
Vista 64 Heavy CPU usage


This topic is locked. 23 replies to this topic.

#1 TampaMCSE (Members, 13 posts)

Posted 05 November 2010 - 02:39 PM

One of my user's laptops was having problems. I scanned it with Malwarebytes and found nothing, so I copied his drive to another drive for a backup. Later I found it had almost 3000 malware/trojan infections. I had to use many different scanners. Spyware Doctor found most of them.

I have run Malwarebytes and other scanners in safe mode on my system but still cannot find anything. However, when I am in normal mode something is running in the background. I see hard drive activity, and when I click on anything, both CPU cores run to 100%. When I watch with ProcExp from Sysinternals, I don't see what is running. I am thinking maybe a rootkit.

Below is the DDS text file captured while in safe mode. I have the attach.txt in a zip file attached.

Attached File: Attach.zip (3.71KB)


DDS (Ver_10-10-21.02) - NTFS_AMD64 NETWORK
Run by David Potter at 10:17:15.15 on Fri 11/05/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4090.3220 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Users\David Potter\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=0209&m=p-7805u&c=BB
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=0209&m=p-7805u&c=BB
uInternet Settings,ProxyOverride = *.local
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
mRun: [eRecoveryService]
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\DAVIDP~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\UltraMon.lnk - C:\Windows\Installer\{B49673F8-7AB6-4A14-8213-C8A7BE370010}\IcoUltraMon.ico
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\PGPTRA~1.LNK - C:\Windows\Installer\{217C5C5A-37CA-4CB5-BE1D-9694832F9DAA}\Icon6560581611.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\QUICKB~1.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Edit with Altova X&MLSpy - D:\Program Files (x86)\Altova\XMLSpy2010\spy.htm
IE: {2222EF56-F49E-4d07-A14E-8D2B08766958} - D:\Program Files (x86)\Altova\XMLSpy2010\spy.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
LSP: C:\Windows\system32\PGPlsp.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39905.3250810185
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {03613130-5511-45D5-958D-134619A707E4} = 4.2.2.1,4.2.2.2
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
AppInit_DLLs: PGPmapih.dll
LSA: Notification Packages = scecli PGPpwflt
mRun-x64: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
STS-X64: FencesShlExt Class: {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\DAVIDP~1\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com|http://www.ar15.com/forums/forum.html?b=10&f=17|http://hisz.rsoe.hu/alertmap/index2.php?area=usa&lang=eng|http://www.alpharubicon.com/mrpoyz-cgi-bin/rubicon/entrance.cgi|http://www.instructables.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: C:\Program Files (x86)\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\mozilla firefox\plugins\npunagi2.dll
FF - plugin: C:\Program Files (x86)\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\2.0.40115.0\npctrl.dll
FF - plugin: D:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: D:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll
FF - plugin: D:\Program Files (x86)\Nuance\PDF Reader\Bin\nppdf.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 dlkmdldr;dlkmdldr;C:\Windows\System32\drivers\dlkmdldr.sys [2010-3-17 13424]
R0 pgpfs;PGP File Sharing;C:\Windows\System32\drivers\PGPfsfd.sys [2010-4-1 169592]
R0 Pgpwdefs;Pgpwdefs;C:\Windows\System32\drivers\PGPwdefs.sys [2010-4-1 14456]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-5-13 55856]
R3 NETw5v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;C:\Windows\System32\drivers\NETw5v64.sys [2009-1-12 4730368]
R3 O2MDRDR;O2MDRDR;C:\Windows\System32\drivers\o2mdx64.sys [2008-5-13 62424]
R3 O2SDRDR;O2SDRDR;C:\Windows\System32\drivers\o2sdx64.sys [2008-6-11 51800]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2008-7-24 392192]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-3-30 135336]
S2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-3-30 267432]
S2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2010-3-30 81072]
S2 Ca1528av;SPCA1528 Video Camera Service;C:\Windows\System32\drivers\Ca1528av.sys [2010-5-19 533760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2009-6-3 72216]
S2 SSPORT;SSPORT;C:\Windows\System32\drivers\SSPORT.SYS [2008-4-30 11576]
S2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc --> RUNDLL32.EXE ykx64coinst,serviceStartProc [?]
S3 Bulk1528;SPCA1528 Still Camera Service;C:\Windows\System32\drivers\Bulk1528.sys [2010-5-19 14848]
S3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2009-1-13 294400]
S3 Commander Service;Commander Service;C:\Program Files (x86)\Seagull\BarTender\8.0\CmdrSrv.exe [2007-8-30 2471280]
S3 DisplayLinkService;DisplayLink Service;C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe [2008-10-20 733544]
S3 DisplayLinkUsbPort;DisplayLink USB Device;C:\Windows\System32\drivers\DisplayLinkUsbPort.sys [2008-10-20 16896]
S3 dlkmd;dlkmd;C:\Windows\System32\drivers\dlkmd.sys [2010-3-17 310896]
S3 EMP_NSWLSV;EMP_NSWLSV;C:\Program Files (x86)\EPSON Projector\EMP NS Connection V2\EMP_NSWLSV.exe [2010-2-1 98304]
S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 nusbhost;Network USB Host Controller;C:\Windows\System32\drivers\nusbhst.sys [2009-9-27 16384]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2008-12-22 65056]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 ReflectService;Macrium Reflect Image Mounting Service;D:\Program Files\Macrium\Reflect\ReflectService.exe [2008-8-6 291296]
S3 SS1CBAFDV;Wireless USB Cable Association Driver;C:\Windows\System32\drivers\SS1CBAFDV.sys [2008-7-1 22832]
S3 SS1PALHWA;Wireless USB Host Wire-Adapter;C:\Windows\System32\drivers\SS1PALHWA.sys [2008-7-30 203056]
S3 SS1USBPAL;Radio Controller Interface;C:\Windows\System32\drivers\SS1USBPAL.sys [2008-7-30 83760]
S3 T1PExGrp64;T1PExGrp64;C:\Windows\System32\drivers\T1PExGrp64.sys [2010-6-21 30336]
S3 T1PMrGrp64;T1PMrGrp64;C:\Windows\System32\drivers\T1PMrGrp64.sys [2010-6-21 32896]
S3 t1pusb64;Trigger 1+ Graphics Card;C:\Windows\System32\drivers\t1pusb64.sys [2010-6-21 128384]
S3 TeamViewer4;TeamViewer 4;C:\Program Files (x86)\TeamViewer\Version4\TeamViewer_Service.exe [2009-3-23 185640]
S3 TeamViewer5;TeamViewer 5;C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-1-12 185640]
S3 U2VSvr;U2VSvr;C:\Windows\System32\U2VSvr.exe [2010-6-21 270200]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-16 50176]
S3 uvnc_service;uvnc_service;C:\Users\David Potter\Downloads\UltraVNC_105_binX64\winvnc.exe [2008-8-30 1544768]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S3 WiCenterService;WiCenterService;C:\Program Files\Wireless USB Manager\WiCenterService.exe [2008-8-20 24576]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2008-1-20 22528]
S3 xVGAUSB64;USB 2.0 VGA DEVICE-1;C:\Windows\System32\drivers\xVGAUSB64.sys [2010-3-17 44800]
S4 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;D:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2008-5-28 92656]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-7-21 89920]
S4 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2009-2-13 24576]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-4-22 136176]

============== File Associations ===============

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-11-01 16:12:17 256609 ----a-w- C:\PROGRA~3\SEC68B1.tmp
2010-10-27 02:13:10 -------- d-----w- C:\PROGRA~3\Geek Squad
2010-10-25 01:04:25 -------- d-----w- C:\Users\DAVIDP~1\AppData\Roaming\JAM Software
2010-10-24 11:53:50 1927680 ----a-w- C:\Windows\System32\gameux.dll
2010-10-24 11:53:50 1696256 ----a-w- C:\Windows\SysWow64\gameux.dll
2010-10-24 11:53:47 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
2010-10-24 11:53:47 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll
2010-10-24 11:53:47 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll
2010-10-24 11:53:46 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
2010-10-15 03:30:08 408064 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
2010-10-15 03:30:08 339968 ----a-w- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
2010-10-15 03:30:08 1915904 ----a-w- C:\Windows\System32\ole32.dll
2010-10-15 03:30:08 1316864 ----a-w- C:\Windows\SysWow64\ole32.dll
2010-10-15 03:30:06 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2010-10-15 03:30:06 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2010-10-15 03:30:01 189952 ----a-w- C:\Windows\System32\t2embed.dll
2010-10-15 03:30:01 157184 ----a-w- C:\Windows\SysWow64\t2embed.dll
2010-10-15 03:30:00 633856 ----a-w- C:\Windows\System32\comctl32.dll
2010-10-15 03:30:00 531968 ----a-w- C:\Windows\SysWow64\comctl32.dll

==================== Find3M ====================

2010-10-14 11:47:52 123066 ----a-w- C:\Windows\SysWow64\PGPlspRollback.reg
2010-09-15 08:50:37 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-09-13 14:32:37 8147968 ----a-w- C:\Windows\System32\wmploc.DLL
2010-09-13 13:56:41 8147456 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2010-09-08 06:41:05 1147904 ----a-w- C:\Windows\System32\wininet.dll
2010-09-08 06:36:53 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2010-09-08 06:36:38 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2010-09-08 06:36:24 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2010-09-08 06:36:23 77312 ----a-w- C:\Windows\System32\iesetup.dll
2010-09-08 06:01:28 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2010-09-08 05:36:07 479232 ----a-w- C:\Windows\System32\html.iec
2010-09-08 05:04:36 385024 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-08 04:51:18 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2010-09-08 04:49:56 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-09-08 04:26:46 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-09-06 18:28:38 179712 ----a-w- C:\Windows\System32\srvsvc.dll
2010-09-06 18:28:38 12288 ----a-w- C:\Windows\System32\sscore.dll
2010-09-06 18:27:03 17920 ----a-w- C:\Windows\System32\netevent.dll
2010-09-06 16:20:29 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2010-09-06 16:19:06 17920 ----a-w- C:\Windows\SysWow64\netevent.dll
2010-09-06 15:34:14 451584 ----a-w- C:\Windows\System32\drivers\srv.sys
2010-09-06 15:33:51 175104 ----a-w- C:\Windows\System32\drivers\srv2.sys
2010-09-06 15:33:49 145920 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2010-08-31 14:57:39 2753024 ----a-w- C:\Windows\System32\win32k.sys
2010-08-26 17:40:08 100352 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2010-08-26 17:40:07 331776 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2010-08-26 17:40:07 284672 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2010-08-26 16:33:06 173056 ----a-w- C:\Windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- C:\Windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- C:\Windows\apppatch\AcGenral.dll
2010-08-20 16:57:50 1090048 ----a-w- C:\Windows\System32\wmpmde.dll
2010-08-20 16:05:07 867328 ----a-w- C:\Windows\SysWow64\wmpmde.dll
2010-08-17 14:54:20 273920 ----a-w- C:\Windows\System32\spoolsv.exe
2010-08-10 16:14:20 343040 ----a-w- C:\Windows\System32\schannel.dll
2010-08-10 15:53:15 274944 ----a-w- C:\Windows\SysWow64\schannel.dll

============= FINISH: 10:20:21.46 ===============

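As an added example for this thread (not code from the original post, and not part of DDS, OTL or any BleepingComputer tool), the Python script below parses the line shapes seen in the DDS log above and flags the persistence points a responder would verify by hand before reaching for a rootkit scanner: the `EnableLUA = 0` policy (UAC switched off), the `AppInit_DLLs` and LSA `Notification Packages` entries, the Winsock LSP, the service whose image is `RUNDLL32.EXE dll,export` and which DDS marked `[?]`, and the service whose binary lives in a user's Downloads folder. The sample input is copied from the log above; every rule is a heuristic that says "check this", not "this is malicious", and the reading of DDS's trailing `[?]` as "image file not located" is an assumption about DDS's notation.

```python
"""Triage a DDS log for persistence points worth verifying by hand.

Added example for this thread, not code from the original post and not
part of DDS, OTL or any BleepingComputer tool. It understands the line
shapes seen in the DDS output above (Pseudo HJT report and SERVICES /
DRIVERS). Every rule is a heuristic: a hit means "verify this entry",
not "this entry is malicious".
"""
import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the DDS log posted above.
SAMPLE_DDS = r"""
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
mRun: [eRecoveryService]
mPolicies-system: EnableLUA = 0 (0x0)
LSP: C:\Windows\system32\PGPlsp.dll
AppInit_DLLs: PGPmapih.dll
LSA: Notification Packages = scecli PGPpwflt
S2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-3-30 267432]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc --> RUNDLL32.EXE ykx64coinst,serviceStartProc [?]
S3 uvnc_service;uvnc_service;C:\Users\David Potter\Downloads\UltraVNC_105_binX64\winvnc.exe [2008-8-30 1544768]
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short category, e.g. "appinit_dll"
    detail: str  # what to go and verify
    line: str    # the DDS line that triggered the rule


# Service/driver lines: "S2 name;display name;image path [date size]" or "... [?]"
_SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")
# "rundll32.exe somedll,SomeExport", with or without a directory in front
_RUNDLL_RE = re.compile(r"^(?:.*\\)?rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)\s*,\s*(?P<export>\S+)", re.I)
_USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\", re.I)


def parse_rundll32(image):
    """Return (dll, export) for a 'rundll32.exe dll,Export' image, else None."""
    m = _RUNDLL_RE.match(image.strip())
    return (m.group("dll"), m.group("export")) if m else None


def _service_findings(line, m):
    name, image = m.group("name"), m.group("image")
    out = []
    # Assumption about DDS notation: a trailing "[?]" means DDS could not
    # locate the image file, so nothing about it was verified.
    unresolved = image.rstrip().endswith("[?]")
    image = re.sub(r"\s*-->.*$", "", image)          # drop "--> resolved path"
    image = re.sub(r"\s*\[[^\]]*\]\s*$", "", image)   # drop "[date size]" / "[?]"
    hosted = parse_rundll32(image)
    if hosted:
        dll, export = hosted
        out.append(Finding("rundll32_service",
                           f"service {name} is rundll32 loading {dll},{export}; find and check that DLL", line))
    if _USER_PROFILE_RE.search(image):
        out.append(Finding("service_in_user_profile",
                           f"service {name} runs from a user profile: {image}", line))
    if unresolved:
        out.append(Finding("image_not_found",
                           f"DDS could not resolve the image file for service {name}", line))
    return out


def _hjt_findings(line):
    key, _, value = line.partition(":")
    value = value.strip()
    out = []
    if key == "BHO" and value.endswith("- No File"):
        out.append(Finding("orphan_bho", f"BHO registered but its DLL is missing: {value}", line))
    elif key == "mPolicies-system" and re.match(r"EnableLUA\s*=\s*0\b", value):
        out.append(Finding("uac_disabled",
                           "EnableLUA = 0: UAC is off, so anything an admin user runs is already elevated", line))
    elif key == "AppInit_DLLs":
        for dll in value.split():
            out.append(Finding("appinit_dll",
                               f"{dll} is loaded into every process that loads user32.dll", line))
    elif key == "LSA" and value.startswith("Notification Packages"):
        for pkg in value.split("=", 1)[1].split():
            if pkg.lower() != "scecli":  # scecli is the Windows default package
                out.append(Finding("lsa_notification_package",
                                   f"{pkg} is loaded into lsass.exe and sees every password change", line))
    elif key == "LSP":
        out.append(Finding("winsock_lsp",
                           f"Winsock LSP {value} sits in the network path of every Winsock program", line))
    elif key in ("uRun", "mRun") and re.fullmatch(r"\[[^\]]+\]", value):
        out.append(Finding("empty_run_value",
                           f"{key} entry {value} has no command line (leftover from an uninstall?)", line))
    return out


def triage_dds(text):
    """Return the list of Findings for a DDS log, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SERVICE_RE.match(line)
        findings.extend(_service_findings(line, m) if m else _hjt_findings(line))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}")
```

Run it over a saved log with `triage_dds(open("dds.txt").read())`. The PGP entries in this log show why the output is a checklist rather than a removal list: PGP Desktop legitimately registers an AppInit DLL, a Winsock LSP and an LSA password filter, so each hit is something to confirm against the installed product (file signature, install date, vendor) rather than something to delete.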

#2 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 13 November 2010 - 11:43 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 TampaMCSE (Topic Starter, Members, 13 posts)

Posted 16 November 2010 - 08:45 AM

etavares,

Thanks for taking the time to review everything. I know how busy everyone is, including me, so I understand about the time delay.

I don't think I have resolved the original problem. I am still having noticeable delays when opening and saving data with either Notepad +, Excel or other programs. I also notice an unusual amount of hard drive activity, and during Read/Write actions the CPU gauges on my Sidebar are hitting 100% on both processors. When I first noticed the problem I checked Task Manager and noticed two processes running: COM Surrogate (dllhost.exe) and RunDLL32.exe (rundll32.exe). When I kill the process, everything starts up much faster. I have looked with Autoruns and cannot find what is using these two processes. Hopefully you are better at finding it than I am.

Last weekend, I physically removed the hard drives and scanned them with another laptop. On both drives I found a variety of trojan agents and droppers and some spyware. Sorry, I don't have the log file right now of what was found.

I have run the OTL tool and have one log file, but your instructions mention two files. Do I need to run it again?

I have run the Defogger and GMER. When I ran GMER, all the scan options on the right side were greyed out, except for Services, Registry and Files. Should I have run this in Safe Mode?

=========================== OTL LOG ========================

OTL logfile created on: 11/16/2010 7:50:47 AM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\David Potter\Downloads\BleepinComputer
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free
12.00 Gb Paging File | 10.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): c:\pagefile.sys 0 0g:\pagefile.sys 4096 7103 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 286.37 Gb Total Space | 164.59 Gb Free Space | 57.48% Space Free | Partition Type: NTFS
Drive D: | 291.09 Gb Total Space | 118.34 Gb Free Space | 40.65% Space Free | Partition Type: NTFS
Drive G: | 7.00 Gb Total Space | 2.94 Gb Free Space | 41.95% Space Free | Partition Type: NTFS
Drive K: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive M: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive N: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive O: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive P: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive Q: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive S: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive T: | 57.81 Gb Total Space | 47.06 Gb Free Space | 81.41% Space Free | Partition Type: NTFS
Drive U: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive V: | 57.81 Gb Total Space | 47.06 Gb Free Space | 81.41% Space Free | Partition Type: NTFS
Drive W: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive X: | 56.14 Gb Total Space | 8.77 Gb Free Space | 15.63% Space Free | Partition Type: NTFS
Drive Y: | 70.73 Gb Total Space | 23.80 Gb Free Space | 33.66% Space Free | Partition Type: NTFS

Computer Name: POTTERGATEWAY | User Name: David Potter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/16 07:48:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\David Potter\Downloads\BleepinComputer\OTL.exe
PRC - [2010/11/05 09:34:27 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2010/11/05 09:34:26 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/11/05 09:34:26 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/04/16 07:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/04/01 13:56:44 | 000,135,288 | ---- | M] (PGP Corporation) -- C:\Windows\SysWOW64\PGPserv.exe
PRC - [2009/12/21 07:00:50 | 000,081,920 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
PRC - [2008/04/15 20:54:42 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/04/15 20:54:40 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/03/14 12:09:56 | 002,938,184 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2008/01/22 19:13:08 | 000,288,072 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2008/01/09 09:38:44 | 000,288,072 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
PRC - [2007/10/29 13:30:14 | 000,278,528 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2007/10/04 17:39:42 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe


========== Modules (SafeList) ==========

MOD - [2010/11/16 07:48:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\David Potter\Downloads\BleepinComputer\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2010/04/01 13:56:44 | 000,064,120 | ---- | M] (PGP Corporation) -- C:\Windows\SysWOW64\PGPmapih.dll
MOD - [2010/02/14 01:53:56 | 000,210,432 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\RTSUltraMonHookX32.dll
MOD - [2010/02/14 01:52:06 | 000,325,120 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\UltraMonResButtons.dll
MOD - [2009/04/11 01:28:21 | 002,241,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msi.dll
MOD - [2009/04/11 01:21:38 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\GdiPlus.dll
MOD - [2008/01/20 21:49:15 | 000,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sfc_os.dll
MOD - [2006/11/02 04:46:13 | 000,004,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sfc.dll
MOD - [2006/11/02 04:46:07 | 000,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msiltcfg.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/08/26 16:25:34 | 000,270,200 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysNative\U2VSvr.exe -- (U2VSvr)
SRV:64bit: - [2008/10/20 11:33:24 | 000,733,544 | ---- | M] (DisplayLink Corp.) [On_Demand | Stopped] -- C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe -- (DisplayLinkService)
SRV:64bit: - [2008/08/20 13:01:26 | 000,024,576 | ---- | M] (Stonestreet One) [On_Demand | Stopped] -- C:\Program Files\Wireless USB Manager\WiCenterService.exe -- (WiCenterService)
SRV:64bit: - [2008/07/16 17:00:00 | 000,024,576 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe -- (ETService)
SRV:64bit: - [2008/05/07 18:29:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Disabled | Stopped] -- C:\Windows\SysNative\Crypserv.exe -- (Crypkey License)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2007/11/07 08:11:22 | 004,466,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90)
SRV:64bit: - [2007/10/18 17:37:22 | 000,412,672 | ---- | M] (Conexant Systems, Inc.) [Disabled | Stopped] -- C:\Windows\SysNative\DRIVERS\xaudio64.exe -- (XAudioService)
SRV:64bit: - [2006/11/02 06:16:05 | 000,046,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\rundll32.exe -- (yksvc)
SRV - [2010/11/05 09:34:27 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/11/05 09:34:26 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/04/16 07:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/04/01 13:56:44 | 000,135,288 | ---- | M] (PGP Corporation) [Auto | Running] -- C:\Windows\SysWOW64\PGPserv.exe -- (PGPserv)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/12 09:57:44 | 000,185,640 | ---- | M] (TeamViewer GmbH) [On_Demand | Stopped] -- C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe -- (TeamViewer5)
SRV - [2009/07/07 09:44:10 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/03/23 04:35:14 | 000,185,640 | ---- | M] (TeamViewer GmbH) [On_Demand | Stopped] -- C:\Program Files (x86)\TeamViewer\Version4\TeamViewer_Service.exe -- (TeamViewer4)
SRV - [2009/03/12 08:27:14 | 001,544,768 | ---- | M] (UltraVNC) [On_Demand | Stopped] -- C:\Users\David Potter\Downloads\UltraVNC_105_binX64\winvnc.exe -- (uvnc_service)
SRV - [2008/08/06 10:34:54 | 000,291,296 | ---- | M] () [On_Demand | Stopped] -- D:\Program Files\Macrium\Reflect\ReflectService.exe -- (ReflectService)
SRV - [2008/05/28 09:07:12 | 000,092,656 | ---- | M] () [Disabled | Stopped] -- D:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe -- (CEEBC40A-FDED-4C59-B354-939132350B01)
SRV - [2008/05/09 15:35:48 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION) [On_Demand | Stopped] -- C:\Program Files (x86)\EPSON Projector\EMP NS Connection V2\EMP_NSWLSV.exe -- (EMP_NSWLSV)
SRV - [2008/05/05 17:25:46 | 000,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/04/15 20:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/03/18 15:52:32 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2007/12/21 12:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/09/28 15:06:42 | 000,168,296 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/08/30 19:06:56 | 002,471,280 | ---- | M] (Seagull Scientific) [On_Demand | Stopped] -- C:\Program Files (x86)\Seagull\BarTender\8.0\CmdrSrv.exe -- (Commander Service)
SRV - [2007/02/12 03:43:44 | 000,065,536 | ---- | M] (O2Micro International) [On_Demand | Stopped] -- C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe -- (o2flash)
SRV - [2006/11/09 14:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\OEM\factory\WisINT15.SYS -- (WisINT15)
DRV:64bit: - File not found [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV:64bit: - File not found [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - [2010/11/05 09:34:27 | 000,081,584 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\DRIVERS\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2010/07/12 13:36:10 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2010/04/16 07:33:36 | 000,050,176 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2010/04/01 13:56:44 | 000,169,592 | ---- | M] (PGP Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\Drivers\PGPfsfd.sys -- (pgpfs)
DRV:64bit: - [2010/04/01 13:56:44 | 000,050,296 | ---- | M] (PGP Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\Drivers\PGPsdk.sys -- (PGPsdkDriver)
DRV:64bit: - [2010/04/01 13:56:44 | 000,014,456 | ---- | M] (PGP Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\DRIVERS\Pgpwdefs.sys -- (Pgpwdefs)
DRV:64bit: - [2010/03/02 11:35:01 | 000,116,568 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\avipbb.sys -- (avipbb)
DRV:64bit: - [2010/02/03 08:43:13 | 000,087,384 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV:64bit: - [2009/12/28 15:36:00 | 000,128,384 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\t1pusb64.sys -- (t1pusb64)
DRV:64bit: - [2009/12/28 12:58:56 | 000,032,896 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\T1PMrGrp64.sys -- (T1PMrGrp64)
DRV:64bit: - [2009/12/09 17:55:06 | 000,030,336 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\T1PExGrp64.sys -- (T1PExGrp64)
DRV:64bit: - [2009/12/03 06:00:00 | 000,103,224 | ---- | M] (WIBU-SYSTEMS AG) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\WibuKey64.sys -- (WIBUKEY)
DRV:64bit: - [2009/09/30 19:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/09 00:14:20 | 000,015,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\NuidFltr.sys -- (NuidFltr)
DRV:64bit: - [2009/03/08 22:00:57 | 000,868,848 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\sptd.sys -- (sptd)
DRV:64bit: - [2008/12/22 12:47:38 | 000,065,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2008/12/17 21:46:12 | 000,533,760 | ---- | M] (Digital Camera) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\Drivers\Ca1528av.sys -- (Ca1528av)
DRV:64bit: - [2008/10/20 11:33:57 | 000,310,896 | ---- | M] (DisplayLink Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dlkmd.sys -- (dlkmd)
DRV:64bit: - [2008/10/20 11:33:57 | 000,016,896 | ---- | M] (http://libusb-win32.sourceforge.net) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\DisplayLinkUsbPort.sys -- (DisplayLinkUsbPort)
DRV:64bit: - [2008/10/20 11:33:57 | 000,013,424 | ---- | M] (DisplayLink Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\dlkmdldr.sys -- (dlkmdldr)
DRV:64bit: - [2008/08/21 09:11:36 | 000,648,320 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\emBDA64.sys -- (USB28xxBGA)
DRV:64bit: - [2008/08/21 09:11:36 | 000,392,320 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\emOEM64.sys -- (USB28xxOEM)
DRV:64bit: - [2008/07/30 15:20:50 | 000,083,760 | ---- | M] (Stonestreet One) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\SS1USBPAL.SYS -- (SS1USBPAL)
DRV:64bit: - [2008/07/30 15:16:02 | 000,203,056 | ---- | M] (Stonestreet One) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\SS1PALHWA.SYS -- (SS1PALHWA)
DRV:64bit: - [2008/07/24 17:46:08 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV:64bit: - [2008/07/24 17:45:20 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\lmimirr.sys -- (lmimirr)
DRV:64bit: - [2008/07/24 13:03:00 | 000,392,192 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64)
DRV:64bit: - [2008/07/01 17:18:42 | 000,022,832 | ---- | M] (Stonestreet One) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\SS1CBAFDV.SYS -- (SS1CBAFDV)
DRV:64bit: - [2008/06/28 22:43:02 | 000,014,848 | ---- | M] (SunPlus) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\Bulk1528.sys -- (Bulk1528)
DRV:64bit: - [2008/06/26 19:24:20 | 000,020,520 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV:64bit: - [2008/06/11 20:29:30 | 000,051,800 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\o2sdx64.sys -- (O2SDRDR)
DRV:64bit: - [2008/06/02 02:50:04 | 000,264,192 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2008/05/12 23:48:38 | 000,062,424 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\o2mdx64.sys -- (O2MDRDR)
DRV:64bit: - [2008/05/06 15:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wdcsam64.sys -- (WDC_SAM)
DRV:64bit: - [2008/04/27 17:38:12 | 004,730,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\NETw5v64.sys -- (NETw5v64) Intel®
DRV:64bit: - [2008/04/15 20:54:16 | 000,388,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\iaStor.sys -- (iaStor)
DRV:64bit: - [2008/03/25 18:51:16 | 001,487,872 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2008/03/25 18:47:06 | 000,294,400 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2008/03/25 18:45:44 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2008/03/25 15:24:44 | 000,165,760 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\tosrfbd.sys -- (tosrfbd)
DRV:64bit: - [2008/03/25 12:54:26 | 000,049,152 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\tosporte.sys -- (tosporte)
DRV:64bit: - [2008/03/19 10:38:46 | 000,088,192 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Tosrfhid.sys -- (Tosrfhid)
DRV:64bit: - [2008/03/17 12:12:26 | 000,028,664 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\ckldrv.sys -- (NetworkX)
DRV:64bit: - [2008/02/14 09:41:14 | 000,044,800 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xvgausb64.sys -- (xVGAUSB64)
DRV:64bit: - [2008/01/22 19:58:12 | 000,056,320 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tosrfsnd.sys -- (TosRfSnd)
DRV:64bit: - [2008/01/20 21:46:57 | 000,286,720 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VSTAZL6.SYS -- (HSFHWAZL)
DRV:64bit: - [2008/01/20 21:46:57 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2008/01/20 21:46:55 | 000,111,104 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
DRV:64bit: - [2008/01/17 22:31:30 | 000,320,560 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
DRV:64bit: - [2007/11/29 08:45:58 | 000,044,800 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\tosrfbnp.sys -- (tosrfbnp)
DRV:64bit: - [2007/10/18 17:37:10 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\xaudio64.sys -- (XAudio)
DRV:64bit: - [2007/10/18 13:25:00 | 000,051,328 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\tosrfusb.sys -- (Tosrfusb)
DRV:64bit: - [2007/10/02 10:43:08 | 000,076,160 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\tosrfcom.sys -- (Tosrfcom)
DRV:64bit: - [2007/03/15 10:04:50 | 000,016,384 | ---- | M] (SerComm) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nusbhst.sys -- (nusbhost)
DRV:64bit: - [2007/03/08 21:19:00 | 000,012,800 | ---- | M] (GARMIN Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\grmnusb.sys -- (grmnusb)
DRV:64bit: - [2006/11/02 15:01:26 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Running] -- C:\Windows\SysNative\Drivers\SSPORT.sys -- (SSPORT)
DRV:64bit: - [2006/11/02 11:27:00 | 000,054,072 | ---- | M] (Samsung Electronics) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\Drivers\DgiVecp.sys -- (DgiVecp)
DRV:64bit: - [2006/09/18 16:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2006/06/19 00:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV:64bit: - [2005/07/13 05:43:00 | 000,028,160 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\tosrfnds.sys -- (tosrfnds)
DRV - [2008/11/14 01:11:42 | 000,020,512 | ---- | M] (Realtime Soft Ltd) [Kernel | Auto | Running] -- C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys -- (UltraMonUtility)
DRV - [2008/07/16 16:56:06 | 000,017,952 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysWOW64\drivers\int15_64.sys -- (int15)
DRV - [2008/02/14 09:41:14 | 000,044,800 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\xVGAUSB64.sys -- (xVGAUSB64)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=0209&m=p-7805u&c=BB
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=0209&m=p-7805u&c=BB


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7C 53 89 19 B5 BD CA 01 [binary data]
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2865923304-96210281-3424886279-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com|http://www.ar15.com/forums/forum.html?b=10&f=17|http://hisz.rsoe.hu/alertmap/index2.php?area=usa&lang=eng|http://www.alpharubicon.com/mrpoyz-cgi-bin/rubicon/entrance.cgi|http://www.instructables.com/"
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.4.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {398e77b8-2304-11dc-8314-0800200c9a66}:0.3.13
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files (x86)\mozilla firefox\components [2010/08/24 07:35:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files (x86)\mozilla firefox\plugins [2010/08/24 07:35:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2010/06/11 13:25:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2010/09/30 08:51:23 | 000,000,000 | ---D | M]

[2010/01/24 19:42:02 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Mozilla\Extensions
[2010/01/24 19:42:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\David Potter\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/03/11 09:29:50 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Mozilla\Extensions_old
[2009/03/11 09:29:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\David Potter\AppData\Roaming\Mozilla\Extensions_old\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/11/14 16:14:37 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\extensions
[2009/06/12 08:57:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/22 11:36:09 | 000,000,000 | ---D | M] (Minimap Addon) -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\extensions\{398e77b8-2304-11dc-8314-0800200c9a66}
[2009/08/26 07:23:15 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/06/23 08:36:57 | 000,000,000 | ---D | M] (IE Tab) -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/07/02 07:49:53 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2009/08/06 07:45:59 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\extensions\firebug@software.joehewitt.com
[2009/02/06 13:12:47 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles_old\f2q3unu0.default\extensions
[2009/03/11 09:29:50 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox_old\Profiles\7to0cjlc.default\extensions
[2010/03/09 12:32:24 | 000,001,819 | ---- | M] () -- C:\Users\David Potter\AppData\Roaming\Mozilla\Firefox\Profiles\bxuv4b3w.default\searchplugins\bing.xml
[2010/11/13 17:24:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions
[2010/07/20 07:46:42 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files (x86)\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/07/20 08:30:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/18 08:12:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2009/11/05 15:40:15 | 000,393,216 | ---- | M] (Invenda Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll
[2009/11/19 16:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll
[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2009/11/19 16:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2006/09/18 16:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - Startup: C:\Users\David Potter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2010/07/29 08:42:24 | 000,000,000 | -H-D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8:64bit: - Extra context menu item: Edit with Altova X&MLSpy - D:\Program Files (x86)\Altova\XMLSpy2010\spy.htm ()
O8 - Extra context menu item: Edit with Altova X&MLSpy - D:\Program Files (x86)\Altova\XMLSpy2010\spy.htm ()
O9 - Extra Button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - D:\Program Files (x86)\Altova\XMLSpy2010\spy.htm ()
O9 - Extra 'Tools' menuitem : Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - D:\Program Files (x86)\Altova\XMLSpy2010\spy.htm ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysNative\PGPlsp.dll (PGP Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\SysNative\PGPlsp.dll (PGP Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWow64\PGPlsp.dll (PGP Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\SysWow64\PGPlsp.dll (PGP Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} Reg Error: Key error. (KClient.ActiveX.1)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} http://support.gateway.com/support/serialharvest/gwCID.CAB (compid Class)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39905.3250810185 (Update Class)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.56.7 4.2.2.1
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20 - AppInit_DLLs: (PGPmapih.dll) - C:\Windows\SysWow64\PGPmapih.dll (PGP Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O22:64bit: - SharedTaskScheduler: {1984DD45-52CF-49cd-AB77-18F378FEA264} - FencesShellExt - C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll (Stardock)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/05/07 14:12:19 | 000,000,000 | ---D | M] - S:\autorun -- [ NTFS ]
O32 - AutoRun File - [2007/09/26 14:10:08 | 000,052,224 | ---- | M] () - Y:\AUTO ClaimForm bLANK.doc -- [ NTFS ]
O32 - AutoRun File - [2005/08/08 12:50:40 | 000,042,496 | ---- | M] () - Y:\AUTO ClaimForm.doc -- [ NTFS ]
O33 - MountPoints2\{030f6f36-2808-11df-ac9b-001bdc0ff1ba}\Shell\AutoRun\command - "" = H:\InstallSeagateManager.exe -- File not found
O33 - MountPoints2\{030f6f3a-2808-11df-ac9b-001bdc0ff1ba}\Shell\AutoRun\command - "" = setup.exe
O33 - MountPoints2\{0982e55b-a47d-11df-8e39-001bdc0ff1ba}\Shell\AutoRun\command - "" = I:\Get_Started_for_Win.exe -- File not found
O33 - MountPoints2\{0af2769c-12a9-11de-96d7-001d72f1dd57}\Shell\AutoRun\command - "" = H:\StartPortableApps.exe -- File not found
O33 - MountPoints2\{408c3384-09b5-11df-815d-001bdc0ff1ba}\Shell - "" = AutoRun
O33 - MountPoints2\{408c3384-09b5-11df-815d-001bdc0ff1ba}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{5b562342-3953-11df-a057-001d72f1dd57}\Shell\AutoRun\command - "" = H:\SETUP.EXE -- File not found
O33 - MountPoints2\{5b562342-3953-11df-a057-001d72f1dd57}\Shell\configure\command - "" = H:\SETUP.EXE -- File not found
O33 - MountPoints2\{5b562342-3953-11df-a057-001d72f1dd57}\Shell\install\command - "" = H:\SETUP.EXE -- File not found
O33 - MountPoints2\{c26d73cd-11c4-11de-b789-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{c26d73cd-11c4-11de-b789-806e6f6e6963}\Shell\AutoRun\command - "" = F:\mri.exe -- File not found
O33 - MountPoints2\{e19a5194-1c94-11df-a066-001d72f1dd57}\Shell - "" = AutoRun
O33 - MountPoints2\{e19a5194-1c94-11df-a066-001d72f1dd57}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{e79b1b16-30f8-11df-b8ba-001bdc0ff1ba}\Shell - "" = AutoRun
O33 - MountPoints2\{e79b1b16-30f8-11df-b8ba-001bdc0ff1ba}\Shell\AutoRun\command - "" = I:\WD SmartWare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


MsConfig:64bit - Services: "aspnet_state"
MsConfig:64bit - Services: "CEEBC40A-FDED-4C59-B354-939132350B01"
MsConfig:64bit - StartUpReg: Desktop Software - hkey= - key= - C:\Program Files (x86)\Common Files\supportsoft\bin\bcont.exe File not found
MsConfig:64bit - StartUpReg: IndexSearch - hkey= - key= - C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe (Nuance Communications, Inc.)
MsConfig:64bit - StartUpReg: LogMeIn GUI - hkey= - key= - D:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe File not found
MsConfig:64bit - StartUpReg: PaperPort PTD - hkey= - key= - C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe (Nuance Communications, Inc.)
MsConfig:64bit - StartUpReg: PPort11reminder - hkey= - key= - C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)
MsConfig:64bit - StartUpReg: SSBkgdUpdate - hkey= - key= - C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
MsConfig:64bit - State: "startup" - Reg Error: Key error.

Drivers32:64bit: aux - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi2 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi3 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi4 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midimapper - midimap.dll (Microsoft Corporation)
Drivers32:64bit: mixer - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer2 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer3 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer4 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: msacm.imaadpcm - imaadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: msacm.msadpcm - msadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msg711 - msg711.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msgsm610 - msgsm32.acm (Microsoft Corporation)
Drivers32:64bit: MSVideo8 - VfWWDM32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.I420 - File not found
Drivers32:64bit: VIDC.IYUV - iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.mrle - msrle32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.msvc - msvidc32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.SP54 - File not found
Drivers32:64bit: VIDC.SP55 - File not found
Drivers32:64bit: VIDC.SP56 - File not found
Drivers32:64bit: VIDC.SP57 - File not found
Drivers32:64bit: VIDC.SP58 - File not found
Drivers32:64bit: VIDC.UYVY - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YUY2 - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YVU9 - tsbyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YVYU - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: wave - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave2 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave3 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave4 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wavemapper - msacm32.drv (Microsoft Corporation)
Drivers32: aux - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi2 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi3 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi4 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\Windows\SysWow64\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer2 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer3 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer4 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.clmp3enc - C:\Program Files (x86)\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
Drivers32: msacm.imaadpcm - C:\Windows\SysWow64\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\SysWow64\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\Windows\SysWow64\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\Windows\SysWow64\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\Windows\SysWow64\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\Windows\SysWow64\sirenacm.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\SysWow64\DivX.dll (DivX, Inc.)
Drivers32: vidc.i420 - C:\Windows\SysWow64\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.iyuv - C:\Windows\SysWow64\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\Windows\SysWow64\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\Windows\SysWow64\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.SP40 - C:\Windows\SysWow64\sp40_32.dll (Microsoft Corporation)
Drivers32: VIDC.SP41 - C:\Windows\SysWow64\sp4x_32.dll (Microsoft Corporation)
Drivers32: VIDC.SP42 - C:\Windows\SysWow64\sp4x_32.dll (Microsoft Corporation)
Drivers32: VIDC.SP43 - C:\Windows\SysWow64\sp4x_32.dll (Microsoft Corporation)
Drivers32: VIDC.SP44 - C:\Windows\SysWow64\sp4x_32.dll (Microsoft Corporation)
Drivers32: VIDC.SP45 - C:\Windows\SysWow64\sp4x_32.dll (Microsoft Corporation)
Drivers32: VIDC.SP46 - C:\Windows\SysWow64\sp4x_32.dll (Microsoft Corporation)
Drivers32: VIDC.SP47 - C:\Windows\SysWow64\sp4x_32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\Windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\Windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\Windows\SysWow64\DivX.dll (DivX, Inc.)
Drivers32: vidc.yvu9 - C:\Windows\SysWow64\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\Windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave2 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave3 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave4 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\Windows\SysWow64\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/11/12 22:33:42 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/11/11 17:13:06 | 000,000,000 | ---D | C] -- C:\Users\David Potter\Desktop\PDF Files To Convert
[2010/11/08 15:47:51 | 000,000,000 | ---D | C] -- C:\Users\David Potter\Documents\Tharo
[2010/11/08 15:47:34 | 000,000,000 | ---D | C] -- C:\Users\David Potter\AppData\Roaming\Tharo
[2010/11/08 15:46:09 | 002,450,432 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WibuKe64.cpl
[2010/11/08 15:45:57 | 000,022,016 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WkWin64.les
[2010/11/08 15:45:57 | 000,022,016 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkWin32.les
[2010/11/08 15:45:57 | 000,022,016 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkWin32.lbr
[2010/11/08 15:45:57 | 000,021,504 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkWin32.lit
[2010/11/08 15:45:57 | 000,020,992 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WkWin64.ljp
[2010/11/08 15:45:57 | 000,020,992 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkWin32.ljp
[2010/11/08 15:45:57 | 000,015,360 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WkWin64.lcn
[2010/11/08 15:45:57 | 000,015,360 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkWin32.lcn
[2010/11/08 15:45:56 | 000,451,584 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WibuXpm4J64.dll
[2010/11/08 15:45:56 | 000,430,080 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\wibuKJni64.dll
[2010/11/08 15:45:56 | 000,418,304 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WkExt64.dll
[2010/11/08 15:45:56 | 000,356,352 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WibuXpm4J32.dll
[2010/11/08 15:45:56 | 000,333,824 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkExt32.dll
[2010/11/08 15:45:56 | 000,022,528 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WkWin64.lde
[2010/11/08 15:45:56 | 000,022,528 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkWin32.lde
[2010/11/08 15:45:56 | 000,022,016 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WkWin64.lfr
[2010/11/08 15:45:56 | 000,022,016 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkWin32.lfr
[2010/11/08 15:45:56 | 000,021,504 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WkWin64.lit
[2010/11/08 15:45:54 | 000,344,576 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\wibuKJni.dll
[2010/11/08 15:45:11 | 000,016,896 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\drivers\Wibukey2_64.sys
[2010/11/08 15:45:09 | 000,169,984 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\WkWin64.dll
[2010/11/08 15:45:09 | 000,150,528 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysWow64\WkWin32.dll
[2010/11/08 15:45:09 | 000,103,224 | ---- | C] (WIBU-SYSTEMS AG) -- C:\Windows\SysNative\drivers\WibuKey64.sys
[2010/11/08 15:44:57 | 000,000,000 | ---D | C] -- C:\Program Files\WIBU-SYSTEMS
[2010/11/08 15:44:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WIBU-SYSTEMS
[2010/11/08 15:44:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WIBUKEY
[2010/11/08 15:44:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Tharo
[2010/11/04 10:23:37 | 000,000,000 | ---D | C] -- C:\Users\David Potter\Documents\MMX
[2010/10/26 21:13:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Geek Squad
[2010/10/24 20:04:25 | 000,000,000 | ---D | C] -- C:\Users\David Potter\AppData\Roaming\JAM Software
[1 C:\Users\David Potter\AppData\Local\*.tmp files -> C:\Users\David Potter\AppData\Local\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/16 07:47:06 | 000,872,710 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/11/16 07:47:06 | 000,722,542 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/11/16 07:47:06 | 000,150,806 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/11/16 07:45:01 | 000,000,910 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/16 07:42:01 | 000,002,399 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\UltraMon.lnk
[2010/11/16 07:41:32 | 008,400,848 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/11/16 07:41:24 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/16 07:39:51 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/16 07:39:51 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/11/16 07:39:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/11/15 17:37:39 | 000,000,579 | ---- | M] () -- C:\Users\David Potter\Desktop\Breaking News Latest News Current News - FOXNews.com.url
[2010/11/15 17:34:58 | 000,001,726 | -H-- | M] () -- C:\Users\David Potter\Documents\Default.rdp
[2010/11/15 16:55:59 | 000,002,571 | ---- | M] () -- C:\Users\David Potter\Desktop\Food Storage Planner.lnk
[2010/11/15 15:56:33 | 000,002,656 | ---- | M] () -- C:\Users\David Potter\Desktop\Deep Winter.url
[2010/11/15 15:40:35 | 000,032,925 | ---- | M] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-15-10.pdf
[2010/11/15 15:30:24 | 000,002,121 | ---- | M] () -- C:\Users\David Potter\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/11/15 15:28:07 | 000,011,316 | ---- | M] () -- C:\Users\David Potter\Documents\MWM_52089.pdf
[2010/11/15 12:59:31 | 000,000,034 | -H-- | M] () -- C:\Windows\sys2111
[2010/11/15 12:59:31 | 000,000,034 | -H-- | M] () -- C:\Windows\stmp718
[2010/11/15 12:59:31 | 000,000,034 | -H-- | M] () -- C:\Windows\kds100
[2010/11/15 12:59:31 | 000,000,034 | -H-- | M] () -- C:\Windows\drvr192
[2010/11/15 12:58:41 | 000,002,535 | ---- | M] () -- C:\Users\David Potter\Desktop\BarTender.lnk
[2010/11/14 14:25:28 | 008,400,848 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/11/13 00:11:07 | 000,000,318 | ---- | M] () -- C:\Users\David Potter\Desktop\Hello world from HandyBobSolar! « HandyBob's Blog.url
[2010/11/12 23:41:21 | 002,740,224 | ---- | M] () -- C:\Users\David Potter\Desktop\EDI_Batch_Log_local.xls
[2010/11/12 13:51:01 | 000,000,236 | ---- | M] () -- C:\Users\David Potter\Desktop\The Daily Beck- Watch The Glenn Beck Show- November 11th, 2010 Puppet Master Exposed The Final Chapter.url
[2010/11/12 13:22:26 | 000,007,119 | ---- | M] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-12-10.pdf
[2010/11/12 10:08:26 | 000,000,211 | ---- | M] () -- C:\Users\David Potter\Desktop\Google.url
[2010/11/11 11:52:00 | 010,727,667 | ---- | M] () -- C:\Users\David Potter\Documents\TRANSACREGISTER JAN2009.pdf
[2010/11/11 11:03:12 | 000,013,118 | ---- | M] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-11.pdf
[2010/11/10 22:44:45 | 304,880,466 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/11/10 15:59:25 | 000,060,416 | ---- | M] () -- C:\Users\David Potter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/10 13:12:25 | 000,019,188 | ---- | M] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-10-10.pdf
[2010/11/10 13:01:29 | 000,025,602 | ---- | M] () -- C:\Users\David Potter\Documents\MWM_52072.pdf
[2010/11/10 12:39:31 | 000,011,236 | ---- | M] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-10.pdf
[2010/11/10 09:51:56 | 000,000,284 | ---- | M] () -- C:\Users\David Potter\Desktop\10 - Circuit 30a Transfer Switch With Bonus Trim Kit, Tools, Ct El at Sportsman's Guide.url
[2010/11/09 13:36:15 | 000,015,489 | ---- | M] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-09-10.pdf
[2010/11/09 12:41:14 | 000,005,956 | ---- | M] () -- C:\Users\David Potter\Documents\Remove_Health_Monitor.pdf
[2010/11/09 12:00:29 | 000,017,175 | ---- | M] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-9.pdf
[2010/11/09 09:26:44 | 000,036,355 | ---- | M] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10 Tampa.pdf
[2010/11/09 09:26:26 | 000,036,270 | ---- | M] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10 Milan.pdf
[2010/11/09 09:26:07 | 000,036,393 | ---- | M] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10 Tville.pdf
[2010/11/09 09:25:48 | 000,036,546 | ---- | M] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10 Miami.pdf
[2010/11/09 09:25:27 | 000,068,491 | ---- | M] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10.pdf
[2010/11/08 23:30:59 | 000,000,291 | ---- | M] () -- C:\Users\David Potter\Desktop\30310A Pro-Tran Product Details Reliance Controls Corporation.url
[2010/11/08 16:14:38 | 000,054,509 | ---- | M] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-08-10.pdf
[2010/11/08 15:44:26 | 000,001,853 | ---- | M] () -- C:\Users\Public\Desktop\EASYLABEL.lnk
[2010/11/08 11:27:29 | 000,011,167 | ---- | M] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-8mod.pdf
[2010/11/08 11:03:49 | 000,030,882 | ---- | M] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-8.pdf
[2010/11/05 12:47:28 | 000,034,923 | ---- | M] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-05-10.pdf
[2010/11/05 09:34:27 | 000,081,584 | ---- | M] (Avira GmbH) -- C:\Windows\SysNative\drivers\avgntflt.sys
[2010/11/05 09:29:54 | 000,002,413 | ---- | M] () -- C:\Users\David Potter\Desktop\Skype.lnk
[2010/11/04 13:02:49 | 000,024,186 | ---- | M] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-04-10.pdf
[2010/11/04 07:36:43 | 001,136,330 | ---- | M] () -- C:\Users\David Potter\Documents\Acronis_2011_Image_Instructions.pdf
[2010/11/03 14:45:30 | 000,010,463 | ---- | M] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-03-10.pdf
[2010/11/03 11:30:08 | 000,026,439 | ---- | M] () -- C:\Users\David Potter\Documents\HF_Packing_Slip.pdf
[2010/11/03 08:11:11 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\LogConfigTemp.xml
[2010/11/02 15:28:29 | 000,091,648 | ---- | M] () -- C:\Users\David Potter\Documents\Blank_Check_Formatter.xls
[2010/11/02 14:33:30 | 000,000,314 | ---- | M] () -- C:\Users\David Potter\Desktop\WSRZ-FM Player.url
[2010/10/29 10:37:41 | 000,000,271 | ---- | M] () -- C:\Users\David Potter\Desktop\Inverter Fuses & Breakers.url
[2010/10/29 10:31:47 | 000,001,609 | ---- | M] () -- C:\Users\David Potter\Desktop\Armageddon Medicine - How to be your own doctor in 2012 and beyond.url
[2010/10/28 14:43:04 | 000,000,817 | ---- | M] () -- C:\Users\David Potter\Desktop\procexp.exe - Shortcut.lnk
[2010/10/28 11:25:20 | 000,000,223 | ---- | M] () -- C:\Users\David Potter\Desktop\Welcome to OTHERPOWER.COM.url
[2010/10/28 11:20:17 | 000,001,011 | ---- | M] () -- C:\Users\David Potter\Desktop\TeamViewer 5.lnk
[2010/10/28 11:20:13 | 000,001,011 | ---- | M] () -- C:\Users\David Potter\Desktop\TeamViewer 4.lnk
[2010/10/27 14:07:46 | 000,000,292 | ---- | M] () -- C:\Users\David Potter\Desktop\UPSProblems UPS Technical Problems-Issues-Questions.url
[2010/10/26 21:17:58 | 000,000,925 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
[2010/10/26 12:38:10 | 000,545,280 | ---- | M] () -- C:\Users\David Potter\Desktop\dds.scr
[2010/10/26 12:19:34 | 000,001,460 | ---- | M] () -- C:\Users\David Potter\AppData\Local\d3d9caps64.dat
[2010/10/26 08:56:09 | 000,012,055 | ---- | M] () -- C:\Users\David Potter\Documents\Page7.pdf
[2010/10/25 08:22:16 | 000,000,281 | ---- | M] () -- C:\Users\David Potter\Desktop\North to Alaska - TimeBomb 2000.url
[2010/10/21 16:02:10 | 001,441,561 | ---- | M] () -- C:\Users\David Potter\Documents\Atlanta_Inventory.xlsx
[2010/10/21 15:19:23 | 000,207,360 | ---- | M] () -- C:\Users\David Potter\Documents\Stephen Gould of Duluth 7-15-10.xls
[2010/10/20 07:43:21 | 000,360,831 | ---- | M] () -- C:\Users\David Potter\Documents\dl_five_tips_crapware.pdf
[2010/10/19 15:27:18 | 000,054,208 | ---- | M] () -- C:\Users\David Potter\Documents\JMI Voter Guide.pdf
[2010/10/19 14:33:43 | 000,000,246 | ---- | M] () -- C:\Users\David Potter\Desktop\Work of Fiction – EU Trip, Part 1, Days 1-5 SHTeconomy.com.url
[2010/10/19 11:32:36 | 000,159,232 | ---- | M] () -- C:\Users\David Potter\Documents\C Squared Inc 7-15-10.xls
[2010/10/19 10:53:31 | 000,036,889 | ---- | M] () -- C:\Users\David Potter\Documents\WW_12826-99995-020.pdf
[2010/10/18 11:13:43 | 000,001,066 | ---- | M] () -- C:\Users\David Potter\Desktop\Conversations on Life And Limb.url
[2010/10/18 09:00:52 | 000,000,254 | ---- | M] () -- C:\Users\David Potter\Desktop\AfterShock Chapter 1.url
[2010/10/18 07:37:56 | 000,053,760 | ---- | M] () -- C:\Users\David Potter\Documents\ATL_ProdSched2.xls
[2010/10/17 21:52:47 | 000,456,136 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[1 C:\Users\David Potter\AppData\Local\*.tmp files -> C:\Users\David Potter\AppData\Local\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/15 15:40:35 | 000,032,925 | ---- | C] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-15-10.pdf
[2010/11/15 15:28:07 | 000,011,316 | ---- | C] () -- C:\Users\David Potter\Documents\MWM_52089.pdf
[2010/11/13 00:11:02 | 000,000,318 | ---- | C] () -- C:\Users\David Potter\Desktop\Hello world from HandyBobSolar! « HandyBob's Blog.url
[2010/11/12 13:22:26 | 000,007,119 | ---- | C] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-12-10.pdf
[2010/11/11 20:29:24 | 000,000,236 | ---- | C] () -- C:\Users\David Potter\Desktop\The Daily Beck- Watch The Glenn Beck Show- November 11th, 2010 Puppet Master Exposed The Final Chapter.url
[2010/11/11 18:37:57 | 002,740,224 | ---- | C] () -- C:\Users\David Potter\Desktop\EDI_Batch_Log_local.xls
[2010/11/11 11:52:00 | 010,727,667 | ---- | C] () -- C:\Users\David Potter\Documents\TRANSACREGISTER JAN2009.pdf
[2010/11/11 11:03:21 | 000,013,118 | ---- | C] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-11.pdf
[2010/11/10 22:44:45 | 304,880,466 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/11/10 13:12:25 | 000,019,188 | ---- | C] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-10-10.pdf
[2010/11/10 13:01:29 | 000,025,602 | ---- | C] () -- C:\Users\David Potter\Documents\MWM_52072.pdf
[2010/11/10 12:39:39 | 000,011,236 | ---- | C] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-10.pdf
[2010/11/09 13:36:15 | 000,015,489 | ---- | C] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-09-10.pdf
[2010/11/09 12:41:33 | 000,005,956 | ---- | C] () -- C:\Users\David Potter\Documents\Remove_Health_Monitor.pdf
[2010/11/09 12:00:39 | 000,017,175 | ---- | C] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-9.pdf
[2010/11/09 09:26:51 | 000,036,355 | ---- | C] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10 Tampa.pdf
[2010/11/09 09:26:32 | 000,036,270 | ---- | C] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10 Milan.pdf
[2010/11/09 09:26:14 | 000,036,393 | ---- | C] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10 Tville.pdf
[2010/11/09 09:25:55 | 000,036,546 | ---- | C] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10 Miami.pdf
[2010/11/09 09:25:32 | 000,068,491 | ---- | C] () -- C:\Users\David Potter\Documents\Nov MTD 11-5-10 Top 10.pdf
[2010/11/08 23:31:59 | 000,000,284 | ---- | C] () -- C:\Users\David Potter\Desktop\10 - Circuit 30a Transfer Switch With Bonus Trim Kit, Tools, Ct El at Sportsman's Guide.url
[2010/11/08 23:30:59 | 000,000,291 | ---- | C] () -- C:\Users\David Potter\Desktop\30310A Pro-Tran Product Details Reliance Controls Corporation.url
[2010/11/08 16:14:38 | 000,054,509 | ---- | C] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-08-10.pdf
[2010/11/08 15:45:57 | 000,020,480 | ---- | C] () -- C:\Windows\SysNative\WkWin64.lhu
[2010/11/08 15:44:26 | 000,001,853 | ---- | C] () -- C:\Users\Public\Desktop\EASYLABEL.lnk
[2010/11/08 11:27:40 | 000,011,167 | ---- | C] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-8mod.pdf
[2010/11/08 11:04:01 | 000,030,882 | ---- | C] () -- C:\Users\David Potter\Documents\HF_Packing_Slip_11-8.pdf
[2010/11/05 12:47:28 | 000,034,923 | ---- | C] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-05-10.pdf
[2010/11/04 13:02:49 | 000,024,186 | ---- | C] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-04-10.pdf
[2010/11/04 07:37:06 | 001,136,330 | ---- | C] () -- C:\Users\David Potter\Documents\Acronis_2011_Image_Instructions.pdf
[2010/11/03 14:45:30 | 000,010,463 | ---- | C] () -- C:\Users\David Potter\Documents\AAP_RBC_LBX_11-03-10.pdf
[2010/11/03 11:30:16 | 000,026,439 | ---- | C] () -- C:\Users\David Potter\Documents\HF_Packing_Slip.pdf
[2010/11/02 14:33:30 | 000,000,314 | ---- | C] () -- C:\Users\David Potter\Desktop\WSRZ-FM Player.url
[2010/10/29 10:31:47 | 000,001,609 | ---- | C] () -- C:\Users\David Potter\Desktop\Armageddon Medicine - How to be your own doctor in 2012 and beyond.url
[2010/10/28 14:43:04 | 000,000,817 | ---- | C] () -- C:\Users\David Potter\Desktop\procexp.exe - Shortcut.lnk
[2010/10/28 13:24:24 | 000,002,656 | ---- | C] () -- C:\Users\David Potter\Desktop\Deep Winter.url
[2010/10/28 11:20:17 | 000,001,011 | ---- | C] () -- C:\Users\David Potter\Desktop\TeamViewer 5.lnk
[2010/10/28 11:20:13 | 000,001,011 | ---- | C] () -- C:\Users\David Potter\Desktop\TeamViewer 4.lnk
[2010/10/27 14:07:46 | 000,000,292 | ---- | C] () -- C:\Users\David Potter\Desktop\UPSProblems UPS Technical Problems-Issues-Questions.url
[2010/10/26 12:38:07 | 000,545,280 | ---- | C] () -- C:\Users\David Potter\Desktop\dds.scr
[2010/10/26 08:56:21 | 000,012,055 | ---- | C] () -- C:\Users\David Potter\Documents\Page7.pdf
[2010/10/25 08:22:16 | 000,000,281 | ---- | C] () -- C:\Users\David Potter\Desktop\North to Alaska - TimeBomb 2000.url
[2010/10/21 15:20:00 | 000,159,232 | ---- | C] () -- C:\Users\David Potter\Documents\C Squared Inc 7-15-10.xls
[2010/10/21 15:19:38 | 000,034,304 | ---- | C] () -- C:\Users\David Potter\Documents\Stephen Gould of Ala 7-15-10.xls
[2010/10/21 15:19:22 | 000,207,360 | ---- | C] () -- C:\Users\David Potter\Documents\Stephen Gould of Duluth 7-15-10.xls
[2010/10/20 07:43:21 | 000,360,831 | ---- | C] () -- C:\Users\David Potter\Documents\dl_five_tips_crapware.pdf
[2010/10/19 15:27:18 | 000,054,208 | ---- | C] () -- C:\Users\David Potter\Documents\JMI Voter Guide.pdf
[2010/10/19 14:33:43 | 000,000,246 | ---- | C] () -- C:\Users\David Potter\Desktop\Work of Fiction – EU Trip, Part 1, Days 1-5 SHTeconomy.com.url
[2010/10/19 10:53:57 | 000,036,889 | ---- | C] () -- C:\Users\David Potter\Documents\WW_12826-99995-020.pdf
[2010/10/18 07:37:56 | 000,053,760 | ---- | C] () -- C:\Users\David Potter\Documents\ATL_ProdSched2.xls
[2010/08/26 08:03:35 | 000,000,074 | ---- | C] () -- C:\Windows\Crypkey.ini
[2010/08/26 08:03:33 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2010/08/26 08:03:24 | 000,178,176 | ---- | C] () -- C:\Windows\SysWow64\StellarProfile.dll
[2010/08/06 15:46:32 | 000,000,002 | -HS- | C] () -- C:\Users\David Potter\AppData\Roaming\evf2
[2010/07/12 23:52:59 | 000,000,152 | ---- | C] () -- C:\Windows\HRDLog001.INI
[2010/07/10 23:22:55 | 000,004,154 | ---- | C] () -- C:\Users\David Potter\AppData\Roaming\SAS7_000.DAT
[2010/06/28 11:36:07 | 000,201,488 | ---- | C] () -- C:\Windows\SysWow64\MACD32.DLL
[2010/06/28 11:36:07 | 000,144,144 | ---- | C] () -- C:\Windows\SysWow64\MASE32.DLL
[2010/06/28 11:36:07 | 000,141,584 | ---- | C] () -- C:\Windows\SysWow64\MAMC32.DLL
[2010/06/28 11:36:07 | 000,063,248 | ---- | C] () -- C:\Windows\SysWow64\MASD32.DLL
[2010/06/28 11:36:07 | 000,033,040 | ---- | C] () -- C:\Windows\SysWow64\MA32.DLL
[2010/06/21 07:45:19 | 000,430,080 | ---- | C] () -- C:\Windows\SysWow64\UDLL.dll
[2010/06/21 07:45:19 | 000,204,800 | ---- | C] () -- C:\Windows\SysWow64\t1psvr.dll
[2010/06/21 07:45:19 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\mctudll.dll
[2010/06/21 07:37:05 | 000,000,680 | ---- | C] () -- C:\Users\David Potter\AppData\Local\d3d9caps.dat
[2010/05/19 12:38:35 | 000,014,115 | ---- | C] () -- C:\Windows\twspmm.ini
[2010/04/14 13:21:02 | 000,014,379 | ---- | C] () -- C:\Windows\tw5a.ini
[2010/04/14 13:21:02 | 000,000,149 | ---- | C] () -- C:\Windows\Setup5a.ini
[2010/04/11 00:55:23 | 000,000,581 | ---- | C] () -- C:\Windows\avpr.ini
[2010/04/01 13:56:44 | 000,000,280 | ---- | C] () -- C:\Windows\SysWow64\PGPsdk.dll.sig
[2010/03/30 09:40:46 | 000,435,718 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_vcredistMSI10EB.txt
[2010/03/30 09:40:46 | 000,011,690 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_vcredistUI10EB.txt
[2010/02/09 08:52:36 | 000,000,035 | ---- | C] () -- C:\Windows\iltwain.ini
[2010/01/26 22:45:24 | 000,001,460 | ---- | C] () -- C:\Users\David Potter\AppData\Local\d3d9caps64.dat
[2010/01/25 11:58:06 | 000,462,848 | ---- | C] () -- C:\Windows\SysWow64\ractrlkeyhook.dll
[2009/11/17 09:45:03 | 000,031,049 | ---- | C] () -- C:\Users\David Potter\AppData\Roaming\UserTile.png
[2009/07/21 14:25:51 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/07/21 14:25:05 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/07/13 08:19:31 | 000,412,570 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_vcredistMSI7828.txt
[2009/07/13 08:19:31 | 000,011,474 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_vcredistUI7828.txt
[2009/07/07 09:50:07 | 000,000,000 | ---- | C] () -- C:\Windows\3230303930343037.ini
[2009/07/07 09:44:10 | 000,000,000 | ---- | C] () -- C:\Windows\eDrawingOfficeAutomator.INI
[2009/07/07 08:45:20 | 000,000,016 | ---- | C] () -- C:\ProgramData\.7486160831680234
[2009/07/03 22:39:05 | 000,031,567 | ---- | C] () -- C:\Windows\maxlink.ini
[2009/06/25 12:43:32 | 000,741,376 | ---- | C] () -- C:\Users\David Potter\AppData\Local\filesync.metadata
[2009/06/01 16:01:59 | 000,000,000 | ---- | C] () -- C:\Windows\tosOBEX.INI
[2009/03/11 22:50:13 | 000,000,100 | ---- | C] () -- C:\Users\David Potter\AppData\Local\fusioncache.dat
[2009/03/11 12:08:04 | 000,000,032 | ---- | C] () -- C:\Windows\CD_Start64.INI
[2009/03/08 23:11:38 | 000,000,000 | ---- | C] () -- C:\Windows\bartend.INI
[2009/03/08 20:54:10 | 000,060,416 | ---- | C] () -- C:\Users\David Potter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/08 20:26:24 | 000,186,328 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_SqlPubWiz.msi619A.txt
[2009/03/08 20:26:22 | 000,284,670 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_WinSDK_RefInt_x64_MSI6193.txt
[2009/03/08 20:26:18 | 000,549,942 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_WinSDK_NetFxTools_x64_MSI6186.txt
[2009/03/08 20:26:13 | 000,441,336 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_WinSDK_Win32Tools_x64_MSI6173.txt
[2009/03/08 20:25:48 | 005,360,228 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_WinSDK_Build_x64_MSI6124.txt
[2009/03/08 20:25:44 | 000,653,968 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_WinSDK_Tools_x64_MSI6117.txt
[2009/03/08 20:25:16 | 002,487,260 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_CrystalReports2007_x64_MSI60BC.txt
[2009/03/08 20:23:29 | 004,637,534 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_CrystalReports2007_MSI5F5E.txt
[2009/03/08 20:23:22 | 001,250,032 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_RDBG_AMD64_MSI5F47.txt
[2009/03/08 20:22:46 | 000,812,242 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/03/08 20:20:33 | 000,290,028 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_64bitEmulator_MSI5D20.txt
[2009/03/08 20:20:12 | 005,144,776 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_WMSP_5_0_MSI5CDB.txt
[2009/03/08 20:19:44 | 007,059,734 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_WMPPC_5_0_MSI5C80.txt
[2009/03/08 20:19:37 | 000,731,126 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_SSCEDeviceRuntime_MSI5C69.txt
[2009/03/08 20:19:35 | 000,329,004 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_SQLCEToolsForVS2007_MSI5C62.txt
[2009/03/08 20:19:31 | 000,356,252 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_SSCERuntime_MSI5C55.txt
[2009/03/08 20:19:16 | 000,844,658 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_VSTOR_MSI5C24.txt
[2009/03/08 20:19:04 | 001,046,860 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_NETCFSetupv35_MSI5BFD.txt
[2009/03/08 20:18:53 | 001,013,260 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_NETCFSetupv2_MSI5BD9.txt
[2009/03/08 20:09:21 | 051,760,430 | ---- | C] () -- C:\Users\David Potter\AppData\Local\VSMsiLog548D.txt
[2009/03/08 20:08:01 | 002,872,162 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_Dexplorer90_retMSI5388.txt
[2009/03/08 20:07:57 | 000,355,140 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_PreReq_AMD64_MSI537B.txt
[2009/03/08 20:07:54 | 000,841,016 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_VC_MinRed_MSI5371.txt
[2009/03/08 20:05:50 | 000,190,994 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_depcheck_VS_PRO_90.txt
[2009/03/08 20:05:37 | 000,677,484 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_install_vs_procore_90.txt
[2009/03/08 20:05:37 | 000,115,814 | ---- | C] () -- C:\Users\David Potter\AppData\Local\uxeventlog.txt
[2009/03/08 20:05:37 | 000,000,002 | ---- | C] () -- C:\Users\David Potter\AppData\Local\dd_error_vs_procore_90.txt
[2009/03/08 19:53:27 | 000,000,654 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/03/08 19:37:43 | 000,255,344 | ---- | C] () -- C:\Windows\SysWow64\imagxpr3.dll
[2009/03/08 19:37:43 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\Eztw32.dll
[2009/03/08 18:09:03 | 000,000,051 | ---- | C] () -- C:\Windows\tninfo.ini
[2009/02/13 14:16:38 | 008,400,848 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/02/13 14:06:25 | 008,400,848 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/10/07 12:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 12:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2008/06/05 11:58:26 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/01/20 21:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2007/12/21 15:46:32 | 000,118,784 | ---- | C] () -- C:\Windows\SysWow64\TosBtAcc.dll
[2007/12/21 12:27:30 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\DM510.dll
[2007/08/23 11:55:34 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005/07/22 20:30:18 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\TosCommAPI.dll
[2004/05/24 17:04:56 | 000,147,456 | ---- | C] () -- C:\Windows\SysWow64\lttls13n.dll
[2004/05/24 17:03:20 | 000,708,608 | ---- | C] () -- C:\Windows\SysWow64\ltcry13n.dll
[2004/05/24 17:01:02 | 000,118,784 | ---- | C] () -- C:\Windows\SysWow64\lfkodak.dll
[2004/05/24 17:00:48 | 000,338,944 | ---- | C] () -- C:\Windows\SysWow64\lffpx7.dll

========== LOP Check ==========

[2009/11/18 22:51:55 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Adersoft
[2009/03/12 13:31:11 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\CookWare Deluxe 4.2
[2009/03/08 22:08:38 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\DAEMON Tools
[2009/03/08 22:12:26 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\DAEMON Tools Lite
[2009/03/08 22:08:38 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\DAEMON Tools Pro
[2009/11/05 15:40:42 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\E-centives
[2009/07/27 13:21:23 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\fhnetwork.com
[2009/03/22 23:08:36 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\GARMIN
[2009/03/11 08:13:04 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\GlobalSCAPE
[2009/04/02 08:05:16 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\gtopala
[2009/03/08 19:34:48 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\IMSI
[2010/10/24 20:04:25 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\JAM Software
[2010/11/08 08:21:35 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\KeePass
[2009/07/03 22:35:58 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\LinkManager 4.0
[2010/07/10 21:46:35 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Nuance
[2009/07/03 22:50:46 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\OneTouch 4.0
[2009/11/17 09:45:03 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\PeerNetworking
[2009/10/19 19:21:20 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\PGP Corporation
[2009/07/03 22:47:42 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\ScanSoft
[2009/03/26 22:03:03 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Scooter Software
[2009/03/18 12:52:16 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\SDetective
[2010/07/12 23:52:58 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Simon Brown, HB9DRV
[2010/03/07 00:42:57 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Softland
[2009/09/01 12:12:55 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Stardock
[2010/11/02 10:38:49 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\TeamViewer
[2010/11/08 15:47:34 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Tharo
[2010/01/24 19:42:01 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Thunderbird
[2010/01/07 12:09:44 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Toshiba
[2009/03/22 21:28:02 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\TrueCrypt
[2009/12/06 10:11:29 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Wireless Print Server Utiltiy
[2010/06/30 09:46:32 | 000,000,000 | ---D | M] -- C:\Users\David Potter\AppData\Roaming\Zeon
[2010/11/15 17:40:53 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 06:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\dxtmsft.dll
[2009/03/08 06:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\dxtrans.dll
[2006/04/17 10:56:50 | 001,207,808 | ---- | M] (Dmitry Streblechenko) Unable to obtain MD5 -- C:\Windows\SysWOW64\PhoenixDll.dll

< %systemroot%\system32\*.sys /90 >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %SYSTEMDRIVE%\*.* >
[2009/06/03 11:01:53 | 000,001,024 | ---- | M] () -- C:\.rnd
[2007/06/02 12:07:08 | 000,001,601 | ---- | M] () -- C:\agntclient.log
[2010/10/06 15:36:01 | 000,012,996 | ---- | M] () -- C:\bar.emf
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2009/01/12 21:36:02 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2010/08/26 08:05:36 | 000,000,132 | ---- | M] () -- C:\CKINFO.TXT
[2005/01/03 08:37:18 | 000,000,017 | -H-- | M] () -- C:\initrd.pam
[2008/08/25 07:24:04 | 000,000,954 | -H-- | M] () -- C:\IPH.PH
[2006/12/08 13:35:20 | 000,000,067 | -H-- | M] () -- C:\kernel.pam
[2009/02/13 13:49:53 | 000,000,165 | ---- | M] () -- C:\Labelprint.log
[2009/03/06 13:18:09 | 000,132,442 | ---- | M] () -- C:\log.txt
[2010/08/05 08:26:16 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2010/11/16 07:39:26 | 308,232,191 | -HS- | M] () -- C:\pagefile.sys
[2009/02/13 13:51:46 | 000,000,163 | ---- | M] () -- C:\power2go.log
[2007/06/02 11:24:38 | 000,000,000 | -H-- | M] () -- C:\ProgramData.LOG1
[2007/06/02 11:24:38 | 000,000,000 | -H-- | M] () -- C:\ProgramData.LOG2
[2008/07/10 17:39:44 | 004,560,718 | ---- | M] () -- C:\sys5aapn.dsn
[2007/06/10 20:49:19 | 000,000,445 | -H-- | M] () -- C:\T4Metrics.log
[2009/02/11 17:24:15 | 000,000,021 | ---- | M] () -- C:\tmuninst.ini
[2007/07/14 13:51:52 | 000,390,438 | ---- | M] () -- C:\vcredist_x86.log
[2009/11/03 18:14:25 | 000,000,018 | ---- | M] () -- C:\vendor

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< >

========== Files - Unicode (All) ==========
[2010/09/24 22:06:19 | 000,000,265 | ---- | M] ()(C:\Users\David Potter\Desktop\YouTube - ?TheYankeeprepper's Channel??.url) -- C:\Users\David Potter\Desktop\YouTube - TheYankeeprepper's Channel‎.url
[2010/08/06 16:02:35 | 000,000,269 | ---- | M] ()(C:\Users\David Potter\Desktop\YouTube - ?Yankeesbannedvideo's Channel??.url) -- C:\Users\David Potter\Desktop\YouTube - Yankeesbannedvideo's Channel‎.url
[2010/08/06 16:02:35 | 000,000,269 | ---- | C] ()(C:\Users\David Potter\Desktop\YouTube - ?Yankeesbannedvideo's Channel??.url) -- C:\Users\David Potter\Desktop\YouTube - Yankeesbannedvideo's Channel‎.url
[2010/08/06 16:01:58 | 000,000,265 | ---- | C] ()(C:\Users\David Potter\Desktop\YouTube - ?TheYankeeprepper's Channel??.url) -- C:\Users\David Potter\Desktop\YouTube - TheYankeeprepper's Channel‎.url

========== Alternate Data Streams ==========

@Alternate Data Stream - 205 bytes -> C:\ProgramData\TEMP:F35A93AD
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:0CFF5F08

< End of report >


GMER is still running, i will post that log in a minute

#4 TampaMCSE

TampaMCSE
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:36 PM

Posted 16 November 2010 - 09:21 AM

etavares,

Attached is the GMER log file.

I await your reply....when you have a chance to get to it ; )


#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:36 PM

Posted 17 November 2010 - 09:15 PM

Hello, TampaMCSE.

GMER will do that on 64 bit machines. Nothing to worry about.

Let's try this.



Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 2

Download Process Explorer and save it to your desktop.

When you get the CPU usage issue again, run Process Explorer. If the UAC prompts you, let it run.

Expand the tree in the left pane until you find the process dllhost.exe or rundll32.exe that is tying up your processor (listed in the CPU column).
If possible, expand it and report back the process running under that. There likely will not be one since autoruns isn't finding one.

With Process Explorer, you can hover over the process in the left pane and you'll get more information. So, find that highly running process, hover over it and let me know what "services" are listed in the popup. That will help to narrow it down.




etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
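The Step 2 procedure above asks for the same three facts about a busy host process: which services it hosts (the "services" line in the Process Explorer tooltip), what its parent is in the tree, and what it was launched with. The following is an added PowerShell example that collects those facts for the processes that actually consumed CPU during a short sampling window; it is not part of this thread and is not Process Explorer's or Malwarebytes' own code. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt; the five-second window, the output count and the script name in the usage note are assumptions you can change.

```powershell
# Added example (not from the thread or from Process Explorer): measure which
# processes are consuming CPU over a short window and, for each, show what
# Process Explorer shows on hover: the services hosted inside it, its parent
# process and its command line. Assumes Windows PowerShell 3.0+ (Get-CimInstance);
# run from an elevated prompt so system and other users' processes are visible.

param(
    [int]$SampleSeconds = 5,   # assumed sampling window; lengthen it if the spike is brief
    [int]$Top = 8              # how many of the busiest processes to print
)

$cores = [Environment]::ProcessorCount

# PID -> names of the services hosted in that process. This is the mapping
# behind the "Services" line in the svchost/rundll32/dllhost tooltip.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service | Where-Object ProcessId -ne 0) {
    $key = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $svc.Name
}

# PID -> Win32_Process record (Name, ParentProcessId, CommandLine).
$procInfo = @{}
foreach ($wp in Get-CimInstance Win32_Process) { $procInfo[[int]$wp.ProcessId] = $wp }

function Get-CpuSeconds {
    # Processor time consumed so far, per PID. Processes we cannot open
    # (protected, or another user's when not elevated) are skipped.
    $t = @{}
    foreach ($p in Get-Process) {
        try { if ($null -ne $p.CPU) { $t[[int]$p.Id] = [double]$p.CPU } } catch { }
    }
    return $t
}

# Two samples; the difference is what actually ran during the window,
# which avoids ranking long-lived processes by their lifetime totals.
$before = Get-CpuSeconds
Start-Sleep -Seconds $SampleSeconds
$after  = Get-CpuSeconds

$report = foreach ($id in $after.Keys) {
    if ($id -eq 0) { continue }                           # System Idle Process
    if (-not $before.ContainsKey($id)) { continue }      # started during the window
    $delta = $after[$id] - $before[$id]
    if ($delta -le 0) { continue }                        # idle during the window

    $name = '?'; $parent = ''; $cmd = ''
    $info = $procInfo[$id]
    if ($info) {
        $name = $info.Name
        $cmd  = $info.CommandLine
        $pp   = $procInfo[[int]$info.ParentProcessId]
        $parent = if ($pp) { "$($pp.Name) ($($pp.ProcessId))" } else { "$($info.ParentProcessId)" }
    }
    $svcs = ''
    if ($servicesByPid.ContainsKey($id)) { $svcs = $servicesByPid[$id] -join ', ' }

    [pscustomobject]@{
        PID         = $id
        Name        = $name
        CpuPercent  = [math]::Round(100 * $delta / ($SampleSeconds * $cores), 1)
        Parent      = $parent
        Services    = $svcs
        CommandLine = $cmd
    }
}

$report | Sort-Object CpuPercent -Descending | Select-Object -First $Top | Format-List
```

Save it as, for example, Get-BusyHosts.ps1 (an assumed name) and run it while the CPU spike is happening, since it reports only what consumed processor time during the window. For a rundll32.exe entry the CommandLine field shows which DLL and export it was started with, and the Parent field answers the "process running under that" question in the tree; a plain `tasklist /svc` prints just the service-to-PID mapping if that is all you need.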
 


#6 etavares

Posted 20 November 2010 - 05:01 PM

still with me?


#7 TampaMCSE

Posted 22 November 2010 - 08:50 AM

Yes, still with you. Been a crazy week at work, with double the amount of EDI files to process. This weekend was nothing but computer client calls. I will run the Malwarebytes tonight and post the log.

I ran the Malwarebytes scan in safe mode previously, when I had the hard drive removed and was scanning with another computer. It found a few trojan.agents and downloaders which it cleaned up.

You didn't mention in your instructions, whether you wanted this in safe mode or normal mode. Unless i hear from you otherwise, i will assume safe mode and then let it reboot back to normal mode to finish the removal process.

#8 etavares

Posted 22 November 2010 - 07:09 PM

Either mode is fine as long as MBAM will run in that mode. Please don't forget the process explorer...once we pin down the root cause, we'll have a good plan of attack.



#9 TampaMCSE

Posted 23 November 2010 - 09:54 AM

MBAM log. Scan in Safe Mode with Networking. Scan was clean.

Results of Process Explorer attached. When I hovered over the COM Surrogate and Rundll32, it showed the following:

svchost.exe 1020 Host Process for Windows Services Microsoft Corporation:
dllhost.exe 1804 COM Surrogate Microsoft Corporation Service - DCom Server Process Launcher, Plug-n-Play
WmiPrvSe.exe

nvvsvc.exe 384 NVIDIA Driver Helper Service, Version 179.48 NVIDIA Corporation
Rundll32.exe WinHostProcess(Rundll32) NVidia Driver Helper Service


rundll32.exe 2384 Windows host process (Rundll32) Microsoft Corporation Service - Marvell Yukon Service

Waiting on your reply. (Well, not really "waiting", but you know what i mean... ;^) )


===============================

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5176

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18975

11/23/2010 9:12:44 AM
mbam-log-2010-11-23 (09-12-44).txt

Scan type: Quick scan
Objects scanned: 167022
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 etavares

Posted 23 November 2010 - 06:18 PM

Were those processes using high CPU usage at that time? The text file shows them not tying up the CPU. If it is those particular svchost.exe...you may want to try rolling back or updating your NVidia graphics drivers.

Edited by etavares, 23 November 2010 - 06:19 PM.



#11 TampaMCSE

Posted 23 November 2010 - 06:23 PM

It's hard to grab it right when the CPU peaks, but those are the two processes.

I've tried rolling back the video driver and then, a few weeks later, the driver updates again. It's been an ongoing issue with this Gateway laptop, but other than that, it's been a great tool.

If you don't see anything else, I will just have to live with the issue.

Thanks for all your help on this.

#12 etavares

Posted 23 November 2010 - 06:38 PM

Does it stop when you roll the driver back?



#13 etavares

Posted 28 November 2010 - 09:09 AM

still with me?


#14 TampaMCSE

Posted 28 November 2010 - 10:46 PM

Sorry, been busy with the holiday and doing side clients during my off days. I will roll back the video tomorrow and see what it does.

#15 etavares

Posted 29 November 2010 - 06:28 PM

Ok...if it does, then autoupdates, we can try to prevent that from occurring. Diagnosing the root cause for this can sometimes be tricky.

