Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Repeated attacks blocked by firewall but nothing detected on scans


  • This topic is locked This topic is locked
10 replies to this topic

#1 Purple88

Purple88

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 24 September 2011 - 01:11 AM

Norton Internet Security keeps notifying of virus attacks and malware attacks being blocked, but repeated scans with Norton, Malware Bytes, and Spybot all turn up nothing. Other symptoms include losing sound on web sites, but gets restored after a reboot (at least until next wave of attack notices). Also seeing slow response on boot up. Am not familiar with "rootkit" viruses, but an IT friend said some of our symptoms sound familiar. Need help to find and purge.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Rob at 22:58:44 on 2011-09-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.1558 [GMT -7:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\CAPM3RSK.EXE
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SAOB Monitor] c:\program files\acronis\trueimagehome\onlinebackupstandalone\TrueImageMonitor.exe
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_ActiveX.exe -update activex
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\canonp~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BAD6256C-2B74-42E1-970A-9F3354C35D44} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-11-27 40560]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-2 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-2 744568]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-1-8 752128]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110909.001\BHDrvx86.sys [2011-9-9 816760]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-2 136312]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-1-8 3246040]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-2-21 8960]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-2 130008]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-1-8 167968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-9-5 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110923.030\IDSXpx86.sys [2011-9-23 356280]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-2-21 110080]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110923.018\NAVENG.SYS [2011-9-23 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110923.018\NAVEX15.SYS [2011-9-23 1576312]
S2 RapidPortM3;RapidPortM3;c:\windows\system32\drivers\CAPM3LP.SYS [2009-3-7 22976]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-2-21 11264]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-2-21 16640]
.
=============== Created Last 30 ================
.
2011-09-20 06:17:21 44024 ----a-r- c:\windows\system32\drivers\SymIM.sys
2011-09-20 02:17:55 -------- d-----w- c:\documents and settings\rob\application data\28B7BC49-47C1-4D49-A43C-1C79C799D47B
2011-09-20 02:17:53 -------- d-----w- c:\documents and settings\rob\application data\3D70D7BD-DD73-4F8B-A84F-C3F94A79367F
2011-09-12 14:28:36 -------- d-----w- c:\documents and settings\rob\application data\Tific
2011-09-06 03:52:42 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-06 03:52:03 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-20 02:17:55 167968 ----a-w- c:\windows\system32\drivers\afcdp.sys
2011-09-20 02:17:49 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-09-20 02:17:48 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 22:59:24.14 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:36 AM

Posted 28 September 2011 - 12:32 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this tread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 Purple88

Purple88
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 30 September 2011 - 12:00 AM

Copied from Report.txt

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB20E0000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6045696 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA105A000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4923392 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF280000 C:\WINDOWS\System32\igxpdx32.DLL 3330048 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 2297856 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1871872 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1871872 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x9596E000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20110929.019\NAVEX15.SYS 1572864 bytes (Symantec Corporation, AV Engine)
0xA0AC1000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 888832 bytes
0xB9E4A000 iaStor.sys 888832 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xA0C12000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110920.001\BHDrvx86.sys 831488 bytes (Symantec Corporation, BASH Driver)
0xB9D06000 SYMEFA.SYS 765952 bytes
0xB9AD6000 tdrpm273.sys 745472 bytes (Acronis, Acronis Try&Decide Volume Filter Driver)
0xB9B8C000 timntr.sys 598016 bytes (Acronis, Acronis Backup Archive Explorer)
0xB9C4B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0x9B4C1000 C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS 548864 bytes (Symantec Corporation, Symantec AutoProtect)
0xA0D59000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA0CFB000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB1F8D000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0x98772000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110929.031\IDSxpx86.sys 372736 bytes (Symantec Corporation, IDS Core Driver)
0xA0F09000 C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS 364544 bytes (Symantec Corporation, Network Dispatch Driver)
0xA0F62000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA001D000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB9DD3000 SYMDS.SYS 356352 bytes
0xBF5AD000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9B60F000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB1FEB000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA0521000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9C1E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xA0DC9000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x9BAE8000 C:\WINDOWS\system32\DRIVERS\afcdp.sys 163840 bytes (Acronis, File Level CDP Kernel Helper)
0xB2080000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA0E3A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9AAE000 snapman.sys 163840 bytes (Acronis, Acronis Snapshot API)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA0EE3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA0EBD000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 155648 bytes (Symantec Corporation, Symantec Event Library)
0xA022D000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA0DF4000 C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS 147456 bytes (Symantec Corporation, Iron Driver)
0xA1036000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB20A8000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB2043000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA0E18000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134528 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E2A000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xA1016000 C:\WINDOWS\system32\drivers\IntcHdmi.sys 131072 bytes (Intel® Corporation, Intel® High Definition Audio HDMI)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xA0CDD000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 122880 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xB9A94000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB2066000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 106496 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xA09A0000 C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS 102400 bytes (Roxio, Drive Letter Access Component)
0xA0973000 C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS 94208 bytes (Roxio, Drive Letter Access Component)
0xB9CEF000 DRVMCDB.SYS 94208 bytes (Sonic Solutions, Device Driver)
0xB9CD8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB202C000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA098A000 C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS 90112 bytes (Roxio, Drive Letter Access Component)
0xA077E000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0x9595A000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20110929.019\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xB20CC000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA0FBB000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9DC1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB201B000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB6ACE000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA138000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA208000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA158000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB42F1000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB6ABE000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xBA178000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA268000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 45056 bytes (Roxio, Device Driver Manager)
0xB6B1E000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA188000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB6B2E000 C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS 45056 bytes (Symantec Corporation, Symantec AutoProtect)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1E8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA0F8000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\SymIM.sys 40960 bytes (Symantec Corporation, NDIS Intermediate Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0x9173B000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB6AFE000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA128000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA258000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB26D0000 C:\WINDOWS\System32\Drivers\DLABMFSM.SYS 32768 bytes (Roxio, Drive Letter Access Component)
0xBA478000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB3532000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA368000 C:\WINDOWS\System32\Drivers\DLABOIOM.SYS 28672 bytes (Roxio, Drive Letter Access Component)
0xBA450000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB26B8000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xB4100000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB26E8000 C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS 24576 bytes (Roxio, Drive Letter Access Component)
0xBA438000 C:\WINDOWS\System32\Drivers\DLARTL_M.SYS 24576 bytes (Roxio, Shared Driver Component)
0xB2F5C000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xBA420000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA430000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB3562000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA458000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA330000 hotcore3.sys 20480 bytes (Paragon Software Group, A part of Paragon System Utilities)
0xBA468000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA328000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3D8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB2F3C000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA0285000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xB6C17000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xA1006000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB2B17000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA096F000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9960000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xA0FFA000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xBA4BC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4D0000 C:\WINDOWS\System32\Drivers\DLAPoolM.SYS 12288 bytes (Roxio, Drive Letter Access Component)
0xA0BD2000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB6C2B000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB9924000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0x8A083000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xA0923000 C:\WINDOWS\system32\DRIVERS\LANPkt.sys 12288 bytes (Realtek Semiconductor Corporation, Realtek LAN Protocol Driver)
0xA100E000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB3C90000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB99A4000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB3715000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 DLACDBHM.SYS 8192 bytes (Roxio, Shared Driver Component)
0xBA5AA000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xB3719000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB3320000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB331A000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5E8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5EC000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5A8000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7AB000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA784000 C:\WINDOWS\System32\Drivers\DLADResM.SYS 4096 bytes (Roxio, Drive Letter Access Component)
0xBA773000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7F3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================


OTL logfile created on: 9/29/2011 9:45:07 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Rob\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.97 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 29.01% Memory free
4.80 Gb Paging File | 2.77 Gb Available in Paging File | 57.70% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 126.01 Gb Total Space | 74.53 Gb Free Space | 59.14% Space Free | Partition Type: NTFS
Drive G: | 106.78 Gb Total Space | 2.93 Gb Free Space | 2.75% Space Free | Partition Type: NTFS
Drive H: | 931.51 Gb Total Space | 64.72 Gb Free Space | 6.95% Space Free | Partition Type: NTFS

