
Avast reports win32 Malware-gen High-Threat


  • This topic is locked
16 replies to this topic

#1 simple.me

  • Members
  • 8 posts

Posted 13 July 2011 - 04:19 PM

Problem: Avast reports high threat win32-gen (with no obvious malware symptoms)

System Info:

Avast installed over a year, Windows XP Pro, Windows firewall always on, PC used for business by me only:

- no gaming/risky site browsing.

- Connects to business server at times.

- No banking or accounting.



Avast is set to full scan at night; installed for over a year.

Windows XP firewall-

Windows auto updates set to “on”.



First Avast report of malware 7/5/2011.

- PC had been offline about a week.

- The cable/internet ISP service was down; tech said the line connections "fixed" at the last service call about a month prior were the issue.

- Techs did not touch PC… just modem & cable.

Once PC online again, Avast performed a program update & virus definition updates.

1. Next day Avast reported high threat win32-gen:

- c:\program files\online services\PeoplePC\ISP5900\Bin\BartShel.exe


2. I think I moved this to chest; thought this was installed by manufacturer & never used (I am not owner of PC and it is an older Compaq XP media center; plenty of junk installed that I ignore).

3. Avast recommended a boot-time scan (it scans before windows fully loads)

4. Boot-time scan reported the following:

1 - High Threat: Win32:Malware-gen.

- c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\A0054917.exe

4 - Low Threats: PUP: Win32:PUP-gen.

- D:\I386\APPS\APP17286\src\CompaqPresario_Spring06.exe|>[Embedded_R#001280]|>%MAINDIR%\...|>[Embedded_I#051f0]

- D:\I386\APPS\APP17286\src\HPPavillion_Spring06.exe|>[Embedded_R#001280]|>%MAINDIR%\...|>[Embedded_I#051f0]

- D:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\...|>[Embedded_I#051f0]

- D:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\...|>[Embedded_I#051f0]



I think that I then:

1. Scanned w/ Prevx, Malwarebytes & Gmer and all reported no threats detected.

2. Moved items to Avast Virus Chest; assumed I did not really need any of it.

3. From Avast Virus Chest submitted to virus lab as likely false positive.



Then over the next couple of days PC seemed not quite right.

I think that I then restored the files from the virus chest and told Avast to ignore HP files (it seemed I had had the same issues when I installed Avast, and found the HP-ware often sets off AV false positives). PC still odd.

Avast re-reported high threat win32-gen:

- c:\program files\online services\PeoplePC\ISP5900\Bin\BartShel.exe

  - I think I moved this to chest; I know I do not need it.

- c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\A0054917.exe

So, I began keeping the PC offline and watching more closely & reran Gmer I think.

- No redirects when browsing when online, no difficulty going to malware help sites, or installing/running anti-malware programs at any time; just a not-quite-right feel and Avast reports, and growing uneasiness that what seemed like a false positive may be something after all.

Then next day Avast scan reported 2 high threat win32-gen:

- c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\A0054917.exe

- c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP281\A0056089.exe



During this period we had thunderstorms and PC lacking battery backup lost power, rebooted itself & lost power again before I could turn it off.



So by now there were too many things going on with it, so I tried system restore, and ran hard drive, CPU & memory diagnostics to see if installed updates, PC changes or possible crashes were resulting in the not-quite-right feel of the PC.



I saw no significant change. I noticed file deletes taking a long time, even after emptying the recycle bin, during this period; even when not connected to external sources or the internet, & PC not busy with other work.

- Removed a mapped/disconnected network drive; that seems to fix the slow delete.

Over past day or so went to your site & completed all steps & scans to ask for assistance.

Now Avast reports 4 high threats win32-gen (the 3 in restore may be 3 instances of same file?):

- c:\program files\online services\PeoplePC\ISP5900\Bin\BartShel.exe

- c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\A0054917.exe

- c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP281\A0056089.exe

- c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP285\A0058203.exe

I moved all threats to the virus chest and I am keeping the PC offline, except for troubleshooting & help request to Bleeping Computer.

I am checking business email via webmail on a personal PC which reports clean; it shares the same internet connection with the affected PC, but is not networked with it.

Thank you very much for your help!

------------------------------------------------------------------------------------------------------------


DDS.txt:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by user.name at 16:04:01 on 2011-07-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1053 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Rohos\agent.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Documents and Settings\All Users\Application Data\Boxtools\Toolbox.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office12\MSACCESS.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.marketplaceleaders.org/blog/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Rohos] c:\program files\rohos\agent.exe
uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe
uRun: [Boxoft Tools] "c:\documents and settings\all users\application data\boxtools\Boxofttoolbox.exe" -autorun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [hpqSRMon]
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\patti~1.pot\startm~1\programs\startup\pinmclnk.lnk - c:\hp\bin\cloaker.exe
StartupFolder: c:\docume~1\patti~1.pot\startm~1\programs\startup\voip080.lnk - c:\program files\philips\voip080\VOIP080.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cardmi~1.lnk - c:\program files\pfu\cardminder\CardLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289597001031
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://tra.mlxtempo.com/5.1.01.9919/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{03C2FD26-57E2-4DC5-ACBF-018602FF608C} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user.name\application data\mozilla\firefox\profiles\jy3x0kxd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://rc-nc.com/index.shtml
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\user.name\application data\mozilla\firefox\profiles\jy3x0kxd.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-26 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-28 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-28 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-28 42184]
R2 GlidePoint;GlidePoint Touchpad Client;c:\program files\glidepoint\glidesvc.exe [2009-6-4 193832]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-5-25 1336712]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 RHDISK;RHDISK;c:\program files\rohos\rhdisk.sys [2010-11-22 33280]
R2 Rohos Disk;Rohos Disk service;c:\program files\rohos\agent.exe [2010-11-22 800880]
R3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [2010-11-18 65064]
RUnknown 1498916drv;1498916drv; [x]
RUnknown 16645786;16645786; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpuz132;cpuz132;\??\c:\docume~1\patti~1.pot\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\patti~1.pot\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-11 10:41:54 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-11 10:41:54 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-11 02:47:18 131072 ----a-w- c:\program files\online services\peoplepc\isp5900\isp50\bin\BartShel.exe
2011-07-10 02:26:45 -------- d-----w- c:\program files\A.F.5 Rename your files 1.1
2011-06-27 17:05:58 -------- d-----w- c:\documents and settings\user.name\local settings\application data\PCHealth
2011-06-26 02:18:24 95672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-25 03:14:34 -------- d-----w- C:\RC-Fileroom
2011-06-25 03:13:01 -------- d-----w- C:\1-RC-Fileroom
2011-06-25 02:21:29 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-25 02:21:29 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-25 01:35:50 -------- d-----w- c:\program files\NirSoft
2011-06-24 00:00:10 114 ----a-w- c:\windows\Printdir.bat
2011-06-23 23:17:16 -------- d-----w- C:\1-RC-Fileroom.1st
2011-06-20 21:00:12 -------- d-----w- c:\documents and settings\user.name\application data\Fujitsu
2011-06-20 21:00:02 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-06-20 21:00:02 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-06-17 19:12:26 -------- d-----w- c:\program files\ABBYY FineReader for ScanSnap
2011-06-16 22:34:38 -------- d-----w- c:\program files\KnowledgeLake
2011-06-16 22:28:38 476672 ----a-w- c:\windows\system32\s1100u.dll
2011-06-16 22:28:38 3559424 ----a-w- c:\windows\system32\ippi5s1100.dll
2011-06-16 22:28:38 2269184 ----a-w- c:\windows\system32\ijl5s1100.dll
2011-06-16 22:27:19 35328 ----a-w- c:\windows\system32\pfdvmn.dll
2011-06-16 22:27:19 32768 ----a-w- c:\windows\system32\chksti.dll
2011-06-16 22:27:19 31232 ----a-w- c:\windows\system32\pfusti.dll
2011-06-16 22:26:57 69632 ----a-w- c:\windows\system32\PFUIRT.dll
2011-06-16 22:26:57 393216 ----a-w- c:\windows\system32\PFUP60.dll
2011-06-16 22:26:57 249856 ----a-w- c:\windows\system32\PFURT.dll
2011-06-16 22:17:17 -------- d-----w- c:\documents and settings\user.name\application data\PFU
2011-06-16 22:15:06 279552 ----a-w- c:\windows\system32\S1300u.dll
2011-06-16 22:15:06 264192 ----a-w- c:\windows\system32\s300u.dll
2011-06-16 22:15:06 24064 ----a-w- c:\windows\system32\Fjmcusb.dll
2011-06-16 22:15:06 21504 ----a-w- c:\windows\system32\fj52usb.dll
2011-06-16 22:15:06 1990656 ----a-w- c:\windows\system32\ippi5s300.dll
2011-06-16 22:15:06 1990656 ----a-w- c:\windows\system32\ippi5s1300.dll
2011-06-16 22:15:06 1302528 ----a-w- c:\windows\system32\ijl5s300.dll
2011-06-16 22:15:06 1302528 ----a-w- c:\windows\system32\ijl5s1300.dll
2011-06-16 22:14:58 69632 ----a-w- c:\windows\system32\distortion.dll
2011-06-16 22:14:55 -------- d-----w- c:\windows\SSDriver
2011-06-16 22:14:19 -------- d-----w- c:\program files\common files\PFU
2011-06-16 22:14:06 -------- d-----w- c:\program files\PFU
2011-06-16 07:19:57 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-06-15 23:52:27 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:36:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-25 05:42:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-26 19:12:21 86016 ----a-w- c:\windows\SOUNDMAN.EXE
2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 16:07:22.71 ===============



Attached Files

  • attach.txt (24.03KB)
  • Ark.txt (388.37KB)



#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 19 July 2011 - 02:40 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right of this thread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 simple.me

  • Topic Starter
  • Members
  • 8 posts

Posted 19 July 2011 - 04:09 PM

Hi Shannon2012,

I understand the delay in reply, no problem... I am grateful for your help! :)

Requested reports as follows:
==================================================
OTL.txt
=================================================
OTL logfile created on: 7/19/2011 4:28:06 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\user.name\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 56.67% Memory free
3.78 Gb Paging File | 2.97 Gb Available in Paging File | 78.57% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 140.48 Gb Total Space | 69.60 Gb Free Space | 49.54% Space Free | Partition Type: NTFS
Drive D: | 8.56 Gb Total Space | 0.56 Gb Free Space | 6.49% Space Free | Partition Type: FAT32
Drive F: | 298.09 Gb Total Space | 5.88 Gb Free Space | 1.97% Space Free | Partition Type: NTFS

Computer Name: WS10 | User Name: user.name | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/19 16:23:43 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user.name\Desktop\OTL.exe
PRC - [2011/07/04 07:43:54 | 003,493,720 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2011/05/27 08:52:30 | 000,624,056 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
PRC - [2011/05/25 17:29:54 | 001,951,112 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
PRC - [2011/05/25 17:29:48 | 001,336,712 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2011/04/15 14:56:36 | 001,038,336 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\sfzone\SafeZoneBrowser.exe
PRC - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2011/03/18 01:24:50 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2011/02/15 11:25:48 | 000,488,952 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2011/02/15 11:25:42 | 000,738,808 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2011/01/04 17:22:44 | 002,760,192 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Boxtools\Toolbox.exe
PRC - [2010/11/18 23:21:11 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/11/02 17:57:38 | 000,800,880 | ---- | M] (Tesline-Service SRL) -- C:\Program Files\Rohos\agent.exe
PRC - [2010/07/01 11:15:14 | 001,840,472 | ---- | M] (Iomega, an EMC company) -- C:\Program Files\EMC Corporation\v.Clone\vClone.exe
PRC - [2010/07/01 11:11:10 | 000,013,312 | ---- | M] () -- C:\Program Files\EMC Corporation\v.Clone\QuikSync\QuikSync.exe
PRC - [2009/10/22 04:44:24 | 000,395,824 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
PRC - [2009/10/22 04:44:18 | 000,113,200 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Player\vmware-authd.exe
PRC - [2009/10/22 04:44:08 | 000,334,384 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
PRC - [2009/10/22 04:43:30 | 000,064,048 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Player\hqtray.exe
PRC - [2009/10/22 03:47:54 | 000,563,760 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
PRC - [2009/06/04 15:34:34 | 000,193,832 | ---- | M] (Cirque Corporation) -- C:\Program Files\GlidePoint\glidesvc.exe
PRC - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/03 11:16:30 | 000,663,552 | ---- | M] (Philips) -- C:\Program Files\Philips\VOIP080\VOIP080.exe
PRC - [2006/08/01 17:14:47 | 000,036,903 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
PRC - [2006/08/01 16:57:49 | 000,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2006/06/15 00:11:09 | 000,053,248 | ---- | M] (Alcor Micro, Corp.) -- C:\WINDOWS\system32\DrvMon.exe
PRC - [2005/08/03 02:19:16 | 000,077,312 | ---- | M] (Microsoft) -- C:\WINDOWS\arpwrmsg.exe
PRC - [2005/08/03 02:19:16 | 000,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe


========== Modules (SafeList) ==========

MOD - [2011/07/19 16:23:43 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user.name\Desktop\OTL.exe
MOD - [2011/07/04 07:43:51 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
MOD - [2011/05/14 01:17:40 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll
MOD - [2011/05/14 01:12:34 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcp80.dll
MOD - [2011/02/15 11:25:56 | 000,640,504 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2006/08/01 17:14:43 | 000,024,613 | ---- | M] (BackWeb) -- C:\Documents and Settings\user.name\Local Settings\Temp\IadHide5.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/04 07:43:51 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/05/25 17:29:48 | 001,336,712 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2011/02/15 11:25:48 | 000,488,952 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2010/12/31 09:39:54 | 008,133,120 | ---- | M] () [On_Demand | Stopped] -- c:\wamp\bin\mysql\mysql5.5.8\bin\mysqld.exe -- (wampmysqld)
SRV - [2010/12/31 09:39:42 | 000,020,549 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- c:\wamp\bin\apache\apache2.2.17\bin\httpd.exe -- (wampapache)
SRV - [2010/11/18 23:21:11 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/11/02 17:57:38 | 000,800,880 | ---- | M] (Tesline-Service SRL) [Auto | Running] -- C:\Program Files\Rohos\agent.exe -- (Rohos Disk)
SRV - [2010/07/01 11:11:10 | 000,013,312 | ---- | M] () [Auto | Running] -- C:\Program Files\EMC Corporation\v.Clone\QuikSync\QuikSync.exe -- (QuikSync)
SRV - [2009/10/22 04:44:24 | 000,395,824 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2009/10/22 04:44:18 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware Player\vmware-authd.exe -- (VMAuthdService)
SRV - [2009/10/22 04:44:08 | 000,334,384 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2009/10/22 03:47:54 | 000,563,760 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2009/10/12 14:32:24 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Player\vmware-ufad.exe -- (ufad-ws60)
SRV - [2009/06/04 15:34:34 | 000,193,832 | ---- | M] (Cirque Corporation) [Auto | Running] -- C:\Program Files\GlidePoint\glidesvc.exe -- (GlidePoint)
SRV - [2008/10/15 18:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [Auto | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/03/20 17:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2005/08/03 02:19:16 | 000,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)


========== Driver Services (SafeList) ==========

DRV - [2011/07/04 07:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/07/04 07:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/07/04 07:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/07/04 07:35:12 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/07/04 07:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/07/04 07:32:13 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/07/04 07:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/02/15 11:25:36 | 000,026,872 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2010/07/01 11:10:14 | 000,012,672 | ---- | M] (Windows ® Win 7 DDK provider) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\QslFsFltr.sys -- (QslFsFltr)
DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2010/02/03 16:56:56 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/11/03 13:30:12 | 000,022,576 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMware\VMware Virtual Disk Development Kit\bin\vstor2-mntapi10.sys -- (vstor2-mntapi10)
DRV - [2009/10/22 04:45:06 | 000,032,688 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2009/10/22 04:45:02 | 000,853,936 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2009/10/22 04:45:00 | 000,070,704 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2009/10/22 04:45:00 | 000,023,216 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2009/10/22 04:44:58 | 000,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2009/10/22 03:47:52 | 000,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2009/10/22 00:13:32 | 000,016,560 | R--- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2009/10/16 16:06:29 | 000,065,064 | ---- | M] (Cirque Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\glideusb.sys -- (glideusb)
DRV - [2009/10/12 14:31:52 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMware\VMware Player\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2009/07/24 11:43:26 | 000,033,280 | ---- | M] (Tesline-Service SRL) [Kernel | Auto | Running] -- C:\Program Files\Rohos\rhdisk.sys -- (RHDISK)
DRV - [2008/02/27 14:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2006/06/14 14:04:12 | 004,299,264 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/03/03 18:31:04 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/03 18:31:02 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/12/06 14:20:50 | 000,241,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2005/12/06 14:20:40 | 000,936,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DP.sys -- (HSX_DP)
DRV - [2005/06/29 20:03:18 | 000,175,104 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2005/03/09 17:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/11/05 10:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.marketplaceleaders.org/blog/
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://rc-nc.com/index.shtml"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.6.2
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9
FF - prefs.js..extensions.enabledItems: {75CEEE46-9B64-46f8-94BF-54012DE155F0}:0.4.8
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: {68836a21-fc7d-4ea1-a065-7efabd99d414}:3.02
FF - prefs.js..extensions.enabledItems: rankchecker@seobook.com:1.8.4
FF - prefs.js..extensions.enabledItems: {c75a27d8-4529-449f-b67b-aba65d7a1c0a}:0.6
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.1.2
FF - prefs.js..extensions.enabledItems: sroussey@illumination-for-developers.com:1.1.6
FF - prefs.js..extensions.enabledItems: yslow@yahoo-inc.com:2.1.0
FF - prefs.js..extensions.enabledItems: seodoctor@prelovac.com:1.5.2
FF - prefs.js..extensions.enabledItems: {11b496ea-481a-11dc-8314-0800200c9a66}:1.2.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.608
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3.1
FF - prefs.js..extensions.enabledItems: wrc@avast.com:20110101
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2321: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2379: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1483: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2011/07/11 06:46:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2011/07/17 17:53:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/24 22:21:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/27 12:53:56 | 000,000,000 | ---D | M]

[2011/03/16 08:59:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Extensions
[2011/03/16 08:59:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Extensions\prism@developer.mozilla.org
[2011/07/17 19:29:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions
[2011/01/23 00:18:25 | 000,000,000 | ---D | M] (Screengrab) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2011/07/17 19:29:25 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2011/01/08 17:54:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/07/11 06:39:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\{68836a21-fc7d-4ea1-a065-7efabd99d414}
[2011/07/17 17:17:25 | 000,000,000 | ---D | M] (ZoneAlarm Security Community Toolbar) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}
[2011/01/28 15:49:24 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2011/02/21 02:23:54 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\user.name\Application Data\Mozilla\Firefox\Profiles\jy3x0kxd.default\extensions\LogMeInClient@logmein.com
[2011/06/13 20:57:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/01 16:09:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/01 00:03:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/08 17:52:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/06/13 20:57:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\{11B496EA-481A-11DC-8314-0800200C9A66}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\{68836A21-FC7D-4EA1-A065-7EFABD99D414}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\{75CEEE46-9B64-46F8-94BF-54012DE155F0}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\{A7C6CF7F-112C-4500-A7EA-39801A327E5F}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\{C75A27D8-4529-449F-B67B-ABA65D7A1C0A}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\FIREBUG@SOFTWARE.JOEHEWITT.COM.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\RANKCHECKER@SEOBOOK.COM.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\SEODOCTOR@PRELOVAC.COM.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\SROUSSEY@ILLUMINATION-FOR-DEVELOPERS.COM.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\user.name\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JY3X0KXD.DEFAULT\EXTENSIONS\YSLOW@YAHOO-INC.COM.XPI
[2011/07/11 06:46:12 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST5\WEBREP\FF
[2011/02/01 00:01:52 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/06/24 22:21:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/06 10:42:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/11/21 09:23:46 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2011/01/14 00:42:38 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\WebBrowser: (ZoneAlarm Security Toolbar) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AlwaysReady Power Message APP] C:\WINDOWS\arpwrmsg.exe (Microsoft)
O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe (The Eraser Project)
O4 - HKLM..\Run: [ftutil2] C:\WINDOWS\System32\ftutil2.dll (Promise Technology, Inc.)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [hpqSRMon] File not found
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PCDrProfiler] File not found
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [VMware hqtray] C:\Program Files\VMware\VMware Player\hqtray.exe (VMware, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008..\Run: [Boxoft Tools] C:\Documents and Settings\All Users\Application Data\Boxtools\Boxofttoolbox.exe ()
O4 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe (Alcor Micro, Corp.)
O4 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008..\Run: [Rohos] C:\Program Files\Rohos\agent.exe (Tesline-Service SRL)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk = C:\Program Files\PFU\CardMinder\CardLauncher.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk = C:\Program Files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\user.name\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\user.name\Start Menu\Programs\Startup\VOIP080.lnk = C:\Program Files\Philips\VOIP080\VOIP080.exe (Philips)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]
O7 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - File not found
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289597001031 (MUWebControl Class)
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} http://tra.mlxtempo.com/5.1.01.9919/Control/IRCSharc.cab (GeacRevw Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/31 00:02:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 08:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 00:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Loaderw.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/19 16:23:33 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user.name\Desktop\OTL.exe
[2011/07/19 16:03:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Local Settings\Application Data\vClone
[2011/07/19 11:20:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Application Data\VMware
[2011/07/19 11:20:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\v.Clone
[2011/07/19 11:19:08 | 000,059,952 | R--- | C] (VMware, Inc.) -- C:\WINDOWS\System32\vnetinst.dll
[2011/07/19 11:19:08 | 000,016,560 | R--- | C] (VMware, Inc.) -- C:\WINDOWS\System32\drivers\vmnetadapter.sys
[2011/07/19 11:19:02 | 000,334,384 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\vmnetdhcp.exe
[2011/07/19 11:18:58 | 000,395,824 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\vmnat.exe
[2011/07/19 11:18:57 | 000,026,288 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\drivers\vmnetuserif.sys
[2011/07/19 11:18:53 | 000,018,736 | R--- | C] (VMware, Inc.) -- C:\WINDOWS\System32\drivers\vmnet.sys
[2011/07/19 11:18:47 | 000,760,368 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\vnetlib.dll
[2011/07/19 11:18:32 | 000,023,216 | ---- | C] (VMware, Inc.) -- C:\WINDOWS\System32\drivers\VMkbd.sys
[2011/07/19 11:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\VMware
[2011/07/19 11:18:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VMware
[2011/07/19 11:17:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\VMware
[2011/07/19 11:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\VMware
[2011/07/19 11:15:54 | 000,000,000 | ---D | C] -- C:\Program Files\VMware
[2011/07/19 11:15:27 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2011/07/19 11:12:01 | 000,000,000 | ---D | C] -- C:\Program Files\EMC Corporation
[2011/07/17 17:19:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\-My Documents\ForceField Shared Files
[2011/07/17 17:18:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Application Data\CheckPoint
[2011/07/17 17:17:09 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/07/17 17:17:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Local Settings\Application Data\ZoneAlarm_Security
[2011/07/17 17:17:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Local Settings\Application Data\Temp
[2011/07/17 17:17:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Local Settings\Application Data\Conduit
[2011/07/17 17:17:02 | 000,000,000 | ---D | C] -- C:\Program Files\ZoneAlarm_Security
[2011/07/17 17:16:54 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2011/07/17 17:16:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ZoneAlarm
[2011/07/17 17:16:46 | 000,058,368 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsregexp.dll
[2011/07/17 17:16:42 | 000,104,448 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcommdb.dll
[2011/07/17 17:16:42 | 000,069,120 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcomm.dll
[2011/07/17 17:16:33 | 000,043,008 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vswmi.dll
[2011/07/17 17:16:31 | 001,238,528 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zpeng25.dll
[2011/07/17 17:16:31 | 000,110,080 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsxml.dll
[2011/07/17 17:16:30 | 000,302,592 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vspubapi.dll
[2011/07/17 17:16:30 | 000,108,032 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsmonapi.dll
[2011/07/17 17:16:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2011/07/17 17:16:29 | 000,532,224 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2011/07/17 17:16:28 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2011/07/17 17:15:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2011/07/17 17:15:31 | 000,715,264 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsutil.dll
[2011/07/17 17:15:31 | 000,228,864 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsinit.dll
[2011/07/17 17:15:31 | 000,112,128 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdata.dll
[2011/07/13 19:11:47 | 000,000,000 | ---D | C] -- C:\1-Backup DriveImage
[2011/07/13 19:09:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Runtime Software
[2011/07/13 19:09:50 | 000,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2011/07/12 16:04:01 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user.name\Start Menu\Programs\Administrative Tools
[2011/07/12 16:03:33 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\user.name\Desktop\dds.scr
[2011/07/12 15:50:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Desktop\DRIVE-Image sw
[2011/07/09 22:26:45 | 000,000,000 | ---D | C] -- C:\Program Files\A.F.5 Rename your files 1.1
[2011/07/06 20:14:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Desktop\1-Metatron
[2011/06/27 13:05:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Local Settings\Application Data\PCHealth
[2011/06/24 23:14:34 | 000,000,000 | ---D | C] -- C:\RC-Fileroom
[2011/06/24 23:13:01 | 000,000,000 | ---D | C] -- C:\1-RC-Fileroom
[2011/06/24 21:35:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Start Menu\Programs\NirSoft SysExporter
[2011/06/24 21:35:50 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2011/06/23 21:46:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Desktop\1-RC.Fileroom.DIR b4 reorg
[2011/06/23 19:17:16 | 000,000,000 | ---D | C] -- C:\1-RC-Fileroom.1st
[2011/06/20 17:00:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Desktop\RCR.Scans.Temp
[2011/06/20 17:00:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user.name\Application Data\Fujitsu
[2011/06/20 17:00:02 | 000,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[378 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[117 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/19 16:25:13 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\RKUnhookerLE.EXE
[2011/07/19 16:23:43 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user.name\Desktop\OTL.exe
[2011/07/19 16:01:59 | 000,000,246 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2011/07/19 15:57:53 | 000,043,531 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/07/19 15:55:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/19 11:39:31 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook 2007.lnk
[2011/07/19 11:20:12 | 000,000,868 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\v.Clone.lnk
[2011/07/19 11:19:59 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\VMware Player.lnk
[2011/07/19 11:18:24 | 000,001,024 | ---- | M] () -- C:\.rnd
[2011/07/19 11:18:17 | 000,546,248 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/19 11:18:17 | 000,106,302 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/19 11:18:13 | 000,001,801 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VMware Player.lnk
[2011/07/19 10:14:03 | 000,487,416 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\d31544200-en.pdf
[2011/07/19 10:13:51 | 001,540,006 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\vclone-intro.pdf
[2011/07/17 17:18:53 | 000,421,442 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2011/07/17 17:16:50 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/07/17 17:16:49 | 000,000,776 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\ZoneAlarm Security.lnk
[2011/07/17 17:13:14 | 046,973,440 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\zaSetup_92_106_000_en.exe
[2011/07/13 19:09:53 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\DriveImage XML.lnk
[2011/07/13 19:09:53 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
[2011/07/13 18:20:04 | 001,624,952 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/13 17:27:38 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/13 15:40:33 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
[2011/07/12 16:03:35 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\user.name\Desktop\dds.scr
[2011/07/12 16:02:44 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user.name\defogger_reenable
[2011/07/12 16:01:50 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\Defogger.exe
[2011/07/12 15:34:58 | 000,002,489 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Access 2007.lnk
[2011/07/12 15:22:50 | 000,064,064 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\cpuinfo.exe
[2011/07/11 06:51:26 | 000,001,745 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Pro Antivirus.lnk
[2011/07/11 06:51:22 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/07/11 06:45:05 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/10 00:38:38 | 000,001,720 | -H-- | M] () -- C:\Documents and Settings\user.name\-My Documents\Default.rdp
[2011/07/07 15:57:59 | 001,572,864 | ---- | M] () -- C:\Documents and Settings\user.name\-My Documents\1Resources1.accdb
[2011/07/07 15:57:17 | 001,572,864 | ---- | M] () -- C:\Documents and Settings\user.name\-My Documents\1Resources.accdb
[2011/07/06 20:12:35 | 000,000,847 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/07/06 20:12:35 | 000,000,829 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/06 19:42:52 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk
[2011/07/05 09:37:38 | 000,002,283 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype (2).lnk
[2011/07/04 07:43:53 | 000,040,112 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/07/04 07:43:51 | 000,199,304 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/07/04 07:36:43 | 000,441,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/07/04 07:36:32 | 000,309,848 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/07/04 07:35:23 | 000,043,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/07/04 07:35:12 | 000,102,616 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/07/04 07:35:09 | 000,096,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/07/04 07:32:32 | 000,025,432 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/07/04 07:32:13 | 000,030,808 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/07/04 07:32:12 | 000,019,544 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/06/29 05:01:48 | 000,000,837 | ---- | M] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/06/29 04:59:08 | 001,869,114 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\PPotter-RR-Prerunner-EXCEL-06-28-2011.pdf
[2011/06/25 22:10:27 | 000,330,556 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\1-RC-Fileroom.zip
[2011/06/25 22:10:27 | 000,330,556 | ---- | M] () -- C:\1-RC-Fileroom.zip
[2011/06/25 21:09:06 | 000,004,386 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\Fileroom.MD.properties.bat
[2011/06/25 17:25:30 | 000,005,588 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\RC.FileroomMD.tenants.bat
[2011/06/25 01:42:29 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/24 23:24:20 | 000,002,818 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\Fileroom.Folders.bat
[2011/06/24 22:35:48 | 000,006,499 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\RC.FileroomMD3.tenants.bat
[2011/06/24 21:34:25 | 000,107,910 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\sysexp_setup.exe
[2011/06/23 22:25:39 | 000,000,190 | ---- | M] () -- C:\Documents and Settings\user.name\-My Documents\Excelsior.fnd
[2011/06/23 20:07:11 | 000,008,302 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\1.ppotter-webdev.pdf
[2011/06/23 20:00:10 | 000,000,114 | ---- | M] () -- C:\WINDOWS\Printdir.bat
[2011/06/23 19:59:27 | 000,662,528 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\MicrosoftFixit50548.msi
[2011/06/23 19:26:01 | 000,004,260 | ---- | M] () -- C:\Documents and Settings\user.name\Desktop\RC-2.Fileroom.MD.Tenants.bat
[378 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[117 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/19 16:25:03 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\RKUnhookerLE.EXE
[2011/07/19 11:20:12 | 000,000,868 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\v.Clone.lnk
[2011/07/19 11:19:59 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\VMware Player.lnk
[2011/07/19 11:18:24 | 000,001,024 | ---- | C] () -- C:\.rnd
[2011/07/19 11:18:12 | 000,001,801 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VMware Player.lnk
[2011/07/19 10:14:02 | 000,487,416 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\d31544200-en.pdf
[2011/07/19 10:13:46 | 001,540,006 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\vclone-intro.pdf
[2011/07/17 17:16:50 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/07/17 17:16:49 | 000,000,776 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\ZoneAlarm Security.lnk
[2011/07/17 17:16:29 | 000,421,442 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2011/07/17 17:12:58 | 046,973,440 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\zaSetup_92_106_000_en.exe
[2011/07/13 19:09:53 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\user.name\Application Data\Microsoft\Internet Explorer\Quick Launch\DriveImage XML.lnk
[2011/07/13 19:09:53 | 000,000,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
[2011/07/12 16:02:44 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user.name\defogger_reenable
[2011/07/12 16:01:50 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\Defogger.exe
[2011/07/12 15:22:46 | 000,064,064 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\cpuinfo.exe
[2011/07/07 15:57:33 | 001,572,864 | ---- | C] () -- C:\Documents and Settings\user.name\-My Documents\1Resources1.accdb
[2011/07/07 15:56:40 | 001,572,864 | ---- | C] () -- C:\Documents and Settings\user.name\-My Documents\1Resources.accdb
[2011/06/29 05:01:16 | 001,869,114 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\PPotter-RR-Prerunner-EXCEL-06-28-2011.pdf
[2011/06/25 22:10:27 | 000,330,556 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\1-RC-Fileroom.zip
[2011/06/25 22:10:27 | 000,330,556 | ---- | C] () -- C:\1-RC-Fileroom.zip
[2011/06/25 21:09:06 | 000,004,386 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\Fileroom.MD.properties.bat
[2011/06/24 23:11:36 | 000,002,818 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\Fileroom.Folders.bat
[2011/06/24 22:28:27 | 000,006,499 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\RC.FileroomMD3.tenants.bat
[2011/06/24 21:34:24 | 000,107,910 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\sysexp_setup.exe
[2011/06/23 22:25:39 | 000,000,190 | ---- | C] () -- C:\Documents and Settings\user.name\-My Documents\Excelsior.fnd
[2011/06/23 20:07:11 | 000,008,302 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\1.ppotter-webdev.pdf
[2011/06/23 20:00:10 | 000,000,114 | ---- | C] () -- C:\WINDOWS\Printdir.bat
[2011/06/23 19:59:27 | 000,662,528 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\MicrosoftFixit50548.msi
[2011/06/23 19:26:01 | 000,004,260 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\RC-2.Fileroom.MD.Tenants.bat
[2011/06/23 19:14:14 | 000,005,588 | ---- | C] () -- C:\Documents and Settings\user.name\Desktop\RC.FileroomMD.tenants.bat
[2011/06/16 18:15:07 | 000,000,161 | ---- | C] () -- C:\WINDOWS\DISPARAM.INI
[2011/05/11 11:02:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2011/05/11 11:02:07 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2011/05/11 09:19:54 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2011/05/11 09:19:52 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2011/05/11 09:18:16 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2011/05/11 09:18:15 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2011/05/11 09:17:59 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2011/02/22 01:44:16 | 000,053,123 | ---- | C] () -- C:\Documents and Settings\user.name\Application Data\Comma Separated Values (Windows).ADR
[2011/01/01 22:51:30 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/20 20:56:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PCFriend.INI
[2010/11/26 22:33:41 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\user.name\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/24 17:39:54 | 000,009,461 | ---- | C] () -- C:\Documents and Settings\user.name\Application Data\Microsoft Excel 97-2003.EML
[2010/11/24 17:39:32 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/11/23 11:28:55 | 000,106,678 | ---- | C] () -- C:\WINDOWS\hpqins13.dat
[2010/11/23 11:26:02 | 000,103,586 | ---- | C] () -- C:\WINDOWS\hpqins01.dat
[2010/11/21 09:23:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/11/18 23:36:14 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2010/11/14 22:19:33 | 000,157,282 | ---- | C] () -- C:\WINDOWS\hphins26.dat
[2010/11/14 22:19:33 | 000,000,787 | ---- | C] () -- C:\WINDOWS\hphmdl26.dat
[2010/11/14 21:13:59 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2010/11/12 21:47:48 | 000,000,251 | ---- | C] () -- C:\Program Files\wt3d.ini
[2010/11/12 16:51:44 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\user.name\Local Settings\Application Data\fusioncache.dat
[2010/11/12 09:47:56 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/01/25 13:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2006/11/02 10:12:52 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\missouri.dll
[2006/08/01 17:48:51 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/01 17:21:38 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/08/01 17:14:44 | 000,118,842 | R--- | C] () -- C:\WINDOWS\HPCPCUninstaller-6.3.2.116-5577497.exe
[2006/08/01 17:14:04 | 000,667,896 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2006/08/01 17:14:04 | 000,001,235 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2006/08/01 17:13:57 | 000,012,987 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/08/01 17:13:50 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/08/01 17:10:22 | 000,000,031 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/08/01 16:59:52 | 000,000,083 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/08/01 16:58:31 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/08/01 16:58:31 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/08/01 16:53:33 | 000,095,822 | ---- | C] () -- C:\WINDOWS\hpqins69.dat
[2006/08/01 16:52:22 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/08/01 16:48:47 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/08/01 16:48:47 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/08/01 16:48:47 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/08/01 16:48:47 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/08/01 16:48:47 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/08/01 16:48:47 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/08/01 16:48:47 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/08/01 16:48:47 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/08/01 16:48:47 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/08/01 16:48:47 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/08/01 16:48:47 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/08/01 16:47:18 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/08/01 16:25:53 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2006/08/01 16:25:53 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2006/08/01 16:25:33 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2006/06/16 14:58:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/31 00:17:40 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/31 00:07:46 | 000,546,248 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/31 00:07:46 | 000,106,302 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/31 00:05:30 | 001,624,952 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/31 00:01:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/30 23:58:02 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/03 02:19:16 | 000,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
[2004/08/10 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 00:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 00:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 00:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 00:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 00:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 00:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/10 00:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/07/26 10:51:38 | 000,000,592 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/08/23 11:12:28 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 11:11:02 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[1998/10/11 01:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:15D5AA51

< End of report >
=====================================================
Extras.txt
=====================================================
OTL Extras logfile created on: 7/19/2011 4:28:06 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\user.name\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 56.67% Memory free
3.78 Gb Paging File | 2.97 Gb Available in Paging File | 78.57% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 140.48 Gb Total Space | 69.60 Gb Free Space | 49.54% Space Free | Partition Type: NTFS
Drive D: | 8.56 Gb Total Space | 0.56 Gb Free Space | 6.49% Space Free | Partition Type: FAT32
Drive F: | 298.09 Gb Total Space | 5.88 Gb Free Space | 1.97% Space Free | Partition Type: NTFS

Computer Name: WS10 | User Name: user.name | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-536995187-1795891562-3944622506-1008\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Print_Directory_Listing] -- Printdir.bat "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"5985:TCP" = 5985:TCP:*:Enabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5920:TCP" = 5920:TCP:*:Enabled:vnc
"2078:TCP" = 2078:TCP:*:Enabled:hostgator web disk
"2077:TCP" = 2077:TCP:*:Enabled:hostgator web disk

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe" = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections -- (Hewlett-Packard)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe" = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections -- (Hewlett-Packard)
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\RealVNC\VNC4\winvnc4.exe" = C:\Program Files\RealVNC\VNC4\winvnc4.exe:*:Enabled:winvnc4.exe -- (RealVNC Ltd.)
"C:\Program Files\RealVNC\VNC4\vncviewer.exe" = C:\Program Files\RealVNC\VNC4\vncviewer.exe:*:Enabled:Run VNC Viewer -- (RealVNC Ltd.)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" = C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe:*:Enabled:LogMeIn Hamachi -- (LogMeIn Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)
"C:\Program Files\VMware\VMware Player\vmware-authd.exe" = C:\Program Files\VMware\VMware Player\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{02C8D869-16E6-47FB-AC73-A98E99E0982D}" = Scan to Microsoft SharePoint
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0CE5F45E-F6CC-4638-B0DD-BB7F6EF56713}" = HP Deskjet D1500 Printer Driver Software 10.0 Rel .3
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
"{1341D838-719C-4A05-B50F-49420CA1B4BB}" = HP Boot Optimizer
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server {ko_KR}
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 26
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2CC5FCAE-51BA-4926-8C2B-4F07E54F6EA3}" = ScanSnap
"{2D963679-1FC7-4E13-9A81-343F6F49BCC4}" = BlackBerry Desktop Software 4.5
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{305468A6-DE2D-43ba-A168-2F45A97A89DA}" = DJ_SF_03_D1500_Software_Min
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{38436888-9EAA-4cec-A56F-65B73D9D423C}" = D1500
"{392A74D0-4DFE-49F7-87C3-8A61708F8856}" = Eraser 6.0.8.2273
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 2.1
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{5335DADB-34BA-4AE8-A519-648D78498846}" = Skype™ 5.3
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{547EB317-F9FC-4571-B66A-83B3C9D6A2C8}" = VMware Virtual Disk Development Kit
"{5491307B-D2EB-442B-A420-280A3BCF51DF}" = VOIP080
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{55E63724-2BFE-49BC-B03E-9BE0F62E18C2}" = ScanSnap Organizer
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3
"{82C113AD-486F-4bd5-A2EA-2383AF57D084}" = D1500_Help
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{85440CD2-9CD7-4FF9-BEF0-3531FC51956A}" = MessageExport
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8B8240B3-891D-4965-AA51-8799622D44FF}" = DJ_SF_03_D1500_ProductContext
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8DCD0779-8811-4060-9227-871E2FD48E45}" = CardMinder V4.1
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0017-0000-0000-0000000FF1CE}" = Microsoft Office SharePoint Designer 2007
"{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{E1C33B03-3FE9-45BF-91E4-0266F38618C6}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-0017-0409-0000-0000000FF1CE}" = Microsoft Office SharePoint Designer MUI (English) 2007
"{90120000-0017-0409-0000-0000000FF1CE}_SharePointDesigner_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9A331AE6-C985-4CA7-A1B6-CBECA92EED54}" = GlidePoint® Touchpad Driver 3
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C03756D-0444-473F-98FF-2713AC8633AB}" = jAlbum
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9F7AF7CD-E3D0-4C68-A3BA-C76C359B3AA8}" = LightScribe 1.4.105.1
"{A066194B-DC8F-449A-8E0F-B57BDD3A2072}" = SyncToy 2.1 (x86)
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A53A11EA-0095-493F-86FA-A15E8A86A405}" = VMware Player
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.5
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B1421599-A42D-47ef-B512-B9B0317BD599}" = DJ_SF_03_D1500_Software
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C6A61DF1-3139-46AE-BDB6-4AC701B5F677}" = ScanSnap Organizer
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D3A80508-CD83-4CA3-8671-914A1BC78B61}" = Microsoft Sync Framework 2.0 Provider Services (x86) ENU
"{D4F2AFD3-0167-4464-B92F-78AB6DA8A0AA}" = CardMinder
"{D53F5649-79B7-40E4-BCD9-56A581C4B92C}" = ScanSnap
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{D7DBA21A-CDE5-42EC-BB1C-AE4B3E616B9A}_is1" = HP Support Overview
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DBCDB997-EEEB-4BE9-BAFF-26B4094DBDE6}" = ScanSnap Manager
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E4C1DBF1-67D9-4973-9DEC-677E695E7CE0}" = AxCrypt 1.7.2126.0
"{E58F3B88-3B3E-4F85-9323-04789D979C15}" = ScanSnap Organizer
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EB0202F7-016A-410C-ADE4-40F848CCC661}" = Adobe After Effects CS3
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EEF985E8-8B36-4230-B174-117A2381C17F}" = LogMeIn Hamachi
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7E1CA14-B39D-452A-960B-39423DDDD933}" = DriveImage XML (Private Edition)
"{FB250000-0001-0000-0000-074957833700}" = ABBYY FineReader for ScanSnap ™ 3.0
"{FB705754-66FB-4419-9EA9-EB020DEA8D50}" = RingCentral Voicemail Player
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"{FF63121D-91C6-42CC-B341-F1AA729728E7}" = Microsoft Sync Framework 2.0 Core Components (x86) ENU
"3A5CA951EF665845B5AD1156BD88090C7A4F3E57" = Windows Driver Package - Intel (E1000) Net (08/20/2008 8.10.3.0)
"7-Zip" = 7-Zip 9.20
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.3.0 Professional
"Adobe Acrobat 8 Professional_830" = Adobe Acrobat 8.3.0 - CPSID_83708
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"AppDevALEX" = Free Training via AppDev OnDemand 2.4.8.0
"Audacity_is1" = Audacity 1.2.6
"avast" = avast! Pro Antivirus
"AwayMode160" = Microsoft Away Mode
"Belarc Advisor" = Belarc Advisor 8.1
"BlackBerry_{2D963679-1FC7-4E13-9A81-343F6F49BCC4}" = BlackBerry Desktop Software 4.5
"CamStudio" = CamStudio
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Data Fax SoftModem with SmartCP
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HPOOVClient-5577497 Uninstaller" = Compaq Connections (remove only)
"ie8" = Windows Internet Explorer 8
"Inkscape" = Inkscape 0.48.0
"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"LADSPA_plugins-win_is1" = LADSPA_plugins-win-0.4.15
"LAME for Audacity_is1" = LAME v3.98.3 for Audacity
"LogMeIn Hamachi" = LogMeIn Hamachi
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NirSoft SysExporter" = NirSoft SysExporter
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows
"PROPLUS" = Microsoft Office Professional Plus 2007
"Python 2.2.3" = Python 2.2.3
"pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
"RealPlayer 6.0" = RealPlayer
"RealVNC_is1" = VNC Free Edition 4.1.3
"Rohos_Rohos22_is1" = Rohos Disk 1.8
"SharePointDesigner" = Microsoft Office SharePoint Designer 2007
"v.Clone" = v.Clone
"WampServer 2_is1" = WampServer 2.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm" = ZoneAlarm
"ZoneAlarm Toolbar" = ZoneAlarm Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/2/2011 10:58:33 PM | Computer Name = WS10 | Source = ESENT | ID = 489
Description = wuauclt (1888) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 7/2/2011 10:58:34 PM | Computer Name = WS10 | Source = ESENT | ID = 455
Description = wuaueng.dll (1888) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/2/2011 10:58:46 PM | Computer Name = WS10 | Source = ESENT | ID = 489
Description = wuauclt (1888) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 7/2/2011 10:58:46 PM | Computer Name = WS10 | Source = ESENT | ID = 455
Description = wuaueng.dll (1888) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/3/2011 11:21:10 AM | Computer Name = WS10 | Source = Application Error | ID = 1000
Description = Faulting application ehshell.exe, version 5.1.2715.3011, faulting
module claud.ax, version 6.0.0.2803, fault address 0x00025d1d.

Error - 7/5/2011 7:51:43 AM | Computer Name = WS10 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 7/5/2011 10:36:11 AM | Computer Name = WS10 | Source = Application Error | ID = 1000
Description = Faulting application prevx.exe, version 3.0.5.220, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 7/5/2011 10:44:41 AM | Computer Name = WS10 | Source = Application Error | ID = 1001
Description = Fault bucket -2084622376.

Error - 7/5/2011 4:26:37 PM | Computer Name = WS10 | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

Error - 7/6/2011 7:49:06 PM | Computer Name = WS10 | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6557.5001, stamp 4db1d555,
faulting module outlook.exe, version 12.0.6557.5001, stamp 4db1d555, debug? 0,
fault address 0x0046f5f0.

[ OSession Events ]
Error - 2/22/2011 5:09:58 AM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 30
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/1/2011 10:21:57 AM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 3544
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/13/2011 1:01:15 AM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 1238
seconds with 780 seconds of active time. This session ended with a crash.

Error - 3/13/2011 11:34:40 PM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 747
seconds with 600 seconds of active time. This session ended with a crash.

Error - 3/14/2011 7:01:00 AM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 6736
seconds with 3600 seconds of active time. This session ended with a crash.

Error - 3/14/2011 7:12:46 AM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 676
seconds with 480 seconds of active time. This session ended with a crash.

Error - 3/14/2011 11:06:39 AM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 14006
seconds with 3420 seconds of active time. This session ended with a crash.

Error - 3/17/2011 6:57:14 AM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5134
seconds with 1260 seconds of active time. This session ended with a crash.

Error - 4/7/2011 1:43:20 PM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 70843
seconds with 1260 seconds of active time. This session ended with a crash.

Error - 7/6/2011 7:49:00 PM | Computer Name = WS10 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 6292
seconds with 120 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 7/18/2011 5:48:29 PM | Computer Name = WS10 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 60 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/18/2011 5:48:29 PM | Computer Name = WS10 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 60 minutes. NtpClient has no source of accurate
time.

Error - 7/18/2011 6:48:29 PM | Computer Name = WS10 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 120 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/18/2011 6:48:29 PM | Computer Name = WS10 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 7/18/2011 8:48:30 PM | Computer Name = WS10 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 240 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/18/2011 8:48:30 PM | Computer Name = WS10 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 240 minutes. NtpClient has no source of accurate
time.

Error - 7/19/2011 12:48:30 AM | Computer Name = WS10 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 480 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 7/19/2011 12:48:30 AM | Computer Name = WS10 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 480 minutes. NtpClient has no source of accurate
time.

Error - 7/19/2011 11:33:56 AM | Computer Name = WS10 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 7/19/2011 3:58:38 PM | Computer Name = WS10 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.


< End of report >

==================================================================
Report.txt RKU
Report on the RKU screen ended with Nothing Detected :(
==================================================================
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xB6321000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4460544 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3956736 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 82.08 )
0xB90DF000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3538944 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 82.08 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2069376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2069376 bytes
0x804D7000 RAW 2069376 bytes
0x804D7000 WMIxWDM 2069376 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB8F48000 C:\WINDOWS\system32\DRIVERS\HSX_DP.sys 1011712 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB421B000 C:\WINDOWS\system32\Drivers\vmx86.sys 847872 bytes (VMware, Inc., VMware kernel driver)
0xB8E92000 C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys 745472 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9DDA000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB6152000 C:\WINDOWS\System32\vsdatant.sys 528384 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
0xB5F13000 C:\WINDOWS\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
0xB6095000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8D0A000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB6221000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB3E5C000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB8E1F000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 307200 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xB5F83000 C:\WINDOWS\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
0xBF3D8000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB903F000 C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys 282624 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xB9EC8000 ftsata2.sys 274432 bytes (Promise Technology, Inc., Promise Driver for Windows Server 2003)
0xB3EDC000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB8DE8000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xB8D68000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB4312000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9DAD000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAFA09000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB6105000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB8E6A000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB61D3000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB61FB000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB5E77000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB62FD000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB90A7000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9084000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB2447000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB6130000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D1000 ACPI_HAL 131840 bytes
0x806D1000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E90000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9D93000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB5E37000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EB0000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB4DF8000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xB9E67000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8DD1000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB4206000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB90CB000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB627A000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9E7E000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8DC0000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB2AD4000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB54DF000 C:\WINDOWS\system32\Drivers\vmci.sys 65536 bytes (VMware, Inc., VMware kernel driver)
0xBA1D8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA298000 C:\WINDOWS\system32\DRIVERS\glideusb.sys 61440 bytes (Cirque Corporation, GlidePoint® USB Filter Driver)
0xBA308000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB3F45000 C:\Program Files\Rohos\RHDISK.SYS 61440 bytes (Tesline-Service SRL, Rohos® Encrypted virtual disk driver)
0xB435F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB22EC000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB943F000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA318000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA128000 PxHelp20.sys 49152 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA178000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB18BC000 C:\WINDOWS\System32\DRIVERS\UALFDrv2.sys 49152 bytes (Sonix, UAFilter)
0xBA2B8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA2E8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA168000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB5327000 C:\WINDOWS\system32\drivers\hcmon.sys 40960 bytes (VMware, Inc., VMware USB monitor)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1A8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA198000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA1F8000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 36864 bytes (AVAST Software, avast! TDI Filter Driver)
0xBA118000 bb-run.sys 36864 bytes (Promise Technology, Inc., Promise Disk Accelerator)
0xB25FA000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA188000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA278000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 36864 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xBA208000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA460000 C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 32768 bytes (Check Point Software Technologies, ZoneAlarm Browser Security)
0xBA408000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA3C0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA380000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA4B0000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA468000 C:\WINDOWS\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0xB5ECB000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xB3412000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA470000 C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys 28672 bytes (VMware, Inc., VMware bridge driver (32-bit))
0xBA3A0000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xBA428000 C:\WINDOWS\system32\DRIVERS\aracpi.sys 24576 bytes (Microsoft Corporation, Microsoft AR ACPI Driver (Beta 2 Release 2))
0xBA370000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB5EC3000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xBA398000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA388000 C:\WINDOWS\system32\DRIVERS\arhidfltr.sys 20480 bytes (Microsoft Corporation, Microsoft AR HID Filter Driver (Beta 2 Release 2))
0xBA3D8000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0xBA458000 C:\WINDOWS\system32\DRIVERS\hamachi.sys 20480 bytes (LogMeIn, Inc., Hamachi Virtual Network Interface Driver)
0xBA3B0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA438000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA448000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xBA4A0000 C:\WINDOWS\system32\drivers\VMkbd.sys 20480 bytes (VMware, Inc., VMware keyboard filter driver (32-bit))
0xB5EE3000 C:\WINDOWS\system32\drivers\vmnetuserif.sys 20480 bytes (VMware, Inc., VMware network application interface driver (32-bit))
0xBA478000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB62F5000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB31F5000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface DRIVER)
0xBA57C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB5F0B000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9D4F000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xB3105000 C:\WINDOWS\system32\DRIVERS\QslFsFltr.sys 16384 bytes (Windows ® Win 7 DDK provider, QuikSync Fs mini filter driver)
0xB4C60000 C:\Program Files\VMware\VMware Virtual Disk Development Kit\bin\vstor2-mntapi10.sys 16384 bytes (VMware, Inc., VMware Virtual Storage Volume Driver)
0xB31F9000 C:\Program Files\VMware\VMware Player\vstor2-ws60.sys 16384 bytes (VMware, Inc., VMware Virtual Storage Volume Driver)
0xBA544000 C:\WINDOWS\system32\DRIVERS\arpolicy.sys 12288 bytes (Microsoft Corporation, Microsoft AR Policy Driver (Beta 2 Release 2))
0xB5447000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB8DB8000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB62F9000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB5FD1000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA54C000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9D5B000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA584000 C:\WINDOWS\system32\DRIVERS\VMNET.SYS 12288 bytes (VMware, Inc., VMware virtual network driver (32-bit))
0xBA580000 C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys 12288 bytes (VMware, Inc., VMware virtual network adapter driver (32-bit))
0xB8DB4000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xBA5C4000 C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys 8192 bytes (Microsoft Corporation, Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2))
0xBA61E000 C:\WINDOWS\system32\DRIVERS\armoucfltr.sys 8192 bytes (Microsoft Corporation, Microsoft AR PS/2 Mouse Filter Driver (Beta 2 Release 2))
0xBA646000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5B0000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA64C000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA642000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5AE000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA64A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA64E000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA622000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xBA628000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA634000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AC000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA690000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA7B2000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
0xBA73B000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA743000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

==================================================================

thank you!



#4 Shannon2012


  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 20 July 2011 - 11:03 AM

Hi-

Thanks for the logs. I am still working my way through them. In the meantime, please run Malwarebytes' Anti-Malware (MBAM):
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

In your reply, please let me know what problems you are currently having with your computer, and copy in the contents of the MBAM report.
Shannon

#5 simple.me

  • Topic Starter

  • Members
  • 8 posts

Posted 20 July 2011 - 07:03 PM

Ran Malwarebytes full scan of C & D; result same as when I ran it on 7/6: nothing detected. Log below.

I have not been using the PC until I can confirm whether I have a problem or not.

I see no malware-type symptoms: no browser redirects, no difficulty going to anti-malware sites or downloading anti-malware software. GMER was a bit problematic to run and save the report from when I ran it on 7/6, but then I got a clean run and thought all was OK, though the PC seemed a bit off. But I had not used it for a week due to the internet outage, and then ran Malwarebytes, GMER, the Kaspersky tool and the Avast boot scan, so the comprehensive scanning could change the general feel, and the Avast report of a win32 high threat made me a bit paranoid. I think it is a false positive, but I need to know the PC is clean before reconnecting to VLAN resources and transferring data to other PCs from this one.

It seemed a bit unresponsive, but when working I connect to an external server, hosted Exchange and a hosted web site ("SSL web-drive") and run many programs. It is a 2 GB RAM, 2.2 GHz machine often running Adobe Pro, MS Office 2007, Outlook, photo editing and web design software, so it can run a bit differently with any program/Windows update that adds to the overall burden.

I ran checks on the hard drive, RAM and CPU, all OK there, and ran a check disk.
Over the past couple of days I have reconnected to the internet and done simple browsing, streamed some video, and used the Avast "SafeZone" browser, and the PC seems OK to me.

Thank you for your help!

=================================================

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7212

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/20/2011 7:38:00 PM
mbam-log-2011-07-20 (19-38-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 530792
Time elapsed: 7 hour(s), 14 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






#6 Shannon2012


  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 20 July 2011 - 08:47 PM

Hi-

I don't see any infections so far. From your runs, you have one possible infection found in an active area (c:\program files\online services\PeoplePC\ISP5900\Bin\BartShel.exe) and three found in an inactive area - _restore. We should check these files to see if they had a problem or not. I want you to send the BartShel.exe and one of the others to Jotti to be checked from wherever they are currently - I have used their 'found' locations below.

First, before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following files in turn and click the Submit file button within Jotti.

c:\program files\online services\PeoplePC\ISP5900\Bin\BartShel.exe
c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP281\A0056089.exe
(or one of the others)

If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
To scan the next file, click on the Next File button.
Please post back the results of the scan in your next post. You can just post the links to the reports.
If Jotti is busy, try the same at Virustotal

Next, I would like to check your master boot record (MBR) on your system drive. Please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.
In your reply, please let me know the results of the Jotti upload - links to the results would be fine, and copy in the contents of the MBRCheck report.
Shannon
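
What MBRCheck is doing in the step above, as an added example (this is not MBRCheck's code and not part of the thread): the script below parses a raw 512-byte MBR, validates the 0x55AA signature, lists the partition entries, converts each partition's starting LBA into the byte offset MBRCheck prints (LBA x 512, so a volume starting at LBA 63 shows as 0x00000000`00007e00), and hashes the 440-byte boot-code region so it can be compared with a digest recorded when the machine was known clean. The sector is constructed in `build_sample_mbr()`: its partition layout mirrors the offsets in the MBRCheck report posted later in this thread, while the boot-code bytes, the disk signature, the FAT32 type id 0x0C and the sector counts are assumptions. `tamper_boot_code()` shows why reading the partition table alone is not enough: a boot-sector infector patches the loader and leaves the table untouched.

```python
r"""Parse a raw MBR sector the way an MBR checker does.

Added example for this thread; not MBRCheck's code. The boot-code bytes built
below are a constructed stand-in, not the real Windows XP loader.
Shows what "\\.\C: --> \\.\PhysicalDrive0 at offset ..." means (partition
LBA * 512) and how a tool decides whether the 440 bytes of boot code still
match a baseline digest recorded while the machine was known clean.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440       # bytes 0..439: executable boot code
DISK_SIG_OFF = 440        # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries, then 0x55AA at 510
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA, count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries; reject sectors without 0x55AA."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if type_id == 0:      # empty slot
            continue
        parts.append(Partition(i + 1, status == 0x80, type_id, lba, count))
    return parts


def disk_signature(sector: bytes) -> int:
    return struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the code region only; partition table and signature excluded."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def boot_code_matches(sector: bytes, baseline_digest: str) -> bool:
    return boot_code_digest(sector) == baseline_digest


def format_offset(n: int) -> str:
    """MBRCheck's 0xHHHHHHHH`HHHHHHHH rendering of a 64-bit byte offset."""
    return f"0x{n >> 32:08x}`{n & 0xFFFFFFFF:08x}"


def build_sample_mbr() -> bytes:
    """Constructed sector. The layout mirrors the thread's MBRCheck report
    (C: NTFS at LBA 63, D: FAT32 at LBA 294613200); the boot code, disk
    signature, type id 0x0C and sector counts are assumptions."""
    boot_code = bytes((i * 7 + 3) & 0xFF for i in range(BOOT_CODE_LEN))   # placeholder, not real code
    sig = struct.pack("<I", 0x1234ABCD)
    entries = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 294_613_137)
    entries += struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x0C, b"\xfe\xff\xff", 294_613_200, 17_968_608)
    entries += bytes(32)      # two empty slots
    return boot_code + sig + b"\x00\x00" + entries + b"\x55\xaa"


def tamper_boot_code(sector: bytes) -> bytes:
    """Patch the first loader bytes and leave the partition table intact,
    which is what a boot-sector infector does."""
    s = bytearray(sector)
    s[0:4] = b"\xeb\x00\x90\x90"
    return bytes(s)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = boot_code_digest(clean)    # record this while the box is known good
    for p in parse_mbr(clean):
        print(f"partition {p.index}: type 0x{p.type_id:02x} bootable={p.bootable} "
              f"at offset {format_offset(p.byte_offset)}")
    print(f"disk signature 0x{disk_signature(clean):08x}")
    print("boot code matches baseline:", boot_code_matches(clean, baseline))
    infected = tamper_boot_code(clean)
    print("after tampering, table still parses:", len(parse_mbr(infected)) == 2,
          "/ code still matches:", boot_code_matches(infected, baseline))
```

A tool like MBRCheck can additionally compare the code region against a table of known-good loader hashes it ships with; the per-machine baseline here is the same check without that table. On a live XP machine the sector is the first 512 bytes of `\\.\PhysicalDrive0` opened as Administrator; this script never touches a real disk.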

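
Two checks worth running over the RKU driver list above and the MBRCheck kernel-driver list the topic starter posts in reply, as an added example that is not part of the thread and not code from either tool: which loaded drivers come from outside C:\WINDOWS (third-party kernel code that deserves a second look even when it is legitimate, such as the VMware, Rohos and ZoneAlarm drivers on this machine), and which drivers one enumerator saw but the other did not, since a driver hidden from one view is a classic rootkit tell. The sample input is excerpted from the two reports on this page; the one assumption is that bare names such as `Ntfs.sys`, which both tools print without a path, live in %SystemRoot%\system32\drivers.

```python
r"""Triage two kernel-driver listings: RKU's ">Drivers" table and MBRCheck's
"Kernel Drivers" list.

Added example for this thread; not code from RKU, MBRCheck or the posters.
Checks implemented:
  1. drivers loaded from outside C:\WINDOWS (third-party kernel code), and
  2. drivers one enumerator reported but the other did not (a driver hidden
     from one view is a rootkit tell; a difference that timing explains is not).
"""
import ntpath
import re

# One pattern for both layouts: RKU appends " <size> bytes (vendor, description)",
# MBRCheck prints only the load address and the path.
LINE_RE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(?P<path>.+?)(?:\s+\d+ bytes\b.*)?$")

WINDIR = "C:\\WINDOWS\\"
# Both tools print boot-start drivers (Ntfs.sys, ACPI.sys, ...) as bare names.
# Assumption made here, not stated by either tool: they live in system32\drivers.
ASSUMED_BARE_NAME_DIR = WINDIR + "system32\\drivers\\"


def normalize(path: str) -> str:
    """Rewrite the NT-style prefixes both tools use into one C:\\WINDOWS\\... form."""
    p = path.strip()
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        return WINDIR + p[len("\\SystemRoot\\"):]
    if low.startswith("\\??\\"):           # object-manager prefix: \??\C:\...
        return p[len("\\??\\"):]
    if low.startswith("\\windows\\"):      # MBRCheck's drive-less form
        return "C:" + p
    if "\\" not in p:
        return ASSUMED_BARE_NAME_DIR + p
    return p


def parse_driver_list(text: str) -> dict:
    """Map lowercase file name -> normalized full path for every driver line."""
    drivers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        full = normalize(m.group("path"))
        name = ntpath.basename(full)
        if "." not in name:    # RKU pseudo-entries for the kernel: Win32k, PnpManager, RAW, ACPI_HAL
            continue
        drivers[name.lower()] = full
    return drivers


def outside_windows(drivers: dict) -> list:
    """(name, path) pairs for drivers not loaded from under C:\\WINDOWS, sorted by name."""
    return sorted((n, p) for n, p in drivers.items()
                  if not p.lower().startswith(WINDIR.lower()))


def cross_view_diff(view_a: dict, view_b: dict) -> tuple:
    """Driver names present in only one of the two enumerations."""
    a, b = set(view_a), set(view_b)
    return sorted(a - b), sorted(b - a)


# Constructed input: lines excerpted from the two reports in this thread.
RKU_EXCERPT = r"""
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2069376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2069376 bytes
0xB9DDA000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB6152000 C:\WINDOWS\System32\vsdatant.sys 528384 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB3F45000 C:\Program Files\Rohos\RHDISK.SYS 61440 bytes (Tesline-Service SRL, Rohos Encrypted virtual disk driver)
0xB25FA000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA460000 C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 32768 bytes (Check Point Software Technologies, ZoneAlarm Browser Security)
0xBA458000 C:\WINDOWS\system32\DRIVERS\hamachi.sys 20480 bytes (LogMeIn, Inc., Hamachi Virtual Network Interface Driver)
0xB31F9000 C:\Program Files\VMware\VMware Player\vstor2-ws60.sys 16384 bytes (VMware, Inc., VMware Virtual Storage Volume Driver)
"""

MBRCHECK_EXCERPT = r"""
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xB9DDA000 Ntfs.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB35CC000 \??\C:\Program Files\Rohos\RHDISK.SYS
0xBA438000 \SystemRoot\system32\DRIVERS\hamachi.sys
0xB32E7000 \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
0xB472A000 \SystemRoot\System32\Drivers\Udfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll
"""


if __name__ == "__main__":
    rku = parse_driver_list(RKU_EXCERPT)
    mbrcheck = parse_driver_list(MBRCHECK_EXCERPT)
    for label, view in (("RKU", rku), ("MBRCheck", mbrcheck)):
        print(f"{label}: {len(view)} drivers; loaded from outside C:\\WINDOWS:")
        for _, path in outside_windows(view):
            print("   ", path)
    only_rku, only_mbrcheck = cross_view_diff(rku, mbrcheck)
    print("seen by RKU only:     ", only_rku)
    print("seen by MBRCheck only:", only_mbrcheck)
```

On these excerpts every only-in-one-view entry has an explanation: BlackBox.SYS is RKU's own driver, Udfs.SYS loads on demand when UDF media is read, ntdll.dll is a user-mode image that MBRCheck's module list happens to include, and the two ZoneAlarm drivers absent from the MBRCheck run are consistent with the instruction to disable security software before running it. Entries you cannot account for that way are the ones to chase. Load addresses differ between the two runs as a matter of course and are ignored here.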
#7 simple.me

  • Topic Starter

  • Members
  • 8 posts

Posted 21 July 2011 - 07:52 AM

Hi Shannon2012-

per your request:

1- please make sure that you can view all hidden files.


DONE

2-submit files to (http://virusscan.jotti.org/)
a) I see now I had deleted this file from the antivirus chest: c:\program files\online services\PeoplePC\ISP5900\Bin\BartShel.exe
b) I still have all these files in the antivirus chest and can restore them to their original location.


HOWEVER, Windows is denying me access to this folder as it seems to be a protected system folder,

THUS I cannot access/upload the files.

I did submit all to Avast on 7/6 when originally reported as a possible infection or false positive, with my email address.

Avast has not contacted me regarding any findings

c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP281\A0056089.exe (or one of the others)


3- Run MBRCheck.exe
DONE- report below.


Thank you for your help!


============================================
MBR report
============================================

MBRCheck, version 1.2.3
© 2010, AD


Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c


Kernel Drivers (total 158):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 viaide.sys
0xBA5AE000 intelide.sys
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5B0000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xB9EC8000 ftsata2.sys
0xB9EB0000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E90000 fltmgr.sys
0xB9E7E000 sr.sys
0xBA118000 bb-run.sys
0xBA128000 PxHelp20.sys
0xB9E67000 KSecDD.sys
0xB9DDA000 Ntfs.sys
0xB9DAD000 NDIS.sys
0xB9D93000 Mup.sys
0xBA228000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xBA410000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xB785A000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB7846000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3D0000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB7822000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA168000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA178000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA188000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB77FF000 \SystemRoot\system32\DRIVERS\ks.sys
0xB77BA000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0xB76C3000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0xB760D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xBA380000 \SystemRoot\System32\Drivers\Modem.SYS
0xB75E5000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA56C000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB759A000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB7563000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xBA198000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA390000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5F8000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xBA578000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xBA7E5000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA5FC000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA580000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB754C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB753B000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA418000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA428000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA438000 \SystemRoot\system32\DRIVERS\hamachi.sys
0xBA448000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB750B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA490000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA602000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB74AD000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D57000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9D4F000 \SystemRoot\system32\DRIVERS\vmnetadapter.sys
0xB9D4B000 \SystemRoot\system32\DRIVERS\VMNET.SYS
0xBA1F8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA208000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA60C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA218000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xB4AC4000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB4AA0000 \SystemRoot\system32\drivers\portcls.sys
0xB7C4A000 \SystemRoot\system32\drivers\drmk.sys
0xBA61A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA728000 \SystemRoot\System32\Drivers\Null.SYS
0xBA61E000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA4B0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA378000 \SystemRoot\System32\drivers\vga.sys
0xBA622000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA626000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA398000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3A8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB8F8A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB4A1D000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB49C4000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB7C2A000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xB499E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB4976000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA3B8000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xBA568000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB4954000 \SystemRoot\System32\drivers\afd.sys
0xB7C1A000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB4929000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB48B9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB7BFA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB7BEA000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA74B000 \SystemRoot\System32\Drivers\BANTExt.sys
0xB4847000 \SystemRoot\System32\Drivers\aswSP.SYS
0xB47D7000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xBA3A0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA238000 \SystemRoot\system32\DRIVERS\glideusb.sys
0xB48A9000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA248000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3C0000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xB478B000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBA460000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA278000 \SystemRoot\System32\DRIVERS\UALFDrv2.sys
0xBA288000 \SystemRoot\system32\drivers\usbaudio.sys
0xB4A74000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB4A6C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA642000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xBA498000 \??\C:\WINDOWS\system32\drivers\VMkbd.sys
0xB472A000 \SystemRoot\System32\Drivers\Udfs.SYS
0xB4712000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA650000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB4A64000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA440000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA775000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF3D8000 \SystemRoot\System32\ATMFD.DLL
0xBA530000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xBA450000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
0xB3CAA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB3B53000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xB38BE000 \SystemRoot\system32\drivers\wdmaud.sys
0xB3BCA000 \SystemRoot\system32\drivers\sysaudio.sys
0xB377B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB37A8000 \??\C:\WINDOWS\system32\drivers\hcmon.sys
0xB37E8000 \??\C:\WINDOWS\system32\Drivers\vmci.sys
0xB3684000 \??\C:\WINDOWS\system32\Drivers\vmx86.sys
0xB34B3000 \SystemRoot\System32\Drivers\HTTP.sys
0xB336B000 \SystemRoot\system32\DRIVERS\srv.sys
0xB389E000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB35CC000 \??\C:\Program Files\Rohos\RHDISK.SYS
0xB32EB000 \SystemRoot\system32\DRIVERS\QslFsFltr.sys
0xBA408000 \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys
0xB3347000 \??\C:\Program Files\VMware\VMware Virtual Disk Development Kit\bin\vstor2-mntapi10.sys
0xB32E7000 \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
0xBA3D8000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB2DA8000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xAFBA1000 \SystemRoot\system32\drivers\kmixer.sys
0xBA370000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll


Processes (total 59):
0 System Idle Process
4 System
972 C:\WINDOWS\system32\smss.exe
1028 csrss.exe
1052 C:\WINDOWS\system32\winlogon.exe
1096 C:\WINDOWS\system32\services.exe
1108 C:\WINDOWS\system32\lsass.exe
1308 C:\WINDOWS\system32\svchost.exe
1360 svchost.exe
516 C:\Program Files\Rohos\agent.exe
532 C:\WINDOWS\system32\svchost.exe
856 svchost.exe
1500 svchost.exe
1612 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1820 C:\WINDOWS\explorer.exe
628 C:\WINDOWS\system32\spoolsv.exe
144 svchost.exe
1444 C:\WINDOWS\arservice.exe
1464 C:\Program Files\Bonjour\mDNSResponder.exe
368 C:\WINDOWS\ehome\ehrecvr.exe
388 C:\WINDOWS\ehome\ehSched.exe
712 C:\Program Files\GlidePoint\glidesvc.exe
788 C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
872 C:\WINDOWS\system32\svchost.exe
1352 C:\WINDOWS\system32\inetsrv\inetinfo.exe
192 C:\Program Files\Java\jre6\bin\jqs.exe
224 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2040 C:\WINDOWS\system32\nvsvc32.exe
2064 C:\Program Files\EMC Corporation\v.Clone\QuikSync\QuikSync.exe
2760 svchost.exe
2788 C:\WINDOWS\system32\svchost.exe
3536 mcrdsvc.exe
2752 C:\WINDOWS\system32\dllhost.exe
1808 alg.exe
336 C:\WINDOWS\ehome\ehtray.exe
696 C:\WINDOWS\ehome\ehmsas.exe
1072 C:\WINDOWS\RTHDCPL.EXE
1520 C:\WINDOWS\arpwrmsg.exe
3944 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3952 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
2564 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2728 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1656 C:\Program Files\Common Files\Java\Java Update\jusched.exe
4036 C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
1704 C:\Program Files\VMware\VMware Player\hqtray.exe
3912 C:\WINDOWS\system32\DrvMon.exe
3404 C:\Documents and Settings\All Users\Application Data\Boxtools\Toolbox.exe
2988 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
2484 C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
588 C:\Program Files\Philips\VOIP080\VOIP080.exe
3860 C:\WINDOWS\system\hpsysdrv.exe
2288 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3844 C:\Program Files\Alwil Software\Avast5\sfzone\SafeZoneBrowser.exe
2872 C:\Program Files\Alwil Software\Avast5\sfzone\SafeZoneBrowser.exe
2924 C:\Program Files\Alwil Software\Avast5\sfzone\SafeZoneBrowser.exe
1472 C:\Program Files\Alwil Software\Avast5\sfzone\SafeZoneBrowser.exe
3972 C:\WINDOWS\system32\rundll32.exe
404 C:\WINDOWS\system32\wscntfy.exe
3168 C:\Documents and Settings\user.name\Desktop\MBRCheck.exe


\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000023`1ee1a000 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)


PhysicalDrive0 Model Number: ST3160812AS, Rev: 3.AHH
PhysicalDrive1 Model Number: TOSHIBAMK3259GSX, Rev:


Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB
298 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F




Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Done!

#8 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 21 July 2011 - 11:04 AM

Hi-

The important file was BartShel.exe, but since that is no longer available, we will skip Jotti for now.

Please download aswMBR ( 511KB ) to your desktop.

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • It will also copy the MBR into a file on your desktop - MBR.dat.

In your reply, please send me the contents of the aswMBR report. Rename the MBR.dat file to s2012.txt and attach that to your reply.
Shannon

#9 simple.me

  • Topic Starter
  • Members
  • 8 posts

Posted 21 July 2011 - 01:35 PM

Per your request, aswMBR as follows; renamed DAT file attached. Thank you!
=================================================
aswMBR version 0.9.8.942 Copyright© 2011 AVAST Software
Run date: 2011-07-21 12:40:41
-----------------------------
12:40:41.734 OS Version: Windows 5.1.2600 Service Pack 3
12:40:41.734 Number of processors: 1 586 0x4F02
12:40:41.734 ComputerName: WS10 UserName:
12:40:43.453 Initialize success
12:40:43.515 AVAST engine defs: 11072100
12:40:50.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
12:40:50.062 Disk 0 Vendor: ST3160812AS 3.AHH Size: 152627MB BusType: 3
12:40:50.078 Disk 0 MBR read successfully
12:40:50.078 Disk 0 MBR scan
12:40:50.093 Disk 0 unknown MBR code
12:40:50.093 Disk 0 scanning sectors +312575760
12:40:50.203 Disk 0 scanning C:\WINDOWS\system32\drivers
12:41:16.421 Service scanning
12:41:18.921 Modules scanning
12:42:01.750 Disk 0 trace - called modules:
12:42:01.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
12:42:01.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a509ab8]
12:42:01.781 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000007e[0x8a48af18]
12:42:01.781 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x8a43c940]
12:42:03.328 AVAST engine scan C:\WINDOWS
12:42:42.734 AVAST engine scan C:\WINDOWS\system32
12:48:29.062 AVAST engine scan C:\WINDOWS\system32\drivers
12:49:09.625 AVAST engine scan C:\Documents and Settings\user.name
13:54:48.640 AVAST engine scan C:\Documents and Settings\All Users
14:08:17.875 Scan finished successfully
14:11:45.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user.name\Desktop\MBR.dat"
14:11:45.937 The log file has been saved successfully to "C:\Documents and Settings\user.name\Desktop\aswMBR.txt"
=======================

Attached Files
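The MBR.dat that aswMBR saved here, and the "Unknown MBR code" verdict with SHA1 and partition offsets that MBRCheck printed earlier in the thread, can be reproduced offline from the 512-byte dump. The following is an added example, not code from the thread, aswMBR or MBRCheck; the sample sector, its boot code, disk signature and partition sizes are constructed, laid out only to match the C: (0x7e00, NTFS) and D: (0x231ee1a000, FAT32) offsets reported above, and which region a given tool hashes is an assumption the analyst must confirm.

```python
"""Inspect a 512-byte MBR dump such as the MBR.dat that aswMBR saves.

Added example; not code from the thread, aswMBR or MBRCheck. Which region a
given tool hashes (bootstrap code only, or the whole sector) is an assumption
the analyst must confirm, so both hashes are reported.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional, Set

SECTOR = 512
BOOT_CODE_LEN = 440     # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440      # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"  # bytes 510..511
PART_TYPES = {0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, "unknown (0x%02X)" % self.type_id)


@dataclass
class MbrReport:
    signature_ok: bool
    disk_signature: int
    code_sha1: str
    sector_sha1: str
    partitions: List[Partition]


def parse_mbr(sector: bytes) -> MbrReport:
    """Decode one MBR sector; a truncated or oversized dump is an error."""
    if len(sector) != SECTOR:
        raise ValueError("expected %d-byte sector, got %d" % (SECTOR, len(sector)))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0x00:  # 0x00 marks an unused slot
            partitions.append(Partition(i, status == 0x80, ptype, lba, count))
    return MbrReport(
        signature_ok=sector[510:512] == BOOT_SIG,
        disk_signature=struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        code_sha1=hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        sector_sha1=hashlib.sha1(sector).hexdigest(),
        partitions=partitions,
    )


def partition_at_offset(report: MbrReport, byte_offset: int) -> Optional[Partition]:
    """Match a volume's reported byte offset ('... at offset 0x...') to a table entry."""
    return next((p for p in report.partitions if p.byte_offset == byte_offset), None)


def classify_code(report: MbrReport, known_good_sha1: Set[str]) -> str:
    """'known' if the bootstrap hash is on the analyst's allow-list, else 'unknown'."""
    return "known" if report.code_sha1 in known_good_sha1 else "unknown"


def build_sample_mbr() -> bytes:
    """Constructed sector laid out like the thread's PhysicalDrive0: NTFS at byte
    0x7e00 (LBA 63) and FAT32 at 0x231ee1a000 (LBA 294613200). Boot code, disk
    signature and partition sizes are made up."""
    code = b"\xFA\x33\xC0" + b"\x90" * (BOOT_CODE_LEN - 3)  # placeholder, not a loader
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entries = [  # status, CHS start, type, CHS end, LBA start, sector count
        struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                    63, 294613200 - 63),
        struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x0B, b"\xFE\xFF\xFF",
                    294613200, 17900000),
        bytes(PART_ENTRY_LEN), bytes(PART_ENTRY_LEN),
    ]
    return code + disk_sig + b"".join(entries) + BOOT_SIG


if __name__ == "__main__":
    # Pass the path to MBR.dat; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    rep = parse_mbr(data)
    print("signature ok:", rep.signature_ok, "| bootstrap:", classify_code(rep, set()))
    for p in rep.partitions:
        print("partition %d: %s at 0x%x, %d sectors" % (p.index, p.type_name,
                                                        p.byte_offset, p.sector_count))
```

With an empty allow-list the verdict is always "unknown", which is all that "Unknown MBR code" means: the hash was not on the tool's list, not that the code is malicious.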



#10 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 21 July 2011 - 02:41 PM

Hi-

I still don't see any infections. The MBR looks good. There are things to clean up and off.

We need to run an OTL Fix.
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
:OTL
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
[2010/12/01 16:09:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/01 00:03:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/08 17:52:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
File not found (No name found) --
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [hpqSRMon] File not found
O4 - HKLM..\Run: [PCDrProfiler] File not found
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - File not found 
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - File not found
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
:commands
[emptytemp]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.
Next, I'd like for you to scan your machine with ESET OnlineScan
  • Hold down Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
In your reply, please copy in the OTL Fix report and the ESET OnlineScan report.
Shannon

#11 simple.me

  • Topic Starter
  • Members
  • 8 posts

Posted 21 July 2011 - 04:40 PM

OTL Fix report as follows; ESET still running.

Thank you!
========================================================================================

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-536995187-1795891562-3944622506-1008\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\ not found.
Registry value HKEY_USERS\S-1-5-21-536995187-1795891562-3944622506-1008\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23 removed from extensions.enabledItems
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ not found.
Registry value HKEY_USERS\S-1-5-21-536995187-1795891562-3944622506-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\hpqSRMon deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\PCDrProfiler deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\dssrequest\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\ not found.
File {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\sacore\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}\ not found.
File {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 2053192 bytes
->Temporary Internet Files folder emptied: 66274 bytes

User: NetworkService
->Temp folder emptied: 992728 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: user.name
->Temp folder emptied: 3233686941 bytes
->Temporary Internet Files folder emptied: 76132633 bytes
->Java cache emptied: 4200356 bytes
->FireFox cache emptied: 501388221 bytes
->Flash cache emptied: 2828593 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2084977 bytes
%systemroot%\System32 .tmp files removed: 242175668 bytes
%systemroot%\System32\dllcache .tmp files removed: 57163216 bytes
%systemroot%\System32\drivers .tmp files removed: 256512 bytes
Windows Temp folder emptied: 5577694 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 18076402 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3,955.00 mb


OTL by OldTimer - Version 3.2.26.1 log created on 07212011_154717

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
==================================

#12 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 22 July 2011 - 09:45 AM

ESET report?
Shannon

#13 simple.me

  • Topic Starter
  • Members
  • 8 posts

Posted 22 July 2011 - 01:52 PM

Sorry for the delay!

ESET scan took about 17 hours (offline, Avast scanners disabled, Scan Archives selected).

Then I lost my reply, which was almost complete, when Google reported bleepingcomputer.com had site issues. I recreated it below.



FYI: I saw no report option in ESET once it completed; the only options were to remove/clean or not remove/clean. Perhaps I missed something.

FYI: there was an option at the start to clean/remove threats found (automatically selected; I deselected this option per your instruction not to remove anything until advised).

- Default screen, showing all options/defaults.



I Searched ESET website and found it automatically saves the report :

"How can I view the log file from ESET Online Scanner?
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\ESET\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop."

HOWEVER, it does not save to the stated location; it saves to C:\Program Files\ESET\ESET Online Scanner\log.txt (spaces between the words in the ESET folder name).



Report below, with links to the file checks via Jotti.



FYI: I was able to upload threat files in protected folders. How-to and results as follows:
TIPS for USERS attempting/unable to submit files in protected folders to Jotti

  • The files reported by ESET were in a protected backup partition folder and I could not use the Jotti file upload browse feature to browse to them; access was denied.
    • I was able to paste the entire path from the ESET report into the filename field of the browse window and upload them as follows:
      • From http://virusscan.jotti.org/en, in the Jotti's malware scan "submit file" box, click the Browse button.
        • A File Upload window should open.
      • In the "File name" field/data entry area, paste the full path of the file to upload.
        • Example of full path: D:\I386\APPS\APP17286\src\CompaqPresario_Spring06.exe
        • How to copy & paste:
          • Highlight/select the path/filename on the report and use Ctrl+C to copy it.
          • If you cannot select the filename/path, then open a word processing program, email or Notepad and type the full path and filename (save your document/message).
          • Then highlight it and use Ctrl+C (press the "Ctrl" key and hold, then press the "c" key).
          • Move to the File Upload window, click in the filename box and use Ctrl+V to paste the path into the box, then click the "Open" button.
      • Then, when returned to the Jotti's malware scan page, click the Submit button.

  • The AVAST files in the Virus Chest / System Volume Information folder I was able to upload as follows:
    • In the Avast Virus Chest I right-clicked the file name/line item and selected "Extract" from the pop-up menu.
    • I extracted the files to my desktop and then uploaded them to Jotti.



Jotti scans of files in c:\system volume information\_restore as follows:

c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\A0054917.exe was initially identified as BartShel.exe
  • Lost the link with the 1st reply today & cannot get back on Jotti at this time.
  • Name became A0054917.exe after scan, now A0060827.exe (see files below; it is the same content & the name at Jotti changes with the most recent re-scan).

c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\A0054945.exe
identifies as CompaqPresario_Spring06.exe; see result below in ESET (seems to be WeatherBug).

c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP279\A0054946.exe
identifies as HPPavillion_Spring06.exe; see result below in ESET (seems to be WeatherBug).

c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP293\A0060827.exe
http://virusscan.jotti.org/en/scanresult/8fee71a97bc490a53026c467a2535592fdf03cd2
initially identified as the file above, A0054917.exe, aka BartShel.exe

c:\system volume information\_restore{106CF321-99A3-4EA-9103-1BD027606A99}\RP281\A0056089.exe
http://virusscan.jotti.org/en/scanresult/1039726b4627fb19cc59cd7002524148a0463dce/8fee71a97bc490a53026c467a2535592fdf03cd2
initially identified as the A0060827.exe file above, aka BartShel.exe

  • BartShel.exe & PeoplePC web searches show much info on this as nuisance-ware that seems to push advertising pop-ups to users. I never used the service, so it has been dormant since the restore of the factory image last year.
  • Links to web info:
    • http://www.file.net/process/bartshel.exe.html
    • http://forums.pcpitstop.com/index.php?/topic/130884-peoplepc-problems/



==========================================
ESET report
==========================================

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=7667cfc8a7d0d04b90e9a9ed1f66b977
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-22 06:18:29
# local_time=2011-07-22 02:18:29 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 19387694 19387694 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=327490
# found=3
# cleaned=0
# scan_time=35883

C:\1OLD-11.30.0210-restored Docus & settings\Documents and Settings\user.name\Application Data\Sun\Java\Deployment\cache\6.0\43\556445eb-4917654a probably a variant of Win32/Agent.DYXWUMY trojan (unable to clean) 00000000000000000000000000000000 I

Jotti rescan link: http://virusscan.jotti.org/en/scanresult/4ce255cb884cf110594611fe5f8841df175afa41

This appears to be an old Java exploit; it is in an old backup data file used to restore the system configuration after the Windows restore of the factory image.
=================================================

D:\I386\APPS\APP17286\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I

Jotti re-scan link: http://virusscan.jotti.org/en/scanresult/4d5dd9baff98a6777c4a1d9297e1e2fd0c762873/d8919e253e4cd6dabaebb5b2b7661ba7012bc5de

Appears to be WeatherBug, one of the "helpful" apps in the HP-included apps for this PC.
=================================================

D:\I386\APPS\APP17286\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I

Jotti re-scan link: http://virusscan.jotti.org/en/scanresult/7a4569703c8e97e3f6342e3bd110e8ccee5b253e/c70eef9e8aab666ea52bb1f030c7b732d7f01696

Appears to be WeatherBug, one of the "helpful" apps in the HP-included apps for this PC.
=================================================



It all appears to be nuisance ware to me and consistent with preinstalled apps for the PC.
I think that all of this was reported as low threat when I installed Avast, and after checking I told Avast to ignore it, but it seems the files were perhaps reflagged by the recent Avast program & definition updates.

Thank you!



#14 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 23 July 2011 - 06:30 AM

Hi-

You had a rough time of it. I'm sorry that you got kicked off that way and lost everything. Jotti wasn't much fun either.

I think it is safe to say that your computer is now clear of infections (if you ever had any) since everything that was found was out of the way in the restore area, which we will clear shortly. All the other scans came up clear, as well. So, it is time to clear off the tools we used and to offer some words of advice, which you probably don't need.

First, to re-enable your Emulation drivers, double click Defogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • Defogger might ask to reboot the machine - click OK

Next, please set your system to hide all 'hidden' files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.

To clear the system restore points, go to Control Panel->System. Click on the System Restore tab, check Turn Off System Restore, and click on the Apply button. This will clear all the existing restore points. Once they are cleared, uncheck Turn Off System Restore, and click the Apply button.

Then, we should remove the tools we used and we will do that with OTL-
  • Double click on the OTL icon on your desktop.
  • Click the "CleanUp" button.
  • Restart your computer when prompted.

There will be some leftover tools and files on your desktop - just delete them.

Please take the time to read below to secure your machine and take the necessary steps to keep it clean.

One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are going to sites where you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a pop up appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop ups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a pop up that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period. Another recommended, and free, AntiSpyware program is Malwarebytes' Anti-Malware (MBAM).

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Update your Java runtimes regularly

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Download the latest version here - http://java.sun.com/javase/downloads/index.jsp. You want to select the JRE version.
Follow this list and your potential for being infected again will reduce dramatically.

Good Luck!!

Shannon

#15 simple.me

  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 26 July 2011 - 01:59 PM

Clean up of tools complete. Thank you for your help!! :thumbsup:
