size: 42240 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF780F000 Size: 19072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA7A1000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xBA7E5000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\NDIS.SYS
Address: 0xF7A22000 Size: 182912 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF774F000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7A9C000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF7657000 Size: 61056 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7597000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7647000 Size: 35680 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF76C7000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rimmptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
Address: 0xF7687000 Size: 57344 File Visible: - Signed: -
Status: -

Name: rimsptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
Address: 0xBA63F000 Size: 81920 File Visible: - Signed: -
Status: -

Name: rixdptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
Address: 0xBA5EE000 Size: 331776 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9D57000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7865000 Size: 73472 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF79A3000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xBA5BC000 Size: 202912 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7717000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF76D7000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xBA540000 Size: 364160 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF779F000 Size: 31616 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7999000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7747000 Size: 27264 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF76E7000 Size: 57600 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xBA679000 Size: 143360 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF776F000 Size: 26496 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF77FF000 Size: 20480 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF775F000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xBA4D2000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000 Size: 52352 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF77D7000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xBA7A9000 Size: 8832 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

#11 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:50 AM

Posted 26 July 2009 - 05:22 PM

Hello dco4, and thanks for the logs. :thumbup2:



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the steps in the exact order in which they are mentioned below and do not miss any step out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Download and run sUBs' ComboFix (in Normal Mode):
  • Please download ComboFix from any of the links below and save it to your Desktop.
  • Rename ComboFix.exe to open.exe.
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double-click open.exe to launch ComboFix and follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once installed, you should see a screen prompt that says: "The Recovery Console was successfully installed.".
  • Click Yes to allow ComboFix to continue scanning for malware.
    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.

    NOTE: If the renamed ComboFix doesn't want to run in Normal Mode, please try running it in Safe Mode instead!

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again.


If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#12 dco4

dco4
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 27 July 2009 - 05:15 PM

Hey. I haven't yet run combofix, but I thought I'd let you know that I am not actually able to get online on the infected computer, so I won't be able to download the recovery console (unless I can just download it on this machine(Vista) which is what I've been doing for everything else). Is there a check that I can run to see if I already have it on my machine before running combofix? Can I just start Combofix and stop it if it is unable to locate the recovery console on my machine? I'll wait for your response so I don't end up accidentally permanently ruining my computer.

Edited by dco4, 27 July 2009 - 07:07 PM.


#13 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:50 AM

Posted 28 July 2009 - 02:12 PM

Hello dco4.

Thanks for letting me know that you are not able to get online with the infected machine. Because the Recovery Console is an important security and safety feature which you really do need to have installed, please disregard the instructions of my previous post and follow those listed below.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the steps in the exact order in which they are mentioned below and do not miss any step out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.
  • Remove any copies of ComboFix.exe that you have saved.
    :thumbup2:
  • Download ComboFix from any of the links below and save it to your Desktop.:)
  • Rename ComboFix.exe to open.exe.
    :)
  • Click on the following link to go to Microsoft's website: http://support.microsoft.com/kb/310994
  • At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the Service Pack level that you have installed. (If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download.) IMPORTANT: When you click on the link to download the file, make sure you save it directly to your Desktop (save as it's originally named!)
    Posted Image
    If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information:
    • Go to Start -> Run...
    • Type the following in the "Open:" field: sysdm.cpl
    • Click on the OK button or hit Enter
      • A screen will appear showing information about your installation. Under the "System:" category you should see your Windows version and the installed Service Pack.

  • Transfer all files you just downloaded, to the Desktop of the infected computer.
    :cool:
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
    :)
  • Referring to the picture below, drag the setup package on top of the ComboFix icon (open.exe in your case) and let your mouse button go. This will start ComboFix.Posted Image
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once installed, you should see a screen prompt that says "The Recovery Console was successfully installed.".
  • Click Yes to allow ComboFix to continue scanning for malware.
    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again.




Let me know how it goes. :)
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#14 dco4

dco4
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 29 July 2009 - 04:47 PM

I did what you said and started to run combofix. Before the scan started, it was unable to detect several files that I guess were supposed to be there. This also happened during the scan, and it is now apparently stalled, saying that it can't perform a deep scan without administrative priviledges. It has been at this point for about 25 or 30 minutes, but I don't want to click on anything because I'm not sure if it is scanning anything or is actually totally stalled. It seems like without my computer recognizing that I am logged into an account, I can't do anything. Should I try running it in safe mode, or are we getting to the point where I should prepare for some sort of drastic measures?

#15 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:50 AM

Posted 30 July 2009 - 02:04 AM

Try performing the above instructions in Safe Mode if ComboFix doesn't want to work within Normal mode. If you need them, instructions on how to start Windows into Safe Mode can be found here. Let me know how it goes. :thumbup2:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users