Computer Name: FAMILYROOM | User Name: Rob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/29 21:34:42 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
PRC - [2011/09/19 19:17:53 | 003,246,040 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2011/06/27 23:57:32 | 005,550,840 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2011/05/10 18:57:28 | 002,536,440 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
PRC - [2011/04/16 17:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe
PRC - [2010/12/06 04:56:42 | 000,390,728 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2010/12/06 04:56:38 | 000,804,528 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2010/09/22 18:11:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2010/07/10 20:54:41 | 000,867,080 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/07/20 16:45:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/07/20 16:45:06 | 000,182,808 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/05/23 13:06:08 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/12 17:11:30 | 000,038,464 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
PRC - [2007/03/12 16:02:20 | 000,038,024 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\CAPM3RSK.EXE
PRC - [2007/03/12 15:29:20 | 000,106,128 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE


========== Modules (No Company Name) ==========

MOD - [2009/02/27 16:39:29 | 000,019,968 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.DEU
MOD - [2009/02/27 16:32:27 | 000,020,480 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.FRA
MOD - [2007/07/23 14:04:46 | 000,068,080 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/09/19 19:17:53 | 003,246,040 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2011/04/16 17:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe -- (NIS)
SRV - [2010/12/06 04:56:38 | 000,804,528 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/07/10 20:54:41 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/06 06:06:20 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor8.0)
SRV - [2008/07/20 16:45:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - [2011/09/19 19:17:55 | 000,167,968 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)
DRV - [2011/09/19 19:17:49 | 000,752,128 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm273.sys -- (tdrpman273) Acronis Try&Decide and Restore Points filter (build 273)
DRV - [2011/09/19 19:17:48 | 000,600,928 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2011/09/09 10:44:06 | 000,816,760 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110920.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/09/05 21:10:09 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20110929.019\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/05 21:10:09 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/09/05 21:10:09 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/09/05 21:10:09 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20110929.019\NAVENG.SYS -- (NAVENG)
DRV - [2011/09/03 04:37:14 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110929.031\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/05/02 15:10:13 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/30 20:04:12 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2011/03/30 20:04:12 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2011/03/30 20:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 20:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/21 17:39:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/14 19:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/01/26 23:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS -- (SymDS)
DRV - [2011/01/26 22:07:05 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2011/01/08 23:21:00 | 000,170,528 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/09/30 18:22:08 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2009/05/06 15:28:00 | 000,040,560 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hotcore3.sys -- (hotcore3)
DRV - [2008/08/18 16:03:12 | 000,106,368 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/08/18 15:21:20 | 000,110,080 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/08/18 15:20:06 | 004,752,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/12/03 10:13:48 | 000,011,264 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\diag69xp.sys -- (Diag69xp)
DRV - [2007/11/20 00:14:08 | 000,016,640 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTLVLAN.SYS -- (RTLVLAN)
DRV - [2007/11/20 00:04:50 | 000,008,960 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LANPkt.sys -- (LANPkt)
DRV - [2007/07/23 14:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 14:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 14:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 14:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 14:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 14:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 14:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 14:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 13:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 13:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2003/06/04 00:00:00 | 000,022,976 | ---- | M] (CANON INC.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\CAPM3LP.SYS -- (RapidPortM3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USSMB/1


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/#!/?sk=h
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - No CLSID value found
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\..\URLSearchHook: {26429896-e6d9-49eb-9359-2bb97d8e6f46} - No CLSID value found
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Elaine\Application Data\Move Networks\plugins\npqmp071705000014.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/28 08:43:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPlgn\ [2011/09/28 10:48:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn_2011_7_2_3 [2011/09/29 13:31:29 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SAOB Monitor] C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe -update activex File not found
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe -update activex File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE (CANON INC.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2075131660-835827781-3068924171-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} https://www.plaxo.com/activex/plx_upldr-2k-xp.cab (Plaxo Auto-Import Utility)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BAD6256C-2B74-42E1-970A-9F3354C35D44}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 14:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/08 05:39:19 | 000,000,000 | RH-D | M] - H:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002/10/16 05:56:50 | 000,000,036 | RH-- | M] () - H:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{a5b88550-bbc6-11df-8680-00219b2789b5}\Shell - "" = AutoRun
O33 - MountPoints2\{a5b88550-bbc6-11df-8680-00219b2789b5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a5b88550-bbc6-11df-8680-00219b2789b5}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{ce95d6be-3cf0-11de-8f60-00219b2789b5}\Shell - "" = AutoRun
O33 - MountPoints2\{ce95d6be-3cf0-11de-8f60-00219b2789b5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ce95d6be-3cf0-11de-8f60-00219b2789b5}\Shell\AutoRun\command - "" = H:\LaunchU3.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/29 21:34:41 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
[2011/09/29 13:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/09/24 16:05:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\com.Shutterfly.ExpressUploader
[2011/09/24 16:05:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Shutterfly
[2011/09/24 16:05:44 | 000,000,000 | ---D | C] -- C:\Program Files\Shutterfly
[2011/09/23 22:58:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Rob\Start Menu\Programs\Administrative Tools
[2011/09/23 22:50:22 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Rob\Desktop\dds.scr
[2011/09/22 15:40:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\HPAppData
[2011/09/22 07:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2011/09/20 23:45:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rob\Recent
[2011/09/19 23:17:21 | 000,044,024 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2011/09/19 19:17:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\28B7BC49-47C1-4D49-A43C-1C79C799D47B
[2011/09/19 19:17:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\3D70D7BD-DD73-4F8B-A84F-C3F94A79367F
[2011/09/12 07:28:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Tific
[2011/09/06 04:26:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/09/06 04:26:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/09/05 22:19:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/05 21:49:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\Computer Stuff
[2011/09/05 21:48:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\Family
[2011/09/05 20:52:42 | 000,139,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2011/09/05 20:52:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/09/05 20:52:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/09/05 20:52:03 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2011/09/03 03:17:37 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/29 21:41:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/29 21:34:42 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
[2011/09/29 20:59:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/29 13:30:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/27 23:18:40 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/24 16:05:50 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Shutterfly Express Uploader.lnk
[2011/09/23 22:50:23 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Rob\Desktop\dds.scr
[2011/09/21 21:24:45 | 017,842,681 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\Norton Recent History 20110921.mcf
[2011/09/19 20:20:44 | 000,077,824 | ---- | M] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/19 19:17:55 | 000,167,968 | ---- | M] (Acronis) -- C:\WINDOWS\System32\drivers\afcdp.sys
[2011/09/19 19:17:49 | 000,752,128 | ---- | M] (Acronis) -- C:\WINDOWS\System32\drivers\tdrpm273.sys
[2011/09/19 19:17:48 | 000,600,928 | ---- | M] (Acronis) -- C:\WINDOWS\System32\drivers\timntr.sys
[2011/09/19 19:17:42 | 000,000,866 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acronis True Image Home 2011.lnk
[2011/09/09 02:12:13 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2011/09/06 16:38:49 | 000,024,600 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\NETGEAR_WGR614v10_20110906.cfg
[2011/09/05 22:22:10 | 000,004,210 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\cc_20110905_222205.reg
[2011/09/05 22:19:47 | 000,000,684 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/09/05 22:15:35 | 000,157,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/09/05 22:11:04 | 000,443,218 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/05 22:11:04 | 000,072,358 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/04 21:04:36 | 000,198,071 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\Error msg Win32 and details Sept2011.JPG
[2011/09/04 21:03:18 | 000,171,790 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\Error msg Win32 Sept2011.JPG
[2011/09/04 11:36:20 | 000,016,052 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\cc_20110904_113617.reg
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/24 16:05:50 | 000,000,923 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Shutterfly Express Uploader.lnk
[2011/09/21 21:24:36 | 017,842,681 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\Norton Recent History 20110921.mcf
[2011/09/13 05:42:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/06 16:38:49 | 000,024,600 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\NETGEAR_WGR614v10_20110906.cfg
[2011/09/05 22:22:08 | 000,004,210 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\cc_20110905_222205.reg
[2011/09/05 21:45:40 | 003,298,787 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\OWorshipTheKing.mp3
[2011/09/05 21:45:40 | 000,198,071 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\Error msg Win32 and details Sept2011.JPG
[2011/09/05 21:45:40 | 000,171,790 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\Error msg Win32 Sept2011.JPG
[2011/09/05 21:45:39 | 002,683,924 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\Allegro.mp3
[2011/09/05 21:45:39 | 000,016,052 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\cc_20110904_113617.reg
[2011/01/12 14:00:00 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/07/10 00:20:24 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.ini
[2010/04/28 08:42:57 | 000,023,085 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2009/12/10 21:29:54 | 000,000,023 | ---- | C] () -- C:\WINDOWS\kodakpcd.Rob.ini
[2009/09/20 19:38:52 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Rachel.ini
[2009/08/17 09:21:42 | 000,116,840 | ---- | C] () -- C:\WINDOWS\hpqins00.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/04/07 20:08:15 | 000,147,628 | ---- | C] () -- C:\WINDOWS\hpoins21.dat
[2009/04/07 20:08:15 | 000,008,138 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat
[2009/03/08 21:06:06 | 000,077,824 | ---- | C] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/21 10:26:49 | 002,026,604 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2009/02/21 10:26:49 | 000,442,964 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2009/02/21 10:26:49 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4977.dll
[2009/02/21 10:26:45 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2009/02/21 10:26:12 | 000,001,159 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/02/21 08:53:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/21 08:40:58 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/04/25 14:31:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/25 14:27:18 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/25 14:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 09:16:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 09:16:22 | 000,443,218 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 09:16:22 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 09:16:22 | 000,072,358 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 09:16:22 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 09:16:22 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 09:16:21 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 09:16:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 09:16:18 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 09:16:18 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 09:16:13 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 09:16:11 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/25 02:22:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/25 02:21:52 | 000,157,160 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/12/21 11:13:56 | 000,191,136 | ---- | C] () -- C:\WINDOWS\System32\plx_upldr.dll

< End of report >

OTL Extras logfile created on: 9/29/2011 9:45:07 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Rob\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.97 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 29.01% Memory free
4.80 Gb Paging File | 2.77 Gb Available in Paging File | 57.70% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 126.01 Gb Total Space | 74.53 Gb Free Space | 59.14% Space Free | Partition Type: NTFS
Drive G: | 106.78 Gb Total Space | 2.93 Gb Free Space | 2.75% Space Free | Partition Type: NTFS
Drive H: | 931.51 Gb Total Space | 64.72 Gb Free Space | 6.95% Space Free | Partition Type: NTFS

Computer Name: FAMILYROOM | User Name: Rob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe:*:Enabled:hpqcopy2.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe:*:Enabled:hpofxs08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe:*:Enabled:hpqfxt08.exe -- (TODO: <Company name>)
"C:\Program Files\HP\HP Software Update\hpwucli.exe" = C:\Program Files\HP\HP Software Update\hpwucli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe:*:Enabled:hpqcopy2.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe:*:Enabled:hpofxs08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe:*:Enabled:hpqfxt08.exe -- (TODO: <Company name>)
"C:\Program Files\HP\HP Software Update\hpwucli.exe" = C:\Program Files\HP\HP Software Update\hpwucli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{04A3A6B0-8E19-49BB-82FF-65C5A55F917D}" = Acronis True Image Home 2011
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{17DFE37C-064E-4834-AD8F-A4B2B4DF68F8}" = Adobe Photoshop Elements 8.0
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 19
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{395A57A6-E0E1-C599-3A28-19A96682B4C6}" = Adobe Photoshop.com Inspiration Browser
"{4685A344-6718-4923-AA9D-158A0A2E1CFB}" = SmartSound Quicktracks for Premiere Elements 8.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{63688C0C-441B-B09B-97A3-B059D79A84F7}" = Shutterfly Express Uploader
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{730837D4-FF5E-48DB-BA49-33E732DFF0B3}" = PanoStandAlone
"{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}" = PhotoOne Recovery
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{88253B77-33C9-4A9D-9E4C-4579E39D9158}" = Diagnostics Utility
"{88D68A69-D247-466B-90DD-575F6BE16230}_is1" = CardRecovery 5.30
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{9EDA3DD1-130D-4EE1-A3D2-5A3D795CC8C9}" = MFCLOC
"{A0E583D1-23F7-4C35-9620-B169D7715E4B}" = Adobe Premiere Elements 8.0
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Français, Deutsch
"{AC76BA86-1033-F400-BA7E-000000000004}_946" = Adobe Acrobat 9.4.6 - CPSID_83708
"{AC76BA86-1033-F400-BA7E-000000000004}{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Français, Deutsch
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B34E4B72-37C6-4f79-A5B3-008EEFC6EA8B}" = PS_AIO_02_Software_min
"{B46AC30C-22D2-4610-B041-1DA7BB29EB57}" = HP Photosmart All-In-One Software 9.0
"{B7E5D642-E74E-40a4-B5C7-6AB6EE916814}" = PS_AIO_02_ProductContext
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BAFFEF7F-08B3-45b3-B215-418175C4E9DD}" = c5200_Help
"{BC10649A-983B-494e-AD1F-DE0BF717D701}" = PS_AIO_02_Software
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4F85730-F1E4-11DD-ADEE-005056C00008}" = Paragon Partition Manager™ 10.0 Express
"{C708333C-B1B9-43be-B797-49FEC7A8D15B}" = C5200
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D1E03284-66FD-4292-8239-504CEC5B0CC3}" = C5200_doccd
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 8.0" = Adobe Photoshop Elements 8.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Canon PC1200/iC D700" = Canon PC1200/iC D700
"CCleaner" = CCleaner
"com.Shutterfly.ExpressUploader" = Shutterfly Express Uploader
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPOCR" = HP OCR Software 9.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{4685A344-6718-4923-AA9D-158A0A2E1CFB}" = SmartSound Quicktracks for Premiere Elements 8.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NIS" = Norton Internet Security
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1" = Adobe Photoshop.com Inspiration Browser
"PremElem80" = Adobe Premiere Elements 8.0
"VLC media player" = VLC media player 1.1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/22/2011 1:59:34 AM | Computer Name = FAMILYROOM | Source = Application Error | ID = 1001
Description = Fault bucket -1707785707.

Error - 9/22/2011 6:44:27 PM | Computer Name = FAMILYROOM | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash10t.ocx, version 10.3.181.26, fault address 0x00192c70.

Error - 9/22/2011 6:44:50 PM | Computer Name = FAMILYROOM | Source = Application Error | ID = 1001
Description = Fault bucket -1803922376.

Error - 9/23/2011 1:06:10 AM | Computer Name = FAMILYROOM | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module urlmon.dll, version 8.0.6001.19100, fault address 0x000295f8.

Error - 9/26/2011 8:20:33 PM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 | ID = 5000
Description = EventType officelifeboathang, P1 winword.exe, P2 12.0.6545.5000, P3
ntdll.dll, P4 5.1.2600.6055, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Error - 9/28/2011 2:34:16 AM | Computer Name = FAMILYROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/28/2011 2:34:16 AM | Computer Name = FAMILYROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/28/2011 2:34:16 AM | Computer Name = FAMILYROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/28/2011 2:30:31 PM | Computer Name = FAMILYROOM | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 9/28/2011 5:34:22 PM | Computer Name = FAMILYROOM | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

[ OSession Events ]
Error - 10/30/2009 10:39:54 AM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/30/2009 10:40:13 AM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/30/2009 10:41:47 AM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 85
seconds with 60 seconds of active time. This session ended with a crash.

Error - 10/30/2009 10:44:31 AM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 151
seconds with 120 seconds of active time. This session ended with a crash.

Error - 10/30/2009 10:44:45 AM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/30/2009 10:45:37 AM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 41
seconds with 0 seconds of active time. This session ended with a crash.

Error - 2/21/2010 5:30:08 PM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5192
seconds with 2100 seconds of active time. This session ended with a crash.

Error - 5/29/2010 11:45:55 PM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 38584 seconds with 1860 seconds of active time. This session ended with
a crash.

Error - 2/1/2011 1:59:46 AM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 20675
seconds with 1680 seconds of active time. This session ended with a crash.

Error - 2/26/2011 3:07:47 AM | Computer Name = FAMILYROOM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 5757 seconds with 3900 seconds of active time. This session ended with a
crash.

[ System Events ]
Error - 9/27/2011 4:39:10 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:13 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:13 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:13 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:14 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:14 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:14 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:14 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:14 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 9/27/2011 4:39:14 AM | Computer Name = FAMILYROOM | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058


< End of report >

#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:36 AM

Posted 01 October 2011 - 06:37 AM

Hi-

I am sorry for the delay, but it has been a busy week at work. I reviewed the reports you sent and did not see any infections. We need to do some more looking.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If the AV Scan window appears, select (none).
  • Click Scan (if asked to update the Avast anti-virus definitions, click on No).
  • When you get the "Scan finished successfully" message, click the save log button, save it to your desktop (MBR.txt) and post it in your next reply.
  • It will also copy the MBR (Master Boot Record) into a file on your desktop as MBR.dat.

Also, you Java runtimes are not current. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select your Platform: Windows x86 Offline.
  • Save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java™ 6 Update in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u27-windows-i586.exe to install the newest version.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

In your reply, please copy in the aswMBR report.
Shannon

#5 Purple88

Purple88
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 02 October 2011 - 06:39 PM

Here is the aswMBR.txt log

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-02 16:27:27
-----------------------------
16:27:27.281 OS Version: Windows 5.1.2600 Service Pack 3
16:27:27.281 Number of processors: 2 586 0x170A
16:27:27.281 ComputerName: FAMILYROOM UserName: Rob
16:27:28.359 Initialize success
16:27:58.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
16:27:58.734 Disk 0 Vendor: WDC_WD25 01.0 Size: 238418MB BusType: 3
16:27:58.734 Disk 0 MBR read successfully
16:27:58.734 Disk 0 MBR scan
16:27:58.734 Disk 0 unknown MBR code
16:27:58.734 Disk 0 MBR hidden
16:27:58.750 Disk 0 scanning sectors +488279610
16:27:58.812 Disk 0 scanning C:\WINDOWS\system32\drivers
16:28:03.562 Service scanning
16:28:04.828 Modules scanning
16:28:11.406 Disk 0 trace - called modules:
16:28:11.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8984c4c0]<<
16:28:11.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8acaa030]
16:28:11.406 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x89fc99a0]
16:28:11.406 \Driver\iaStor[0x8a067030] -> IRP_MJ_CREATE -> 0x8984c4c0
16:28:11.406 Scan finished successfully
16:28:38.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Rob\Desktop\Computer debugging Sept2011\MBR.dat"
16:28:38.203 The log file has been saved successfully to "C:\Documents and Settings\Rob\Desktop\Computer debugging Sept2011\aswMBR.txt"


I also looked at the History file and the Quarantine file in Norton Antivirus. It looks like Norton detected and quarantined multiple instances of the following 2 major threats in the past 30 days: Trojan.Gen.2 and Maljava. Hopefully this will help narrow down the search for what is wrong and how to fix it.

Thanks!

#6 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:36 AM

Posted 02 October 2011 - 07:45 PM

Hi-

Thank you for the log and the info. It does show a problem which we need to fix.

First, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.8.0) from Kaspersky's website.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. C:\TDSSKiller.2.5.0_23.07.2010_15.31.43_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
Next, download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virusl


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


In your reply, copy in the contents of the TDSSKiller report and the ComboFix report. How is your computer running now?
Shannon

#7 Purple88

Purple88
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 03 October 2011 - 01:49 AM

Many thanks ... the beast is responding MUCH better now!! Here are the log files from TDSSKiller and Combofix. Please let me know if anything else looks unusual, and thanks, again!


23:07:13.0546 2932 TDSS rootkit removing tool 2.6.3.0 Oct 1 2011 13:14:27
23:07:14.0625 2932 ============================================================
23:07:14.0625 2932 Current date / time: 2011/10/02 23:07:14.0625
23:07:14.0625 2932 SystemInfo:
23:07:14.0625 2932
23:07:14.0625 2932 OS Version: 5.1.2600 ServicePack: 3.0
23:07:14.0625 2932 Product type: Workstation
23:07:14.0625 2932 ComputerName: FAMILYROOM
23:07:14.0625 2932 UserName: Rob
23:07:14.0625 2932 Windows directory: C:\WINDOWS
23:07:14.0625 2932 System windows directory: C:\WINDOWS
23:07:14.0625 2932 Processor architecture: Intel x86
23:07:14.0625 2932 Number of processors: 2
23:07:14.0625 2932 Page size: 0x1000
23:07:14.0625 2932 Boot type: Normal boot
23:07:14.0625 2932 ============================================================
23:07:15.0078 2932 Initialize success
23:07:30.0515 3624 ============================================================
23:07:30.0515 3624 Scan started
23:07:30.0515 3624 Mode: Manual;
23:07:30.0515 3624 ============================================================
23:07:30.0765 3624 Abiosdsk - ok
23:07:30.0812 3624 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
23:07:30.0812 3624 abp480n5 - ok
23:07:30.0843 3624 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:07:30.0843 3624 ACPI - ok
23:07:30.0875 3624 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:07:30.0890 3624 ACPIEC - ok
23:07:30.0937 3624 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
23:07:30.0953 3624 adpu160m - ok
23:07:31.0000 3624 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:07:31.0000 3624 aec - ok
23:07:31.0046 3624 afcdp (53696ad8ffc5fac51949a525ff65a689) C:\WINDOWS\system32\DRIVERS\afcdp.sys
23:07:31.0062 3624 afcdp - ok
23:07:31.0109 3624 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
23:07:31.0109 3624 AFD - ok
23:07:31.0156 3624 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
23:07:31.0156 3624 agp440 - ok
23:07:31.0171 3624 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
23:07:31.0171 3624 agpCPQ - ok
23:07:31.0171 3624 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
23:07:31.0187 3624 Aha154x - ok
23:07:31.0234 3624 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
23:07:31.0234 3624 aic78u2 - ok
23:07:31.0250 3624 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
23:07:31.0250 3624 aic78xx - ok
23:07:31.0265 3624 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
23:07:31.0281 3624 AliIde - ok
23:07:31.0296 3624 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
23:07:31.0296 3624 alim1541 - ok
23:07:31.0312 3624 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
23:07:31.0312 3624 amdagp - ok
23:07:31.0328 3624 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
23:07:31.0328 3624 amsint - ok
23:07:31.0343 3624 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
23:07:31.0343 3624 asc - ok
23:07:31.0359 3624 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
23:07:31.0375 3624 asc3350p - ok
23:07:31.0375 3624 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
23:07:31.0390 3624 asc3550 - ok
23:07:31.0406 3624 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:07:31.0406 3624 AsyncMac - ok
23:07:31.0421 3624 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:07:31.0421 3624 atapi - ok
23:07:31.0437 3624 Atdisk - ok
23:07:31.0453 3624 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:07:31.0453 3624 Atmarpc - ok
23:07:31.0484 3624 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:07:31.0484 3624 audstub - ok
23:07:31.0500 3624 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:07:31.0500 3624 Beep - ok
23:07:31.0703 3624 BHDrvx86 (09b8897ac84c49beabea75cf9fe1ab45) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110920.001\BHDrvx86.sys
23:07:31.0703 3624 BHDrvx86 - ok
23:07:31.0812 3624 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
23:07:31.0812 3624 BVRPMPR5 - ok
23:07:31.0843 3624 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
23:07:31.0843 3624 cbidf - ok
23:07:31.0843 3624 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:07:31.0843 3624 cbidf2k - ok
23:07:31.0859 3624 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
23:07:31.0859 3624 cd20xrnt - ok
23:07:31.0906 3624 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:07:31.0906 3624 Cdaudio - ok
23:07:31.0921 3624 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:07:31.0921 3624 Cdfs - ok
23:07:31.0937 3624 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:07:31.0937 3624 Cdrom - ok
23:07:31.0937 3624 Changer - ok
23:07:31.0984 3624 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
23:07:31.0984 3624 CmdIde - ok
23:07:32.0000 3624 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
23:07:32.0000 3624 Cpqarray - ok
23:07:32.0046 3624 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
23:07:32.0046 3624 dac2w2k - ok
23:07:32.0062 3624 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
23:07:32.0062 3624 dac960nt - ok
23:07:32.0109 3624 Diag69xp (a22d5a027f397e412cbb2d97e8661bff) C:\WINDOWS\system32\Drivers\Diag69xp.sys
23:07:32.0125 3624 Diag69xp - ok
23:07:32.0171 3624 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:07:32.0171 3624 Disk - ok
23:07:32.0203 3624 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
23:07:32.0203 3624 DLABMFSM - ok
23:07:32.0218 3624 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
23:07:32.0218 3624 DLABOIOM - ok
23:07:32.0234 3624 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
23:07:32.0234 3624 DLACDBHM - ok
23:07:32.0234 3624 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
23:07:32.0234 3624 DLADResM - ok
23:07:32.0250 3624 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
23:07:32.0250 3624 DLAIFS_M - ok
23:07:32.0265 3624 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
23:07:32.0265 3624 DLAOPIOM - ok
23:07:32.0265 3624 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
23:07:32.0265 3624 DLAPoolM - ok
23:07:32.0281 3624 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
23:07:32.0281 3624 DLARTL_M - ok
23:07:32.0281 3624 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
23:07:32.0281 3624 DLAUDFAM - ok
23:07:32.0312 3624 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
23:07:32.0328 3624 DLAUDF_M - ok
23:07:32.0359 3624 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:07:32.0375 3624 dmboot - ok
23:07:32.0390 3624 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:07:32.0390 3624 dmio - ok
23:07:32.0390 3624 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:07:32.0406 3624 dmload - ok
23:07:32.0421 3624 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:07:32.0437 3624 DMusic - ok
23:07:32.0468 3624 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
23:07:32.0468 3624 dpti2o - ok
23:07:32.0500 3624 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:07:32.0500 3624 drmkaud - ok
23:07:32.0515 3624 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
23:07:32.0531 3624 DRVMCDB - ok
23:07:32.0562 3624 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
23:07:32.0562 3624 DRVNDDM - ok
23:07:32.0671 3624 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
23:07:32.0687 3624 eeCtrl - ok
23:07:32.0718 3624 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
23:07:32.0718 3624 EraserUtilRebootDrv - ok
23:07:32.0750 3624 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:07:32.0750 3624 Fastfat - ok
23:07:32.0765 3624 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
23:07:32.0765 3624 Fdc - ok
23:07:32.0781 3624 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:07:32.0781 3624 Fips - ok
23:07:32.0796 3624 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
23:07:32.0796 3624 Flpydisk - ok
23:07:32.0828 3624 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
23:07:32.0828 3624 FltMgr - ok
23:07:32.0843 3624 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:07:32.0843 3624 Fs_Rec - ok
23:07:32.0859 3624 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:07:32.0875 3624 Ftdisk - ok
23:07:32.0890 3624 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:07:32.0890 3624 Gpc - ok
23:07:32.0906 3624 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:07:32.0906 3624 HDAudBus - ok
23:07:32.0937 3624 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:07:32.0937 3624 hidusb - ok
23:07:32.0953 3624 hotcore3 (3e71ff34fcc1b757d1f070239c538b43) C:\WINDOWS\system32\DRIVERS\hotcore3.sys
23:07:32.0984 3624 hotcore3 - ok
23:07:33.0015 3624 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
23:07:33.0031 3624 hpn - ok
23:07:33.0062 3624 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
23:07:33.0062 3624 HPZid412 - ok
23:07:33.0093 3624 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
23:07:33.0109 3624 HPZipr12 - ok
23:07:33.0156 3624 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
23:07:33.0156 3624 HPZius12 - ok
23:07:33.0203 3624 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:07:33.0218 3624 HTTP - ok
23:07:33.0250 3624 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
23:07:33.0250 3624 i2omgmt - ok
23:07:33.0265 3624 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
23:07:33.0281 3624 i2omp - ok
23:07:33.0453 3624 ialm (2da364ee62d4949620b6fae4ffea16a7) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
23:07:33.0593 3624 ialm - ok
23:07:33.0625 3624 iaStor (707c1692214b1c290271067197f075f6) C:\WINDOWS\system32\drivers\iaStor.sys
23:07:33.0625 3624 iaStor - ok
23:07:33.0781 3624 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110930.030\IDSxpx86.sys
23:07:33.0781 3624 IDSxpx86 - ok
23:07:33.0828 3624 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:07:33.0828 3624 Imapi - ok
23:07:33.0859 3624 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
23:07:33.0859 3624 ini910u - ok
23:07:33.0984 3624 IntcAzAudAddService (5c8f36cdcb489111b24003af4dfe1fdc) C:\WINDOWS\system32\drivers\RtkHDAud.sys
23:07:34.0031 3624 IntcAzAudAddService - ok
23:07:34.0062 3624 IntcHdmiAddService (c9ef68bee3b1a62f34125a9fbbaac10c) C:\WINDOWS\system32\drivers\IntcHdmi.sys
23:07:34.0078 3624 IntcHdmiAddService - ok
23:07:34.0093 3624 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
23:07:34.0109 3624 IntelIde - ok
23:07:34.0125 3624 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:07:34.0125 3624 intelppm - ok
23:07:34.0156 3624 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
23:07:34.0156 3624 Ip6Fw - ok
23:07:34.0156 3624 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:07:34.0171 3624 IpFilterDriver - ok
23:07:34.0171 3624 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:07:34.0171 3624 IpInIp - ok
23:07:34.0203 3624 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:07:34.0218 3624 IpNat - ok
23:07:34.0218 3624 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:07:34.0218 3624 IPSec - ok
23:07:34.0250 3624 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:07:34.0250 3624 IRENUM - ok
23:07:34.0281 3624 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:07:34.0296 3624 isapnp - ok
23:07:34.0328 3624 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:07:34.0328 3624 Kbdclass - ok
23:07:34.0343 3624 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:07:34.0343 3624 kbdhid - ok
23:07:34.0375 3624 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:07:34.0390 3624 kmixer - ok
23:07:34.0406 3624 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:07:34.0406 3624 KSecDD - ok
23:07:34.0453 3624 LANPkt (8f5795b166cbb50966e29982f8cdb310) C:\WINDOWS\system32\DRIVERS\LANPkt.sys
23:07:34.0453 3624 LANPkt - ok
23:07:34.0453 3624 lbrtfdc - ok
23:07:34.0468 3624 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:07:34.0468 3624 mnmdd - ok
23:07:34.0500 3624 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:07:34.0500 3624 Modem - ok
23:07:34.0515 3624 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:07:34.0515 3624 Mouclass - ok
23:07:34.0531 3624 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:07:34.0546 3624 mouhid - ok
23:07:34.0546 3624 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:07:34.0546 3624 MountMgr - ok
23:07:34.0578 3624 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
23:07:34.0578 3624 mraid35x - ok
23:07:34.0593 3624 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:07:34.0593 3624 MRxDAV - ok
23:07:34.0656 3624 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:07:34.0671 3624 MRxSmb - ok
23:07:34.0671 3624 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:07:34.0687 3624 Msfs - ok
23:07:34.0703 3624 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:07:34.0703 3624 MSKSSRV - ok
23:07:34.0718 3624 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:07:34.0734 3624 MSPCLOCK - ok
23:07:34.0734 3624 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:07:34.0734 3624 MSPQM - ok
23:07:34.0765 3624 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:07:34.0765 3624 mssmbios - ok
23:07:34.0796 3624 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
23:07:34.0812 3624 Mup - ok
23:07:34.0953 3624 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20111002.004\NAVENG.SYS
23:07:34.0953 3624 NAVENG - ok
23:07:34.0984 3624 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20111002.004\NAVEX15.SYS
23:07:35.0000 3624 NAVEX15 - ok
23:07:35.0109 3624 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:07:35.0109 3624 NDIS - ok
23:07:35.0156 3624 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:07:35.0156 3624 NdisTapi - ok
23:07:35.0171 3624 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:07:35.0171 3624 Ndisuio - ok
23:07:35.0203 3624 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:07:35.0203 3624 NdisWan - ok
23:07:35.0250 3624 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
23:07:35.0250 3624 NDProxy - ok
23:07:35.0265 3624 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:07:35.0265 3624 NetBIOS - ok
23:07:35.0281 3624 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:07:35.0281 3624 NetBT - ok
23:07:35.0296 3624 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:07:35.0312 3624 Npfs - ok
23:07:35.0343 3624 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:07:35.0359 3624 Ntfs - ok
23:07:35.0406 3624 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:07:35.0406 3624 Null - ok
23:07:35.0437 3624 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:07:35.0437 3624 NwlnkFlt - ok
23:07:35.0437 3624 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:07:35.0453 3624 NwlnkFwd - ok
23:07:35.0468 3624 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
23:07:35.0484 3624 Parport - ok
23:07:35.0484 3624 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:07:35.0484 3624 PartMgr - ok
23:07:35.0515 3624 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:07:35.0515 3624 ParVdm - ok
23:07:35.0531 3624 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:07:35.0562 3624 PCI - ok
23:07:35.0562 3624 PCIDump - ok
23:07:35.0593 3624 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:07:35.0593 3624 PCIIde - ok
23:07:35.0609 3624 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:07:35.0609 3624 Pcmcia - ok
23:07:35.0609 3624 PDCOMP - ok
23:07:35.0625 3624 PDFRAME - ok
23:07:35.0625 3624 PDRELI - ok
23:07:35.0640 3624 PDRFRAME - ok
23:07:35.0640 3624 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
23:07:35.0640 3624 perc2 - ok
23:07:35.0656 3624 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
23:07:35.0656 3624 perc2hib - ok
23:07:35.0687 3624 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:07:35.0703 3624 PptpMiniport - ok
23:07:35.0703 3624 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:07:35.0703 3624 PSched - ok
23:07:35.0718 3624 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:07:35.0718 3624 Ptilink - ok
23:07:35.0750 3624 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:07:35.0750 3624 PxHelp20 - ok
23:07:35.0765 3624 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
23:07:35.0765 3624 ql1080 - ok
23:07:35.0765 3624 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
23:07:35.0765 3624 Ql10wnt - ok
23:07:35.0781 3624 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
23:07:35.0781 3624 ql12160 - ok
23:07:35.0796 3624 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
23:07:35.0796 3624 ql1240 - ok
23:07:35.0796 3624 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
23:07:35.0796 3624 ql1280 - ok
23:07:35.0843 3624 RapidPortM3 (56cc08d938435f88abff1ecc12bdd5e3) C:\WINDOWS\system32\Drivers\CAPM3LP.SYS
23:07:35.0859 3624 RapidPortM3 - ok
23:07:35.0875 3624 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:07:35.0875 3624 RasAcd - ok
23:07:35.0890 3624 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:07:35.0890 3624 Rasl2tp - ok
23:07:35.0906 3624 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:07:35.0906 3624 RasPppoe - ok
23:07:35.0906 3624 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:07:35.0906 3624 Raspti - ok
23:07:35.0921 3624 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:07:35.0937 3624 Rdbss - ok
23:07:35.0937 3624 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:07:35.0937 3624 RDPCDD - ok
23:07:35.0953 3624 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:07:35.0953 3624 rdpdr - ok
23:07:36.0000 3624 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
23:07:36.0000 3624 RDPWD - ok
23:07:36.0031 3624 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:07:36.0031 3624 redbook - ok
23:07:36.0078 3624 RTLE8023xp (7174f20ad9b7b7878a51ecca03c499c2) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
23:07:36.0093 3624 RTLE8023xp - ok
23:07:36.0125 3624 RTLVLAN (b9ca69921379ea2931c4450fe975bce7) C:\WINDOWS\system32\DRIVERS\RTLVLAN.SYS
23:07:36.0156 3624 RTLVLAN - ok
23:07:36.0187 3624 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:07:36.0187 3624 Secdrv - ok
23:07:36.0203 3624 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:07:36.0203 3624 Serenum - ok
23:07:36.0203 3624 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
23:07:36.0203 3624 Serial - ok
23:07:36.0234 3624 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:07:36.0234 3624 Sfloppy - ok
23:07:36.0250 3624 Simbad - ok
23:07:36.0281 3624 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
23:07:36.0281 3624 sisagp - ok
23:07:36.0312 3624 snapman (eb49860e776ce860dc3cfb9edb1ba517) C:\WINDOWS\system32\DRIVERS\snapman.sys
23:07:36.0328 3624 snapman - ok
23:07:36.0359 3624 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
23:07:36.0359 3624 Sparrow - ok
23:07:36.0390 3624 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:07:36.0406 3624 splitter - ok
23:07:36.0406 3624 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:07:36.0421 3624 sr - ok
23:07:36.0484 3624 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS
23:07:36.0500 3624 SRTSP - ok
23:07:36.0515 3624 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS
23:07:36.0515 3624 SRTSPX - ok
23:07:36.0531 3624 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
23:07:36.0546 3624 Srv - ok
23:07:36.0578 3624 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:07:36.0578 3624 swenum - ok
23:07:36.0625 3624 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:07:36.0625 3624 swmidi - ok
23:07:36.0656 3624 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
23:07:36.0656 3624 symc810 - ok
23:07:36.0671 3624 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
23:07:36.0671 3624 symc8xx - ok
23:07:36.0687 3624 SYMDNS - ok
23:07:36.0734 3624 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS
23:07:36.0734 3624 SymDS - ok
23:07:36.0796 3624 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS
23:07:36.0812 3624 SymEFA - ok
23:07:36.0843 3624 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
23:07:36.0859 3624 SymEvent - ok
23:07:36.0859 3624 SYMFW - ok
23:07:36.0875 3624 SYMIDS - ok
23:07:36.0906 3624 SymIM (94a2459242a6dd0daf3baa99e96784ff) C:\WINDOWS\system32\DRIVERS\SymIM.sys
23:07:36.0906 3624 SymIM - ok
23:07:36.0906 3624 SymIMMP (94a2459242a6dd0daf3baa99e96784ff) C:\WINDOWS\system32\DRIVERS\SymIM.sys
23:07:36.0906 3624 SymIMMP - ok
23:07:36.0968 3624 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS
23:07:36.0968 3624 SymIRON - ok
23:07:36.0968 3624 SYMNDIS - ok
23:07:36.0984 3624 SYMREDRV - ok
23:07:37.0046 3624 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS
23:07:37.0046 3624 SYMTDI - ok
23:07:37.0078 3624 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
23:07:37.0078 3624 sym_hi - ok
23:07:37.0078 3624 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
23:07:37.0078 3624 sym_u3 - ok
23:07:37.0125 3624 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:07:37.0125 3624 sysaudio - ok
23:07:37.0171 3624 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:07:37.0171 3624 Tcpip - ok
23:07:37.0203 3624 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:07:37.0203 3624 TDPIPE - ok
23:07:37.0250 3624 tdrpman273 (431801fcc97034e04a6eff81136578d7) C:\WINDOWS\system32\DRIVERS\tdrpm273.sys
23:07:37.0281 3624 tdrpman273 - ok
23:07:37.0296 3624 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:07:37.0296 3624 TDTCP - ok
23:07:37.0328 3624 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:07:37.0328 3624 TermDD - ok
23:07:37.0375 3624 timounter (a34d7024bb7140ec785c86bc065d4f60) C:\WINDOWS\system32\DRIVERS\timntr.sys
23:07:37.0390 3624 timounter - ok
23:07:37.0437 3624 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
23:07:37.0437 3624 TosIde - ok
23:07:37.0453 3624 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:07:37.0468 3624 Udfs - ok
23:07:37.0468 3624 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
23:07:37.0468 3624 ultra - ok
23:07:37.0500 3624 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:07:37.0515 3624 Update - ok
23:07:37.0546 3624 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:07:37.0546 3624 usbccgp - ok
23:07:37.0562 3624 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:07:37.0562 3624 usbehci - ok
23:07:37.0578 3624 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:07:37.0593 3624 usbhub - ok
23:07:37.0625 3624 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:07:37.0625 3624 usbprint - ok
23:07:37.0656 3624 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:07:37.0656 3624 usbscan - ok
23:07:37.0671 3624 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:07:37.0671 3624 USBSTOR - ok
23:07:37.0687 3624 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:07:37.0687 3624 usbuhci - ok
23:07:37.0750 3624 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:07:37.0750 3624 VgaSave - ok
23:07:37.0781 3624 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
23:07:37.0781 3624 viaagp - ok
23:07:37.0796 3624 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
23:07:37.0796 3624 ViaIde - ok
23:07:37.0828 3624 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:07:37.0828 3624 VolSnap - ok
23:07:37.0859 3624 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:07:37.0875 3624 Wanarp - ok
23:07:37.0875 3624 WDICA - ok
23:07:37.0921 3624 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:07:37.0921 3624 wdmaud - ok
23:07:37.0968 3624 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:07:37.0968 3624 WudfPf - ok
23:07:38.0000 3624 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:07:38.0000 3624 WudfRd - ok
23:07:38.0015 3624 MBR (0x1B8) (5e5d7299afde9ba878d3064c910c4f76) \Device\Harddisk0\DR0
23:07:38.0015 3624 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - infected
23:07:38.0015 3624 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
23:07:38.0015 3624 Boot (0x1200) (6e27ffc2ea639d9bff9594fb57586393) \Device\Harddisk0\DR0\Partition0
23:07:38.0015 3624 \Device\Harddisk0\DR0\Partition0 - ok
23:07:38.0046 3624 Boot (0x1200) (b5283e896bc8d1a285ddd185839f3bb3) \Device\Harddisk0\DR0\Partition1
23:07:38.0046 3624 \Device\Harddisk0\DR0\Partition1 - ok
23:07:38.0046 3624 ============================================================
23:07:38.0046 3624 Scan finished
23:07:38.0046 3624 ============================================================
23:07:38.0046 2836 Detected object count: 1
23:07:38.0046 2836 Actual detected object count: 1
23:07:54.0218 2836 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - will be cured on reboot
23:07:54.0218 2836 \Device\Harddisk0\DR0 - ok
23:07:54.0218 2836 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - User select action: Cure
23:08:03.0906 1240 Deinitialize success


ComboFix 11-10-02.03 - Rob 10/02/2011 23:32:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2294 [GMT -7:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Karen\g2mdlhlpx.exe
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\FBStoolbar.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\d3d9caps.dat
H:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))
.
.
2011-10-02 08:47 . 2011-10-02 08:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-10-02 07:54 . 2011-10-02 07:54 -------- d-----w- c:\documents and settings\Rob\Application Data\236335CB-41D4-4BE3-BF59-C8E48B761770
2011-10-01 20:38 . 2011-10-01 20:38 -------- d-----w- c:\program files\Common Files\Java
2011-10-01 20:38 . 2011-10-01 20:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-01 20:38 . 2011-10-01 20:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-01 06:04 . 2011-10-01 06:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2011-09-29 20:02 . 2011-09-29 20:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-09-24 23:05 . 2011-09-24 23:05 -------- d-----w- c:\documents and settings\Rob\Application Data\com.Shutterfly.ExpressUploader
2011-09-24 23:05 . 2011-10-01 19:04 -------- d-----w- c:\program files\Shutterfly
2011-09-22 22:40 . 2011-09-22 22:40 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-09-22 22:40 . 2011-09-22 22:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2011-09-22 14:02 . 2011-09-22 22:45 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2011-09-22 14:01 . 2011-09-22 14:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2011-09-20 06:17 . 2011-03-31 03:04 44024 ----a-r- c:\windows\system32\drivers\SymIM.sys
2011-09-20 02:17 . 2011-09-20 02:17 -------- d-----w- c:\documents and settings\Rob\Application Data\28B7BC49-47C1-4D49-A43C-1C79C799D47B
2011-09-20 02:17 . 2011-09-20 02:17 -------- d-----w- c:\documents and settings\Rob\Application Data\3D70D7BD-DD73-4F8B-A84F-C3F94A79367F
2011-09-12 14:28 . 2011-09-12 14:28 -------- d-----w- c:\documents and settings\Rob\Application Data\Tific
2011-09-06 04:17 . 2011-09-06 04:17 -------- d-----w- c:\documents and settings\Karen\Local Settings\Application Data\WMTools Downloaded Files
2011-09-06 03:52 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-06 03:52 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 07:54 . 2011-01-09 06:21 167968 ----a-w- c:\windows\system32\drivers\afcdp.sys
2011-10-02 07:54 . 2011-01-09 06:21 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys
2011-10-02 07:54 . 2011-01-09 06:21 600928 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-09-28 06:18 . 2011-06-02 03:58 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 00:00 . 2010-07-10 22:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-25 16:16 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-18 16806912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SAOB Monitor"="c:\program files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe" [2011-09-22 2536760]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-09-23 5550984]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-12-06 390728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Canon PC1200 iC D700 Status Window.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE [2009-3-7 38464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-12-06 11:56 390728 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-08-18 22:19 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAHeadless]
2009-09-06 11:40 615808 ----a-w- c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 18:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 10:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 20:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [11/27/2009 10:15 AM 40560]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/2/2011 3:10 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/2/2011 3:10 PM 744568]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [1/8/2011 11:21 PM 752128]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110920.001\BHDrvx86.sys [9/26/2011 3:24 PM 816760]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/2/2011 3:10 PM 136312]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [1/8/2011 11:21 PM 3246040]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2/21/2009 8:36 AM 8960]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/2/2011 3:10 PM 130008]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [1/8/2011 11:21 PM 167968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2011 9:10 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110930.030\IDSXpx86.sys [9/30/2011 3:17 PM 356280]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2/21/2009 10:26 AM 110080]
S2 RapidPortM3;RapidPortM3;c:\windows\system32\drivers\CAPM3LP.SYS [3/7/2009 11:35 PM 22976]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/6/2009 6:06 AM 169312]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2/21/2009 8:36 AM 11264]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2/21/2009 8:36 AM 16640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-02 23:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
Completion time: 2011-10-02 23:38:15
ComboFix-quarantined-files.txt 2011-10-03 06:38
.
Pre-Run: 87,165,788,160 bytes free
Post-Run: 88,604,749,824 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 67A2BF7E2E3702BE288FF3A8C619912A

#8 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:36 AM

Posted 03 October 2011 - 08:31 AM

Hi-

Glad to hear the computer is running better. We need to check to see what is left to do.

Please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Next, I'd like for you to scan your machine with ESET OnlineScan
  • Hold down Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Finally, get a new OTL scan report.
  • Double click on the Posted Image icon on your desktop.
  • In the Extra Registry Box, check None
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it into your reply:
  • OTL.txt <-- Will be the opened report

In your reply, please copy in the MBAM report, the ESET OnlineScan report(if it produces one), and the new OTL report.
Shannon

#9 Purple88

Purple88
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 04 October 2011 - 02:07 AM

Here are the results from the 3 scans requested.

MBAM Log
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7859

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/3/2011 7:01:33 PM
mbam-log-2011-10-03 (19-01-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 336666
Time elapsed: 41 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Heather\my documents\memory stick items\documents\desktop.exe (Joke.Stressreducer) -> Quarantined and deleted successfully.
c:\documents and settings\Heather\my documents\without launch u3\documents\desktop.exe (Joke.Stressreducer) -> Quarantined and deleted successfully.


*************
THE ESET ONLINE SCAN FOUND ZERO FILES INFECTED SO THERE WAS NO LIST OF FOUND THREATS TO EXPORT.
*************


And finally, here is the OTL.txt log
OTL logfile created on: 10/3/2011 11:56:16 PM - Run 2
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Rob\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.97 Gb Total Physical Memory | 2.21 Gb Available Physical Memory | 74.65% Memory free
4.80 Gb Paging File | 4.17 Gb Available in Paging File | 86.75% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 126.01 Gb Total Space | 82.56 Gb Free Space | 65.52% Space Free | Partition Type: NTFS
Drive G: | 106.78 Gb Total Space | 4.97 Gb Free Space | 4.65% Space Free | Partition Type: NTFS
Drive H: | 931.51 Gb Total Space | 389.31 Gb Free Space | 41.79% Space Free | Partition Type: NTFS

Computer Name: FAMILYROOM | User Name: Rob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/02 00:54:47 | 003,246,040 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2011/09/29 21:34:42 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
PRC - [2011/09/22 20:29:54 | 005,550,984 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2011/09/22 16:00:50 | 002,536,760 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
PRC - [2011/04/16 17:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe
PRC - [2010/12/06 04:56:42 | 000,390,728 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2010/12/06 04:56:38 | 000,804,528 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2010/09/22 18:11:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2008/07/20 16:45:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/07/20 16:45:06 | 000,182,808 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/05/23 13:06:08 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/12 17:11:30 | 000,038,464 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
PRC - [2007/03/12 16:02:20 | 000,038,024 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\CAPM3RSK.EXE
PRC - [2007/03/12 15:29:20 | 000,106,128 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE


========== Modules (No Company Name) ==========

MOD - [2009/02/27 16:39:29 | 000,019,968 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.DEU
MOD - [2009/02/27 16:32:27 | 000,020,480 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.FRA
MOD - [2007/07/23 14:04:46 | 000,068,080 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/10/02 00:54:47 | 003,246,040 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2011/04/16 17:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe -- (NIS)
SRV - [2010/12/06 04:56:38 | 000,804,528 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/07/10 20:54:41 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/06 06:06:20 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor8.0)
SRV - [2008/07/20 16:45:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - [2011/10/02 00:54:50 | 000,167,968 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)
DRV - [2011/10/02 00:54:43 | 000,752,128 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm273.sys -- (tdrpman273) Acronis Try&Decide and Restore Points filter (build 273)
DRV - [2011/10/02 00:54:42 | 000,600,928 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2011/09/29 14:35:11 | 000,816,760 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110929.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/09/05 21:10:09 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20111003.019\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/05 21:10:09 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/09/05 21:10:09 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/09/05 21:10:09 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20111003.019\NAVENG.SYS -- (NAVENG)
DRV - [2011/09/03 04:37:14 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20111001.030\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/05/02 15:10:13 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/30 20:04:12 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2011/03/30 20:04:12 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2011/03/30 20:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 20:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/21 17:39:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/14 19:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/01/26 23:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS -- (SymDS)
DRV - [2011/01/26 22:07:05 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2011/01/08 23:21:00 | 000,170,528 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/09/30 18:22:08 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2009/05/06 15:28:00 | 000,040,560 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hotcore3.sys -- (hotcore3)
DRV - [2008/08/18 16:03:12 | 000,106,368 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/08/18 15:21:20 | 000,110,080 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/08/18 15:20:06 | 004,752,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/12/03 10:13:48 | 000,011,264 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\diag69xp.sys -- (Diag69xp)
DRV - [2007/11/20 00:14:08 | 000,016,640 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTLVLAN.SYS -- (RTLVLAN)
DRV - [2007/11/20 00:04:50 | 000,008,960 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LANPkt.sys -- (LANPkt)
DRV - [2007/07/23 14:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 14:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 14:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 14:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 14:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 14:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 14:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 14:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 13:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 13:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2003/06/04 00:00:00 | 000,022,976 | ---- | M] (CANON INC.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\CAPM3LP.SYS -- (RapidPortM3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USSMB/1


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/sphome.aspx
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Elaine\Application Data\Move Networks\plugins\npqmp071705000014.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/28 08:43:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPlgn\ [2011/09/28 10:48:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn_2011_7_2_3 [2011/10/03 19:03:43 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/10/02 23:37:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SAOB Monitor] C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE (CANON INC.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2075131660-835827781-3068924171-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2075131660-835827781-3068924171-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} https://www.plaxo.com/activex/plx_upldr-2k-xp.cab (Plaxo Auto-Import Utility)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BAD6256C-2B74-42E1-970A-9F3354C35D44}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 14:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/08 05:39:19 | 000,000,000 | R--D | M] - H:\autorun -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/03 23:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/10/03 10:41:51 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/10/02 23:30:36 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/10/02 23:26:04 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/02 23:26:04 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/02 23:26:04 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/02 23:26:04 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/02 23:25:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/10/02 23:25:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/02 23:23:13 | 004,240,182 | R--- | C] (Swearware) -- C:\Documents and Settings\Rob\Desktop\ComboFix.exe
[2011/10/02 16:50:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rob\Recent
[2011/10/02 01:47:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/10/02 00:54:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\236335CB-41D4-4BE3-BF59-C8E48B761770
[2011/10/01 13:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/10/01 13:38:18 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/10/01 13:38:18 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/10/01 13:38:18 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/10/01 13:38:18 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/10/01 13:38:18 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/10/01 11:56:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\Computer debugging Sept2011
[2011/09/30 23:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Identities
[2011/09/29 21:34:41 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
[2011/09/29 13:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/09/24 16:05:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\com.Shutterfly.ExpressUploader
[2011/09/24 16:05:44 | 000,000,000 | ---D | C] -- C:\Program Files\Shutterfly
[2011/09/23 22:58:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Rob\Start Menu\Programs\Administrative Tools
[2011/09/22 15:40:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\HPAppData
[2011/09/22 07:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2011/09/19 23:17:21 | 000,044,024 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2011/09/19 19:17:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\28B7BC49-47C1-4D49-A43C-1C79C799D47B
[2011/09/19 19:17:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\3D70D7BD-DD73-4F8B-A84F-C3F94A79367F
[2011/09/12 07:28:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Tific
[2011/09/06 04:26:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/09/06 04:26:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/09/05 22:19:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/05 21:49:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\Computer Stuff
[2011/09/05 21:48:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\Family
[2011/09/05 20:52:42 | 000,139,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2011/09/05 20:52:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/09/05 20:52:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/09/05 20:52:03 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/03 22:52:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/03 21:27:45 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/03 19:03:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/02 23:37:08 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/10/02 23:30:39 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/10/02 23:23:18 | 004,240,182 | R--- | M] (Swearware) -- C:\Documents and Settings\Rob\Desktop\ComboFix.exe
[2011/10/02 16:45:25 | 000,000,684 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/10/02 00:54:50 | 000,167,968 | ---- | M] (Acronis) -- C:\WINDOWS\System32\drivers\afcdp.sys
[2011/10/02 00:54:43 | 000,752,128 | ---- | M] (Acronis) -- C:\WINDOWS\System32\drivers\tdrpm273.sys
[2011/10/02 00:54:42 | 000,600,928 | ---- | M] (Acronis) -- C:\WINDOWS\System32\drivers\timntr.sys
[2011/10/02 00:54:36 | 000,001,218 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acronis Online Backup.lnk
[2011/10/01 23:49:25 | 000,076,800 | ---- | M] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/01 13:38:09 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/10/01 13:38:09 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/10/01 13:38:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/10/01 13:38:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/10/01 13:38:09 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/09/29 21:34:42 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
[2011/09/27 23:18:40 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/09 02:12:13 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2011/09/06 16:38:49 | 000,024,600 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\NETGEAR_WGR614v10_20110906.cfg
[2011/09/05 22:22:10 | 000,004,210 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\cc_20110905_222205.reg
[2011/09/05 22:15:35 | 000,157,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/09/05 22:11:04 | 000,443,218 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/05 22:11:04 | 000,072,358 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/04 11:36:20 | 000,016,052 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\cc_20110904_113617.reg
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/03 21:27:45 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/02 23:30:39 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/10/02 23:30:37 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/10/02 23:26:04 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/02 23:26:04 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/02 23:26:04 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/10/02 23:26:04 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/10/02 23:26:04 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/10/02 00:54:36 | 000,001,218 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acronis Online Backup.lnk
[2011/09/06 16:38:49 | 000,024,600 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\NETGEAR_WGR614v10_20110906.cfg
[2011/09/05 22:22:08 | 000,004,210 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\cc_20110905_222205.reg
[2011/09/05 21:45:40 | 003,298,787 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\OWorshipTheKing.mp3
[2011/09/05 21:45:39 | 002,683,924 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\Allegro.mp3
[2011/09/05 21:45:39 | 000,016,052 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\cc_20110904_113617.reg
[2011/01/12 14:00:00 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/07/10 00:20:24 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.ini
[2010/04/28 08:42:57 | 000,023,085 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2009/12/10 21:29:54 | 000,000,023 | ---- | C] () -- C:\WINDOWS\kodakpcd.Rob.ini
[2009/09/20 19:38:52 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Rachel.ini
[2009/08/17 09:21:42 | 000,116,840 | ---- | C] () -- C:\WINDOWS\hpqins00.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/04/07 20:08:15 | 000,147,628 | ---- | C] () -- C:\WINDOWS\hpoins21.dat
[2009/04/07 20:08:15 | 000,008,138 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat
[2009/03/08 21:06:06 | 000,076,800 | ---- | C] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/21 10:26:49 | 002,026,604 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2009/02/21 10:26:49 | 000,442,964 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2009/02/21 10:26:49 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4977.dll
[2009/02/21 10:26:45 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2009/02/21 10:26:12 | 000,001,159 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/02/21 08:53:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/21 08:40:58 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/04/25 14:31:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/25 14:27:18 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/25 14:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 09:16:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 09:16:22 | 000,443,218 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 09:16:22 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 09:16:22 | 000,072,358 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 09:16:22 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 09:16:22 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 09:16:21 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 09:16:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 09:16:18 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 09:16:18 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 09:16:13 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 09:16:11 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/25 02:22:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/25 02:21:52 | 000,157,160 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/12/21 11:13:56 | 000,191,136 | ---- | C] () -- C:\WINDOWS\System32\plx_upldr.dll

< End of report >

#10 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:36 AM

Posted 04 October 2011 - 10:12 AM

Hi-

Since it looks like there is nothing else to do, it is time to clear off the tools that we used and for me to leave you with some words of advice.

First, to re-enable your Emulation drivers, double click Defogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • Defogger might ask to reboot the machine - click OK

Next, please set your system to hide all 'hidden' files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.

Next, we will uninstall ComboFix
  • Click on the Start button in your system tray
  • click on Run
  • key in the following in bold type:
    • combofix /Uninstall
  • click on Ok

Then, we should remove the tools we used and we will do that with OTL-
  • Double click on the Posted Image icon on your desktop.
  • Click the "CleanUp" button.
  • Restart your computer when prompted.

You should also remove the aswMBR files (exe, dat, txt) from your desktop.

If you wish to remove the ESET OnlineScan, you will need to go to Start->Settings->Control Panel->Add Remove Programs.

Please take the time to read below to secure your machine and take the necessary steps to keep it clean.

One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are going to sites that you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a pop up appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop ups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a pop up that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period. another recommended, and free, AntiSpyware program is Malwarebytes' Anti-Malware (MBAM).

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Update your Java runtimes regularly

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Download the latest version here - http://java.sun.com/javase/downloads/index.jsp. You want to select the JRE version.
Follow this list and your potential for being infected again will reduce dramatically.

Good Luck!!

Shannon

#11 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:36 AM

Posted 12 October 2011 - 07:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Shannon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users