
Unusual UDP Port 137 activity


  • This topic is locked
28 replies to this topic

#1 ynot2k

  • Members
  • 53 posts

Posted 08 December 2011 - 10:16 AM

Howdy, wondering if anyone can help with this:

Computer in question is Windows 7 Professional x64
We are in a Server 2003 domain environment
Microsoft Security Essentials is installed and up to date with no threats detected

At our company firewall level, we are seeing a lot of requests to seemingly random external IP addresses on UDP port 137 from this and one other computer (my old XP machine). When we first saw this, we blocked all external UDP 137 requests so at this point, there should be no other fallout.
TCPView & netstat show only normal UDP 137 activity for NetBIOS.
There are seemingly no other effects on the computer itself - it is operating normally, no browser redirections, no random popups, etc.

I have run F-Secure online scanner, a full scan from MSE and even CCleaner.
I created a new AD user and logged in as that user and still the problem persisted.
I am currently running Sophos Anti-rootkit and will post the results when complete.

Any suggestions would be more than welcome! Thanks!

graham

Edit: Just added Professional to the operating system

Edited by ynot2k, 08 December 2011 - 10:20 AM.
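One way to confirm and quantify the symptom described above from the firewall side, as an added example that is not code from the original thread: the script parses constructed firewall log lines (the key=value log format, the internal address list and the TEST-NET destination addresses are assumptions) and lists each internal host whose UDP/137 traffic reaches several distinct external addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (syslog-style key=value fields); these lines are
# not from the original thread. 192.168.0.21 and 192.168.0.22 stand in for the two
# workstations the poster describes, 192.168.0.30 for an unaffected host, and the
# TEST-NET addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are placeholders for
# "random external IP addresses" so the sample never names a real host.
SAMPLE_LOG = """\
Dec  8 09:01:12 fw allow proto=udp src=192.168.0.21 sport=137 dst=192.168.0.4 dport=137
Dec  8 09:01:13 fw allow proto=udp src=192.168.0.21 sport=137 dst=203.0.113.17 dport=137
Dec  8 09:01:14 fw allow proto=udp src=192.168.0.21 sport=137 dst=198.51.100.88 dport=137
Dec  8 09:01:15 fw allow proto=udp src=192.168.0.21 sport=137 dst=192.0.2.200 dport=137
Dec  8 09:01:16 fw allow proto=udp src=192.168.0.22 sport=137 dst=203.0.113.5 dport=137
Dec  8 09:01:17 fw allow proto=udp src=192.168.0.22 sport=137 dst=203.0.113.6 dport=137
Dec  8 09:01:18 fw allow proto=udp src=192.168.0.30 sport=137 dst=192.168.0.6 dport=137
Dec  8 09:01:19 fw allow proto=tcp src=192.168.0.21 sport=51234 dst=203.0.113.17 dport=443
Dec  8 09:01:20 fw deny  proto=udp src=192.168.0.22 sport=137 dst=203.0.113.7 dport=137
"""

# The networks this organisation treats as internal (assumed: plain RFC 1918 space).
# An explicit list is used rather than ipaddress's is_private/is_global, because those
# also classify the TEST-NET placeholder ranges as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

LINE_RE = re.compile(
    r"(?P<action>allow|deny)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"sport=(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Extract action/proto/src/sport/dst/dport from one log line, or return
    None if the line does not match the assumed format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_nbns_egress(log_text, min_distinct_dsts=2):
    """Map each internal source host to the sorted list of distinct external
    destinations it sent UDP/137 to, keeping only hosts that reached at least
    min_distinct_dsts of them. Denied flows count too: the attempt is the
    signal, and blocking UDP/137 at the edge (as the poster did) does not stop
    the host from trying."""
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != 137:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            dsts[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


if __name__ == "__main__":
    for src, targets in find_nbns_egress(SAMPLE_LOG).items():
        print(f"{src}: UDP/137 to {len(targets)} external hosts: {', '.join(targets)}")
```

netstat and TCPView show the NetBIOS name service socket bound to UDP 137 whether or not it is sending anything, which is why the outbound queries only stand out in a flow-level view such as the firewall log.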




#2 Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,994 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 09 December 2011 - 04:20 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 ynot2k

  • Topic Starter

  • Members
  • 53 posts

Posted 11 December 2011 - 07:43 PM

Thanks. Sorry for the late reply. I'm back at my desk tomorrow morning @ 9am eastern and will post more then.

Cheers gw

#4 ynot2k

  • Topic Starter

  • Members
  • 53 posts

Posted 12 December 2011 - 09:44 AM

Results of DDS (no GMER run). I have attach.txt but won't post until requested...
Note: I replaced my user name with [USER] in the output.
Thanks


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by [USER] at 9:36:49 on 2011-12-12
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.4078.2194 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Users\[USER]\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\sysWow64\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Free Download Manager: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\[USER]\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: Interfaces\{44BAC334-993F-41AC-BACB-AEBCF87611E6} : NameServer = 192.168.0.4,192.168.0.6
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - No File
BHO-X64: Trend Micro NSC BHO - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [(Default)]
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\[USER]\AppData\Roaming\Mozilla\Firefox\Profiles\hk43gcj1.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\[USER]\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-10-8 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-10-8 13336]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 dkab_device;dkab_device;C:\Windows\system32\DKabcoms.exe -service --> C:\Windows\system32\DKabcoms.exe -service [?]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 Impcd;Impcd;C:\Windows\system32\drivers\Impcd.sys --> C:\Windows\system32\drivers\Impcd.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\E82F.tmp --> C:\Windows\system32\E82F.tmp [?]
S3 netvsc;netvsc;C:\Windows\system32\DRIVERS\netvsc60.sys --> C:\Windows\system32\DRIVERS\netvsc60.sys [?]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 SynthVid;SynthVid;C:\Windows\system32\DRIVERS\VMBusVideoM.sys --> C:\Windows\system32\DRIVERS\VMBusVideoM.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-12-12 14:33:46 -------- d-----w- C:\Users\[USER]\AppData\Local\{0991D2F0-FC3F-451B-9128-117ABB3C488D}
2011-12-12 14:33:36 -------- d-----w- C:\Users\[USER]\AppData\Local\{6C0766D3-A289-418C-9669-9415E6A95FCD}
2011-12-12 14:32:21 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0E6BBBB2-99C2-4ED2-ABCC-3581B1523E6F}\offreg.dll
2011-12-08 15:58:05 -------- d-----w- C:\Users\[USER]\AppData\Roaming\Malwarebytes
2011-12-08 15:57:57 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-08 15:57:54 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-08 15:57:54 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-08 15:05:20 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0E6BBBB2-99C2-4ED2-ABCC-3581B1523E6F}\mpengine.dll
2011-12-08 14:58:53 -------- d-----w- C:\Users\[USER]\AppData\Roaming\f-secure
2011-12-08 14:58:48 -------- d-----w- C:\ProgramData\F-Secure
2011-12-08 14:54:34 6144 ------w- C:\Windows\System32\E82F.tmp
2011-12-08 14:53:34 6144 ------w- C:\Windows\System32\FF95.tmp
2011-12-08 14:53:29 -------- d-----w- C:\Program Files (x86)\Sophos
2011-12-08 14:34:58 -------- d-----w- C:\Users\[USER]\AppData\Local\{D994904E-AD15-416B-80ED-ADD263850E03}
2011-12-08 14:34:49 -------- d-----w- C:\Users\[USER]\AppData\Local\{30672D34-E5F7-4C25-A076-7B2405AE2B5F}
2011-12-07 14:20:43 -------- d-----w- C:\Users\[USER]\AppData\Local\{13917BE8-A863-4F80-9598-EFFDDBBB570D}
2011-12-07 14:20:33 -------- d-----w- C:\Users\[USER]\AppData\Local\{AA82E470-7A2D-4EB7-B948-6DCE4D829D7E}
2011-12-06 20:48:58 -------- d-----w- C:\Program Files (x86)\Common Files\WatchGuard
2011-12-06 19:36:51 -------- d-----w- C:\Users\[USER]\AppData\Roaming\WatchGuard
2011-12-06 19:36:50 -------- d-----w- C:\ProgramData\WatchGuard
2011-12-06 19:36:04 192105 ----a-w- C:\Windows\SysWow64\IssProc.dll
2011-12-06 19:36:04 -------- d-----w- C:\Program Files (x86)\WatchGuard
2011-12-06 14:00:44 -------- d-----w- C:\Users\[USER]\AppData\Local\{A21A6E84-EB80-4C21-94D5-FE0F97CAA1DA}
2011-12-06 14:00:35 -------- d-----w- C:\Users\[USER]\AppData\Local\{8FB4E5A9-81EB-4ECE-BACD-F33B6055498C}
2011-12-05 14:24:49 -------- d-----w- C:\Users\[USER]\AppData\Local\{C7D7F3BF-2A24-46E2-BE24-88A3D364CC1E}
2011-12-05 14:24:38 -------- d-----w- C:\Users\[USER]\AppData\Local\{852115C9-2566-4D89-B8C5-CD50BA97CD65}
2011-12-01 14:20:17 -------- d-----w- C:\Users\[USER]\AppData\Local\{78761CD9-CA11-425A-B611-C9B592324C94}
2011-12-01 14:20:08 -------- d-----w- C:\Users\[USER]\AppData\Local\{CB7F6052-E4E8-4257-9B05-964186D1B588}
2011-11-30 14:07:39 -------- d-----w- C:\Users\[USER]\AppData\Local\{01093AAF-342E-4FD2-8F53-43B12E7842F9}
2011-11-30 14:07:30 -------- d-----w- C:\Users\[USER]\AppData\Local\{EB40A67A-DD48-4E84-953A-5E04F82A87AC}
2011-11-29 18:50:05 -------- d-----w- C:\Users\[USER]\AppData\Local\QuickPar
2011-11-29 18:48:43 -------- d-----w- C:\Program Files (x86)\QuickPar
2011-11-29 14:33:57 -------- d-----w- C:\Users\[USER]\AppData\Local\{F7022CC5-00D4-4776-BFB5-179FE72CD0F1}
2011-11-29 14:33:48 -------- d-----w- C:\Users\[USER]\AppData\Local\{E8AD13C8-9E9C-420E-B6D3-F2F92A143421}
2011-11-28 19:19:10 -------- d-----w- C:\Users\[USER]\AppData\Local\Diagnostics
2011-11-28 14:30:04 -------- d-----w- C:\Users\[USER]\AppData\Local\{7CAD3224-6D1C-4EDA-AC78-2370363FBDFA}
2011-11-28 14:29:48 -------- d-----w- C:\Users\[USER]\AppData\Local\{5AA3A896-8612-4CD6-BFAB-B5C12385CB2E}
2011-11-24 16:32:04 -------- d-----w- C:\Users\[USER]\AppData\Local\{B94EE1D2-2920-423A-BEBB-5B2A89AFABEE}
2011-11-24 16:31:55 -------- d-----w- C:\Users\[USER]\AppData\Local\{4539950D-3626-49B6-904C-7E65B4ED2677}
2011-11-23 19:24:03 -------- d-----w- C:\ProgramData\FreeRIP
2011-11-23 19:24:02 -------- d-----w- C:\Program Files (x86)\FreeRIP3
2011-11-23 19:19:13 -------- d-----w- C:\Users\[USER]\AppData\Roaming\Xilisoft
2011-11-23 19:04:40 -------- d-----w- C:\tmp
2011-11-23 14:17:01 -------- d-----w- C:\Users\[USER]\AppData\Local\{E5FD1C45-0583-43AE-A303-218583AA7846}
2011-11-23 14:16:52 -------- d-----w- C:\Users\[USER]\AppData\Local\{92CEF80E-DC28-4D59-80B6-D4630745C903}
2011-11-22 14:04:08 -------- d-----w- C:\Users\[USER]\AppData\Local\{44FAA83B-4382-4458-8F6C-326E2C08CCD4}
2011-11-22 14:03:57 -------- d-----w- C:\Users\[USER]\AppData\Local\{1A87E367-A7CF-4B47-BA5C-5409E976675C}
2011-11-21 14:32:39 -------- d-----w- C:\Users\[USER]\AppData\Local\{97A42EA5-0DFC-4B48-A0E9-9B24CB11840D}
2011-11-21 14:32:27 -------- d-----w- C:\Users\[USER]\AppData\Local\{0B595A5B-FCC4-4E08-AA35-17B88D2ECF1C}
2011-11-16 14:25:33 -------- d-----w- C:\Users\[USER]\AppData\Local\{3D69A895-92E2-40BB-BE10-7D30568238FF}
2011-11-16 14:25:24 -------- d-----w- C:\Users\[USER]\AppData\Local\{256C2F3B-1063-42B1-8EBF-24DB5CD882CB}
2011-11-15 14:01:37 -------- d-----w- C:\Users\[USER]\AppData\Local\{0764B795-58D2-4D63-93C7-7D97EB70E678}
2011-11-15 14:01:25 -------- d-----w- C:\Users\[USER]\AppData\Local\{4B50ED36-07D7-4E4E-979D-F372FB98DE72}
2011-11-14 14:37:36 -------- d-----w- C:\Users\[USER]\AppData\Local\{05CB5EA0-80E1-4843-A92B-4168BD48A492}
2011-11-14 14:37:26 -------- d-----w- C:\Users\[USER]\AppData\Local\{D52B4D8C-0FE7-4D58-8882-7189F6EF9D87}
.
==================== Find3M ====================
.
2011-11-23 15:17:20 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-08 08:16:14 0 ----a-w- C:\Windows\ativpsrm.bin
2011-10-08 07:54:45 91648 ----a-w- C:\Windows\System32\SetIEInstalledDate.exe
2011-10-08 06:27:43 521448 ----a-w- C:\Windows\System32\deployJava1.dll
2011-10-03 09:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-09-29 04:03:32 3144704 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 9:38:28.92 ===============

#5 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,732 posts
  • Gender:Male

Posted 13 December 2011 - 10:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/431326 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 ynot2k

  • Topic Starter

  • Members
  • 53 posts

Posted 13 December 2011 - 10:45 AM

DDS is up to date.
No GMER (Windows 7 Pro 64-bit).
The detailed issue is still in the original post.
Yes, I do have the Windows installation CD (Dell Vostro).

#7 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania

Posted 15 December 2011 - 09:31 AM

Hello, my name is Elise and I'll assist you with this issue.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#8 ynot2k

  • Topic Starter

  • Members
  • 53 posts

Posted 15 December 2011 - 10:00 AM

Hello Elise, thanks for taking the time to help out. More backstory: I can see from a lot of these scanners that they look at recently added files to the filesystem - I believe my issue goes back a while. The reason being that I migrated from one workstation (XP Pro SP3) about 2 months ago. Both computers are exhibiting the same issue - the network firewall is detecting the same kinds of traffic coming from that machine as well (also hope to get you to help with that one!!!). Note that the computer performance is still fine - no issues to report with regards to sluggishness or any other kinds of unusual behaviours. Thanks again, gw

NOTE: I try to remove any personal information from these logs; here's the basic legend:
[USER] = my user account
[DOMAIN] = the network domain
[DOMAIN CONTROLLER] = the domain controller. All of the machines in here are on roaming profiles in a Win 2003 server environment.

=== OTL.TXT ===

OTL logfile created on: 12/15/2011 9:47:15 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\[USER]\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.98 Gb Total Physical Memory | 2.57 Gb Available Physical Memory | 64.64% Memory free
7.96 Gb Paging File | 5.60 Gb Available in Paging File | 70.37% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452.57 Gb Total Space | 261.52 Gb Free Space | 57.79% Space Free | Partition Type: NTFS
Drive K: | 1396.86 Gb Total Space | 906.42 Gb Free Space | 64.89% Space Free | Partition Type: NTFS
Drive S: | 1396.86 Gb Total Space | 906.42 Gb Free Space | 64.89% Space Free | Partition Type: NTFS
Drive Z: | 1396.86 Gb Total Space | 906.42 Gb Free Space | 64.89% Space Free | Partition Type: NTFS

Computer Name: LEAFS | User Name: [USER] | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/15 09:46:43 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\[USER]\Downloads\OTL.exe
PRC - [2010/11/17 10:35:34 | 000,514,544 | ---- | M] () -- C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2010/09/13 18:32:32 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/09/13 18:32:30 | 000,283,160 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
PRC - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/07 06:16:28 | 000,411,192 | ---- | M] () -- C:\Users\[USER]\AppData\Local\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll
MOD - [2011/12/07 06:16:27 | 003,767,864 | ---- | M] () -- C:\Users\[USER]\AppData\Local\Google\Chrome\Application\16.0.912.63\pdf.dll
MOD - [2011/12/07 06:14:56 | 000,122,952 | ---- | M] () -- C:\Users\[USER]\AppData\Local\Google\Chrome\Application\16.0.912.63\avutil-51.dll
MOD - [2011/12/07 06:14:55 | 000,222,280 | ---- | M] () -- C:\Users\[USER]\AppData\Local\Google\Chrome\Application\16.0.912.63\avformat-53.dll
MOD - [2011/12/07 06:14:53 | 001,746,504 | ---- | M] () -- C:\Users\[USER]\AppData\Local\Google\Chrome\Application\16.0.912.63\avcodec-53.dll
MOD - [2011/10/25 11:42:38 | 000,475,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\60c320dbe033e8ff4830cdc059933f2c\IAStorUtil.ni.dll
MOD - [2011/10/25 11:42:38 | 000,014,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\ebfad289d9759034cd3a887802fadb5b\IAStorCommon.ni.dll
MOD - [2011/10/25 11:06:33 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b2622080e047040fa044dd21a04ff10d\System.Runtime.Remoting.ni.dll
MOD - [2011/10/25 11:06:19 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e592e424a204aafeadbe22b6b31b9db\System.Windows.Forms.ni.dll
MOD - [2011/10/25 11:06:15 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3b2cfd85528a27eb71dc41d8067359a1\System.Drawing.ni.dll
MOD - [2011/10/25 11:06:12 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
MOD - [2011/10/25 11:06:10 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
MOD - [2011/10/25 11:06:03 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d7a64c28cf0c90e6c48af4f7d6f9ed41\WindowsBase.ni.dll
MOD - [2011/10/25 11:06:02 | 007,963,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
MOD - [2011/10/25 11:05:59 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2011/03/16 23:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/12/21 00:15:30 | 001,041,248 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
MOD - [2010/11/24 22:44:02 | 000,375,280 | ---- | M] () -- c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\SQLite352.dll
MOD - [2010/11/17 10:35:34 | 000,514,544 | ---- | M] () -- C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/10/12 14:37:08 | 009,670,656 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe -- (MySQL)
SRV:64bit: - [2011/08/18 14:37:54 | 002,360,048 | ---- | M] (RealVNC Ltd) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV:64bit: - [2011/04/27 16:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 16:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011/01/05 07:57:46 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/11/17 20:14:26 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2006/10/21 12:38:20 | 000,476,568 | ---- | M] ( ) [On_Demand | Stopped] -- C:\Windows\SysNative\DKabcoms.exe -- (dkab_device)
SRV - [2010/11/25 05:34:18 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
SRV - [2010/11/25 05:33:18 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2010/09/13 18:32:32 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel®
SRV - [2010/03/18 16:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2006/10/21 12:38:24 | 000,508,824 | ---- | M] ( ) [On_Demand | Stopped] -- C:\Windows\SysWow64\DKabcoms.exe -- (dkab_device)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/10/08 03:11:23 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/10/08 03:11:23 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/08/18 14:23:40 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vncmirror.sys -- (vncmirror)
DRV:64bit: - [2011/05/12 14:03:12 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\E82F.tmp -- (MEMSWEEP2)
DRV:64bit: - [2011/04/27 14:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2011/01/05 08:37:16 | 008,283,136 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/01/05 07:19:40 | 000,294,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:23:48 | 000,168,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netvsc60.sys -- (netvsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusVideoM.sys -- (SynthVid)
DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/17 17:04:32 | 000,115,216 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2010/10/15 20:28:18 | 000,317,440 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud) Intel®
DRV:64bit: - [2010/09/21 22:59:38 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel®
DRV:64bit: - [2010/09/14 07:24:26 | 000,437,272 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/06/08 07:36:18 | 000,406,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a) Broadcom NetLink ™
DRV:64bit: - [2010/03/19 03:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2010/02/27 10:32:14 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1004336348-813497703-725345543-2607\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/23
IE - HKU\S-1-5-21-1004336348-813497703-725345543-2607\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/23
IE - HKU\S-1-5-21-1004336348-813497703-725345543-2607\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\[USER]\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\[USER]\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/12/13 11:47:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/11/16 11:12:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\[USER]\AppData\Roaming\mozilla\Extensions
[2011/11/16 11:12:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/11/05 01:53:18 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/11/04 22:21:03 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/11/04 22:21:03 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\[USER]\AppData\Local\Google\Chrome\Application\16.0.912.63\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\[USER]\AppData\Local\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\[USER]\AppData\Local\Google\Chrome\Application\16.0.912.63\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Windows Live™ Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\[USER]\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.7.7_0\
CHR - Extension: Angry Birds = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.1.2.1_0\
CHR - Extension: Web Developer = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbameneiokkgbdmiekhjnmfkcnldhhm\0.3.1_0\
CHR - Extension: getResponseHeaders = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmodjaihpladaednpgcbiapepghfbgam\0.0.4_0\
CHR - Extension: DoINeedAJacket? = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\djeoechjlalojlnndahlfbcjojfjibkc\1.1.1_0\
CHR - Extension: Facebook Disconnect = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpepffjfmamnambagiibghpglaidiec\1.2.0_0\
CHR - Extension: FB Photo Zoom = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\elioihkkcdgakfbahdoddophfngopipi\1.1109.26.1_0\
CHR - Extension: REST Console Launcher = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\faceofpmfclkengnkgkgjkcibdbhemoc\4.0.2_0\
CHR - Extension: AdBlock = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.6_0\
CHR - Extension: Windows Media Player Extension for HTML5 = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak\1.0_0\
CHR - Extension: Poppit = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
CHR - Extension: HTTP Response Browser = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgekankhbggjkjpcbhacjgflbacnpljm\0.2_0\
CHR - Extension: Plants vs Zombies = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmcegpfdgcoclcdfkjahiimlikdpnina\1.0.5_0\
CHR - Extension: Auto Refresh Plus = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilipfekkmncanaajkapbpancpelijih\1.8.9.0_0\
CHR - Extension: Sinuous = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\omlmnomieeknagejjojcpdomnbnbchdl\1.0.4_0\

O1 HOSTS File: ([2011/11/07 13:32:27 | 000,000,854 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2:64bit: - BHO: (no name) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - No CLSID value found.
O2 - BHO: (no name) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - No CLSID value found.
O2 - BHO: (Free Download Manager) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll ()
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe (Sonic Solutions)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousMachineGroupPolicy = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousUserGroupPolicy = 0
O7 - HKU\S-1-5-21-1004336348-813497703-725345543-2607\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm ()
O8:64bit: - Extra context menu item: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm ()
O8:64bit: - Extra context menu item: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm ()
O8:64bit: - Extra context menu item: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm ()
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [DOMAIN]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{44BAC334-993F-41AC-BACB-AEBCF87611E6}: NameServer = 192.168.0.4,192.168.0.6
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\tmpx - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\tmpx - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/15 09:13:44 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{77C6CD7C-168E-4A35-8791-9092A5DE1E45}
[2011/12/15 09:13:34 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{92E2DD35-1774-4F99-892A-E6004A4902BA}
[2011/12/15 09:13:30 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Roaming\Apple Computer
[2011/12/14 12:39:45 | 000,096,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/12/14 12:39:45 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/12/14 12:39:44 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2011/12/14 12:39:44 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2011/12/14 12:39:44 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2011/12/14 12:39:44 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2011/12/14 12:39:43 | 002,309,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2011/12/14 12:39:43 | 001,493,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2011/12/14 12:39:43 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2011/12/14 12:39:43 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2011/12/14 12:39:42 | 000,818,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2011/12/14 11:25:38 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2011/12/14 11:25:37 | 000,723,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/12/14 11:25:37 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/12/14 09:08:18 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{BD343727-272E-459C-B6CD-D5165A7C171F}
[2011/12/14 09:08:08 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{7CD82159-DC6E-43D2-96CC-4536335D0832}
[2011/12/13 11:47:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/12/13 11:47:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[2011/12/13 11:47:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2011/12/13 11:47:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Apple
[2011/12/13 11:47:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Apple Software Update
[2011/12/13 11:47:03 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/12/13 11:41:30 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\Apple
[2011/12/13 11:41:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2011/12/13 09:34:29 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{3DD84424-BDCD-4AFF-8DB4-5A756706B327}
[2011/12/13 09:34:20 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{36EF44A7-4DA0-45D8-9692-2FF5381C62FB}
[2011/12/12 09:36:31 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\[USER]\Desktop\dds.scr
[2011/12/12 09:33:46 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{0991D2F0-FC3F-451B-9128-117ABB3C488D}
[2011/12/12 09:33:36 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{6C0766D3-A289-418C-9669-9415E6A95FCD}
[2011/12/08 10:58:05 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Roaming\Malwarebytes
[2011/12/08 10:57:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/08 10:57:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/12/08 10:57:54 | 000,025,416 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/12/08 10:57:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/12/08 09:58:53 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Roaming\f-secure
[2011/12/08 09:58:48 | 000,000,000 | ---D | C] -- C:\ProgramData\F-Secure
[2011/12/08 09:53:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/12/08 09:53:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2011/12/08 09:34:58 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{D994904E-AD15-416B-80ED-ADD263850E03}
[2011/12/08 09:34:49 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{30672D34-E5F7-4C25-A076-7B2405AE2B5F}
[2011/12/07 09:20:43 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{13917BE8-A863-4F80-9598-EFFDDBBB570D}
[2011/12/07 09:20:33 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{AA82E470-7A2D-4EB7-B948-6DCE4D829D7E}
[2011/12/06 15:49:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WatchGuard System Manager 10.2
[2011/12/06 15:48:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\WatchGuard
[2011/12/06 15:48:57 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Roaming\InstallShield Installation Information
[2011/12/06 14:36:51 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Roaming\WatchGuard
[2011/12/06 14:36:51 | 000,000,000 | ---D | C] -- C:\Users\[USER]\Documents\My WatchGuard
[2011/12/06 14:36:50 | 000,000,000 | ---D | C] -- C:\ProgramData\WatchGuard
[2011/12/06 14:36:04 | 000,192,105 | ---- | C] (http://Raz-Soft.com) -- C:\Windows\SysWow64\IssProc.dll
[2011/12/06 14:36:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WatchGuard
[2011/12/06 09:00:44 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{A21A6E84-EB80-4C21-94D5-FE0F97CAA1DA}
[2011/12/06 09:00:35 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{8FB4E5A9-81EB-4ECE-BACD-F33B6055498C}
[2011/12/05 09:24:49 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{C7D7F3BF-2A24-46E2-BE24-88A3D364CC1E}
[2011/12/05 09:24:38 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{852115C9-2566-4D89-B8C5-CD50BA97CD65}
[2011/12/01 09:20:17 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{78761CD9-CA11-425A-B611-C9B592324C94}
[2011/12/01 09:20:08 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{CB7F6052-E4E8-4257-9B05-964186D1B588}
[2011/11/30 09:07:39 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{01093AAF-342E-4FD2-8F53-43B12E7842F9}
[2011/11/30 09:07:30 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{EB40A67A-DD48-4E84-953A-5E04F82A87AC}
[2011/11/29 13:50:05 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\QuickPar
[2011/11/29 13:48:43 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\QuickPar
[2011/11/29 13:48:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickPar
[2011/11/29 13:48:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickPar
[2011/11/29 09:33:57 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{F7022CC5-00D4-4776-BFB5-179FE72CD0F1}
[2011/11/29 09:33:48 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{E8AD13C8-9E9C-420E-B6D3-F2F92A143421}
[2011/11/28 14:19:10 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\Diagnostics
[2011/11/28 09:30:04 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{7CAD3224-6D1C-4EDA-AC78-2370363FBDFA}
[2011/11/28 09:29:48 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{5AA3A896-8612-4CD6-BFAB-B5C12385CB2E}
[2011/11/24 11:32:04 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{B94EE1D2-2920-423A-BEBB-5B2A89AFABEE}
[2011/11/24 11:31:55 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{4539950D-3626-49B6-904C-7E65B4ED2677}
[2011/11/23 14:24:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FreeRIP3
[2011/11/23 14:24:03 | 000,000,000 | ---D | C] -- C:\ProgramData\FreeRIP
[2011/11/23 14:24:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FreeRIP3
[2011/11/23 14:19:13 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Roaming\Xilisoft
[2011/11/23 14:04:40 | 000,000,000 | ---D | C] -- C:\tmp
[2011/11/23 10:16:39 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2011/11/23 09:17:01 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{E5FD1C45-0583-43AE-A303-218583AA7846}
[2011/11/23 09:16:52 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{92CEF80E-DC28-4D59-80B6-D4630745C903}
[2011/11/22 09:04:08 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{44FAA83B-4382-4458-8F6C-326E2C08CCD4}
[2011/11/22 09:03:57 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{1A87E367-A7CF-4B47-BA5C-5409E976675C}
[2011/11/21 09:32:39 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{97A42EA5-0DFC-4B48-A0E9-9B24CB11840D}
[2011/11/21 09:32:27 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{0B595A5B-FCC4-4E08-AA35-17B88D2ECF1C}
[2011/11/16 11:12:47 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\Mozilla
[2011/11/16 11:12:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2011/11/16 09:25:33 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{3D69A895-92E2-40BB-BE10-7D30568238FF}
[2011/11/16 09:25:24 | 000,000,000 | ---D | C] -- C:\Users\[USER]\AppData\Local\{256C2F3B-1063-42B1-8EBF-24DB5CD882CB}
[2011/11/09 14:43:02 | 000,421,888 | ---- | C] ( ) -- C:\Windows\SysWow64\DKabcomm.dll
[2011/11/09 14:43:01 | 000,614,400 | ---- | C] ( ) -- C:\Windows\SysWow64\DKabcomc.dll
[2011/11/09 14:43:01 | 000,508,824 | ---- | C] ( ) -- C:\Windows\SysWow64\DKabcoms.exe
[2011/11/09 14:43:01 | 000,163,840 | ---- | C] ( ) -- C:\Windows\SysWow64\DKabprox.dll
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/15 09:13:17 | 000,001,058 | RHS- | M] () -- C:\Users\[USER]\ntuser.pol
[2011/12/15 09:13:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/15 09:12:56 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-813497703-725345543-2607UA.job
[2011/12/14 17:22:18 | 000,021,312 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/14 17:22:18 | 000,021,312 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/14 17:19:10 | 000,796,950 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/12/14 17:19:10 | 000,677,442 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/12/14 17:19:10 | 000,129,566 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/12/14 17:14:53 | 004,953,008 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/12/14 17:14:26 | 3207,426,048 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/14 14:59:59 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/12/14 14:16:21 | 000,002,012 | -H-- | M] () -- C:\Users\[USER]\Documents\Default.rdp
[2011/12/14 12:07:01 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-813497703-725345543-2607Core.job
[2011/12/12 17:34:16 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2011/12/12 09:36:27 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\[USER]\Desktop\dds.scr
[2011/12/08 15:08:00 | 000,033,338 | ---- | M] () -- C:\Users\[USER]\Documents\MB_200678.pdf
[2011/12/08 11:32:00 | 000,033,597 | ---- | M] () -- C:\Users\[USER]\Documents\TSSC_200676.pdf
[2011/12/08 10:57:58 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/06 13:23:30 | 000,003,009 | ---- | M] () -- C:\Users\[USER]\Documents\mos_tor_600.csv
[2011/11/30 13:56:00 | 000,127,284 | ---- | M] () -- C:\Users\[USER]\Documents\alicia_bumper.jpg
[2011/11/30 11:50:35 | 000,001,456 | ---- | M] () -- C:\Users\[USER]\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/11/29 13:48:43 | 000,001,009 | ---- | M] () -- C:\Users\[USER]\Desktop\QuickPar.lnk
[2011/11/23 14:24:08 | 000,001,492 | ---- | M] () -- C:\ProgramData\ss.ini
[2011/11/23 14:19:00 | 000,000,600 | ---- | M] () -- C:\Users\[USER]\AppData\Local\PUTTY.RND
[2011/11/23 10:17:20 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2011/11/22 12:23:08 | 000,009,125 | ---- | M] () -- C:\Users\[USER]\Desktop\mos_calgary_2011.csv
[2011/11/16 10:20:07 | 000,338,821 | ---- | M] () -- C:\Users\[USER]\Desktop\ssc_xmas_card.jpg
[2011/11/16 09:39:03 | 000,006,136 | ---- | M] () -- C:\Users\[USER]\Desktop\Noname1.html
[2011/11/16 09:33:15 | 000,137,103 | ---- | M] () -- C:\Users\[USER]\Desktop\holiday11_rsvp_600.jpg
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/13 11:41:30 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2011/12/12 17:34:16 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2011/12/12 10:18:47 | 921,307,572 | ---- | C] () -- C:\Users\[USER]\Desktop\Hard Ticket to Hawaii - DivxRipBy RUBrTOE.avi
[2011/12/08 15:08:00 | 000,033,338 | ---- | C] () -- C:\Users\[USER]\Documents\MB_200678.pdf
[2011/12/08 11:32:00 | 000,033,597 | ---- | C] () -- C:\Users\[USER]\Documents\TSSC_200676.pdf
[2011/12/08 10:57:58 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/06 13:23:30 | 000,003,009 | ---- | C] () -- C:\Users\[USER]\Documents\mos_tor_600.csv
[2011/11/30 13:56:00 | 000,127,284 | ---- | C] () -- C:\Users\[USER]\Documents\alicia_bumper.jpg
[2011/11/29 13:48:43 | 000,001,009 | ---- | C] () -- C:\Users\[USER]\Desktop\QuickPar.lnk
[2011/11/23 14:24:08 | 000,001,492 | ---- | C] () -- C:\ProgramData\ss.ini
[2011/11/22 12:23:07 | 000,009,125 | ---- | C] () -- C:\Users\[USER]\Desktop\mos_calgary_2011.csv
[2011/11/16 11:12:45 | 000,001,148 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/11/16 10:18:52 | 000,338,821 | ---- | C] () -- C:\Users\[USER]\Desktop\ssc_xmas_card.jpg
[2011/11/16 09:39:02 | 000,006,136 | ---- | C] () -- C:\Users\[USER]\Desktop\Noname1.html
[2011/11/16 09:33:15 | 000,137,103 | ---- | C] () -- C:\Users\[USER]\Desktop\holiday11_rsvp_600.jpg
[2011/11/07 14:47:48 | 000,001,456 | ---- | C] () -- C:\Users\[USER]\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/11/01 15:58:36 | 000,000,600 | ---- | C] () -- C:\Users\[USER]\AppData\Local\PUTTY.RND
[2011/10/25 10:39:43 | 000,004,022 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/10/08 03:16:14 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/10/08 02:59:54 | 000,002,975 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/02/10 09:33:46 | 000,802,352 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

< End of report >


=== EXTRAS.TXT ===

OTL Extras logfile created on: 12/15/2011 9:47:16 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\[USER]\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.98 Gb Total Physical Memory | 2.57 Gb Available Physical Memory | 64.64% Memory free
7.96 Gb Paging File | 5.60 Gb Available in Paging File | 70.37% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452.57 Gb Total Space | 261.52 Gb Free Space | 57.79% Space Free | Partition Type: NTFS
Drive K: | 1396.86 Gb Total Space | 906.42 Gb Free Space | 64.89% Space Free | Partition Type: NTFS
Drive S: | 1396.86 Gb Total Space | 906.42 Gb Free Space | 64.89% Space Free | Partition Type: NTFS
Drive Z: | 1396.86 Gb Total Space | 906.42 Gb Free Space | 64.89% Space Free | Partition Type: NTFS

Computer Name: LEAFS | User Name: [USER] | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0090A87C-3E0E-43D4-AA71-A71B06563A4A}" = Dell Support Center
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{26A24AE4-039D-4CA4-87B4-2F86416024FF}" = Java™ 6 Update 24 (64-bit)
"{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1" = Media Player Classic - Home Cinema v1.5.2.3456 x64
"{42738DB0-FC3E-4672-A99B-9372F5696E30}" = Microsoft Security Client
"{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64
"{50B4B603-A4C6-4739-AE96-6C76A0F8A388}" = Dell Backup and Recovery Manager
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{6E3D4FFE-9614-4E58-9DE2-F9A036EAD491}" = ATI Catalyst Install Manager
"{83CB95E0-5518-AAC2-9B63-1FDBB4D51263}" = ATI AVIVO64 Codecs
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{925D058B-564A-443A-B4B2-7E90C6432E55}" = Microsoft_VC80_ATL_x86_x64
"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D6DFAD6-09E5-445E-A4B5-A388FEEBD90D}" = RBVirtualFolder64Inst
"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64
"{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64
"{C99B5E76-3EA1-9943-F394-1E9F9EC8B28C}" = ccc-utility64
"{CE2D87BC-6FDE-4052-A236-7789E64279B6}" = MySQL Server 5.5
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
"CCleaner" = CCleaner
"Dell Support Center" = Dell Support Center
"Dell_HostCD" = Dell Software Uninstall
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"RealVNC_is1" = VNC Enterprise Edition E4.6.3
"VNCMirror_is1" = VNC Mirror Driver 1.8.0
"VNCPrinter_is1" = VNC Printer Driver 1.7.0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0B043A05-B07C-9307-8CC8-0C72BC8895E2}" = CCC Help Polish
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{16D6AA4F-959B-306B-0747-CFBEFCC7A0DE}" = CCC Help Greek
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1C1473A1-1A26-4C8F-9548-A52D03066CE7}" = Catalyst Control Center - Branding
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{22076B10-37D9-7B32-AB5D-3F97D9E87E15}" = CCC Help Turkish
"{22813428-038B-8C98-5AF8-22B7EF1B6284}" = CCC Help Spanish
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 29
"{288DB08D-0708-4A94-B055-55B99E39EB62}" = Adobe Creative Suite 5 Master Collection
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{2BDCCC79-2352-1CD6-80D0-1E1948FEF262}" = CCC Help Italian
"{2D162142-12F7-4419-577C-7BB3204F799F}" = CCC Help Chinese Standard
"{2F4FB074-80B6-118F-42AD-27B6F275D884}" = CCC Help Chinese Traditional
"{3250260C-7A95-4632-893B-89657EB5545B}" = PhotoShowExpress
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{374EBC77-5E23-0B63-0B65-136AEFF98C1D}" = CCC Help Danish
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel® Rapid Storage Technology
"{400F29A3-58E9-4848-5BE1-01919F891D44}" = CCC Help Swedish
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.61
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6AFA3415-7B6A-EF20-225A-B1DC627BBAC5}" = CCC Help Korean
"{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}" = Roxio Creator Starter
"{7746BFAA-2B5D-4FFD-A0E8-4558F4668105}" = Roxio Burn
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{81C3E664-CA21-3C4B-312F-54DEB08EF1A5}" = Catalyst Control Center InstallProxy
"{8279F213-ECD0-4C36-A8EC-670FC16218E3}" = CCC Help Dutch
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0409-1000-0000000FF1CE}_Office14.SingleImage_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0116-0409-1000-0000000FF1CE}_Office14.SingleImage_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{9842650A-98C5-A238-AC65-189F80285EBD}" = CCC Help Czech
"{9A00EC4E-27E1-42C4-98DD-662F32AC8870}" = Sonic CinePlayer Decoder Pack
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9F41678D-3934-EBBA-F85C-E1A97DB84407}" = CCC Help Thai
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A121EEDE-C68F-461D-91AA-D48BA226AF1C}" = Roxio Activation Module
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6
"{ADDD9902-3576-7071-1196-24E37F15BB52}" = Catalyst Control Center Localization All
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CA0006CC-FB7D-6358-BF24-3394D509AB9C}" = CCC Help Japanese
"{CA04E3AD-FFAC-0EE9-3605-E9665EC05BF7}" = CCC Help Finnish
"{CCAE8CA3-5C96-FBF2-BD0F-27D4644217D3}" = CCC Help Portuguese
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E0C8AC08-1B2C-AD87-E4CE-9C0A2618807E}" = CCC Help English
"{E4F3A636-92E3-86C4-FA1E-19BC06CBB037}" = CCC Help German
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E5F6575A-7567-9230-2BE0-615A46E5721B}" = CCC Help Russian
"{E9656E99-F59E-F377-DC5F-477047CA4FCF}" = CCC Help French
"{EF56258E-0326-48C5-A86C-3BAC26FC15DF}" = Roxio Creator Starter
"{F06B5C4C-8D2E-4B24-9D43-7A45EEC6C878}" = Roxio Creator Starter
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F16B7D69-784E-C12E-D42B-A1D69A38B752}" = CCC Help Hungarian
"{FB85D440-98E6-B361-1727-DFD81F366943}" = ccc-core-static
"{FC4AAC27-3775-E69E-6DBB-381425D79A94}" = CCC Help Norwegian
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"EditPlus 3" = EditPlus 3
"Free Download Manager_is1" = Free Download Manager 3.8 RC1
"GrabIt_is1" = GrabIt 1.7.2 Beta 6 (build 1008)
"HeidiSQL_is1" = HeidiSQL 6.0
"ImgBurn" = ImgBurn
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"Office14.SingleImage" = Microsoft Office Home and Business 2010
"PocketKnife Peek_is1" = PocketKnife Peek 2.0
"QuickPar" = QuickPar 0.9
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.20
"uTorrent" = Torrent
"WinLiveSuite" = Windows Live Essentials
"WinX DVD Ripper_is1" = WinX DVD Ripper 5.5.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1004336348-813497703-725345543-2607\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{76ECC988-523D-47E7-ABAA-CEA9EF96EB24}" = WatchGuard System Manager 10.2
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/4/2011 2:09:47 PM | Computer Name = LEAFS.[DOMAIN] | Source = WinMgmt | ID = 10
Description =

Error - 11/7/2011 10:20:18 AM | Computer Name = LEAFS.[DOMAIN] | Source = Microsoft-Windows-Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Music" to "\\[DOMAIN CONTROLLER]\private\[USER]\My
Music". Redirection options=0x80009210. The following error occurred: "Can not
create folder "\\[DOMAIN CONTROLLER]\private\[USER]\My Music"". Error details: "This security
ID may not be assigned as the owner of this object. ".

Error - 11/7/2011 10:20:18 AM | Computer Name = LEAFS.[DOMAIN] | Source = Microsoft-Windows-Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Documents" to "\\[DOMAIN CONTROLLER]\private\[USER]\".

Redirection options=0x80009210. The following error occurred: "Can not create folder
"\\[DOMAIN CONTROLLER]\private\[USER]"". Error details: "This security ID may not be assigned
as the owner of this object. ".

Error - 11/7/2011 11:08:51 AM | Computer Name = LEAFS.[DOMAIN] | Source = Microsoft-Windows-Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Music" to "\\[DOMAIN CONTROLLER]\private\[USER]\My
Music". Redirection options=0x80009210. The following error occurred: "Can not
create folder "\\[DOMAIN CONTROLLER]\private\[USER]\My Music"". Error details: "This security
ID may not be assigned as the owner of this object. ".

Error - 11/7/2011 11:08:51 AM | Computer Name = LEAFS.[DOMAIN] | Source = Microsoft-Windows-Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Documents" to "\\[DOMAIN CONTROLLER]\private\[USER]\".

Redirection options=0x80009210. The following error occurred: "Can not create folder
"\\[DOMAIN CONTROLLER]\private\[USER]"". Error details: "This security ID may not be assigned
as the owner of this object. ".

Error - 11/7/2011 11:10:24 AM | Computer Name = LEAFS.[DOMAIN] | Source = WinMgmt | ID = 10
Description =

Error - 11/7/2011 1:20:53 PM | Computer Name = LEAFS.[DOMAIN] | Source = SideBySide | ID = 16842824
Description = Activation context generation failed for "c:\program files\microsoft
security client\MSESysprep.dll".Error in manifest or policy file "c:\program files\microsoft
security client\MSESysprep.dll" on line 10. The element imaging appears as a child
of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by
this version of Windows.

Error - 11/7/2011 6:28:18 PM | Computer Name = LEAFS.[DOMAIN] | Source = WinMgmt | ID = 10
Description =

Error - 11/8/2011 9:52:28 AM | Computer Name = LEAFS.[DOMAIN] | Source = Microsoft-Windows-Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Music" to "\\[DOMAIN CONTROLLER]\private\[USER]\My
Music". Redirection options=0x80009210. The following error occurred: "Can not
create folder "\\[DOMAIN CONTROLLER]\private\[USER]\My Music"". Error details: "This security
ID may not be assigned as the owner of this object. ".

Error - 11/8/2011 9:52:28 AM | Computer Name = LEAFS.[DOMAIN] | Source = Microsoft-Windows-Folder Redirection | ID = 502
Description = Failed to apply policy and redirect folder "Documents" to "\\[DOMAIN CONTROLLER]\private\[USER]\".

Redirection options=0x80009210. The following error occurred: "Can not create folder
"\\[DOMAIN CONTROLLER]\private\[USER]"". Error details: "This security ID may not be assigned
as the owner of this object. ".

[ System Events ]
Error - 12/8/2011 11:56:51 AM | Computer Name = LEAFS.[DOMAIN] | Source = Service Control Manager | ID = 7000
Description = The MEMSWEEP2 service failed to start due to the following error:
%%1275

Error - 12/8/2011 11:56:51 AM | Computer Name = LEAFS.[DOMAIN] | Source = Application Popup | ID = 1060
Description = \??\C:\Windows\system32\E82F.tmp has been blocked from loading due
to incompatibility with this system. Please contact your software vendor for a
compatible version of the driver.

Error - 12/8/2011 11:56:51 AM | Computer Name = LEAFS.[DOMAIN] | Source = Service Control Manager | ID = 7000
Description = The MEMSWEEP2 service failed to start due to the following error:
%%1275

Error - 12/8/2011 12:42:07 PM | Computer Name = LEAFS.[DOMAIN] | Source = BROWSER | ID = 8032
Description =

Error - 12/12/2011 10:34:39 AM | Computer Name = LEAFS.[DOMAIN] | Source = BROWSER | ID = 8032
Description =

Error - 12/12/2011 1:15:55 PM | Computer Name = LEAFS.[DOMAIN] | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
is 10.

Error - 12/12/2011 1:15:55 PM | Computer Name = LEAFS.[DOMAIN] | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
is 10.

Error - 12/13/2011 1:46:59 PM | Computer Name = LEAFS.[DOMAIN] | Source = BROWSER | ID = 8032
Description =

Error - 12/13/2011 5:36:59 PM | Computer Name = LEAFS.[DOMAIN] | Source = BROWSER | ID = 8032
Description =

Error - 12/14/2011 10:10:30 AM | Computer Name = LEAFS.[DOMAIN] | Source = BROWSER | ID = 8032
Description =


< End of report >

#9 ynot2k

ynot2k
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 15 December 2011 - 10:04 AM

I should also note that I disabled MS Security Essentials real-time protection for this scan.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:39 PM

Posted 15 December 2011 - 10:20 AM

I see no malware in your logs. Was the UDP port open (this should never be the case)?

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Download TCPView from http://live.sysinternals.com/tcpview.exe

Once the file is downloaded, double-click on it to execute the program.

When the program starts, click on the Options menu option and uncheck Resolve addresses.

Then click on the File menu option and select Save as....

A window will open asking where you would like to save the log file. Save it to your desktop as tcpview.txt

Please post its contents in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 ynot2k
  • Topic Starter

Posted 15 December 2011 - 10:41 AM

Hello Elise - is it possible to send you the logs privately from now on? I would just like to send you some screen grabs. Thanks.

#12 Elise

Posted 15 December 2011 - 10:59 AM

You can upload them to my channel if you want: http://www.bleepingcomputer.com/submit-malware.php?channel=105

However, be aware that help is only offered using the forums. If information is too confidential, it really is not recommended to look for help on a forum, but rather to hire a professional who is used to dealing with that kind of situation.

regards, Elise




#13 ynot2k
  • Topic Starter

Posted 15 December 2011 - 11:07 AM

OK thanks, I posted a screen grab to your channel. Here is TCPView:

[System Process] 0 TCP 192.168.0.226 2869 192.168.0.10 4172 TIME_WAIT
[System Process] 0 TCP 192.168.0.226 58724 192.168.0.7 135 TIME_WAIT
[System Process] 0 TCP 192.168.0.226 58725 192.168.0.7 1025 TIME_WAIT
[System Process] 0 TCP 192.168.0.226 58727 192.168.0.51 80 TIME_WAIT
[System Process] 0 TCP 192.168.0.226 58728 192.168.0.10 49153 TIME_WAIT
[System Process] 0 TCP 192.168.0.226 58730 192.168.0.10 49153 TIME_WAIT
[System Process] 0 TCP 192.168.0.226 58732 192.168.0.7 139 TIME_WAIT
[System Process] 0 TCP 192.168.0.226 58734 192.168.0.10 49153 TIME_WAIT
[System Process] 0 TCP 192.168.0.226 58742 192.168.0.10 49152 TIME_WAIT
System 4 UDP 192.168.0.226 137 * * 146 7,300 11 550 400 8
System 4 UDP 192.168.0.226 138 * *
System 4 TCPV6 [0:0:0:0:0:0:0:0] 445 [0:0:0:0:0:0:0:0] 0 LISTENING
System 4 TCPV6 [0:0:0:0:0:0:0:0] 2869 [0:0:0:0:0:0:0:0] 0 LISTENING
System 4 TCP 192.168.0.226 139 0.0.0.0 0 LISTENING
System 4 TCP 192.168.0.226 57246 192.168.0.200 445 ESTABLISHED
System 4 TCP 0.0.0.0 445 0.0.0.0 0 LISTENING
System 4 TCP 0.0.0.0 2869 0.0.0.0 0 LISTENING
svchost.exe 364 UDPV6 [fe80:0:0:0:682a:6ab5:7153:5f25] 546 * *
svchost.exe 364 TCPV6 [0:0:0:0:0:0:0:0] 49153 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 364 TCP 0.0.0.0 49153 0.0.0.0 0 LISTENING
wininit.exe 532 TCPV6 [0:0:0:0:0:0:0:0] 49152 [0:0:0:0:0:0:0:0] 0 LISTENING
wininit.exe 532 TCP 0.0.0.0 49152 0.0.0.0 0 LISTENING
services.exe 648 TCPV6 [0:0:0:0:0:0:0:0] 49172 [0:0:0:0:0:0:0:0] 0 LISTENING
services.exe 648 TCP 0.0.0.0 49172 0.0.0.0 0 LISTENING
lsass.exe 664 UDP 127.0.0.1 53553 * *
lsass.exe 664 TCPV6 [0:0:0:0:0:0:0:0] 49175 [0:0:0:0:0:0:0:0] 0 LISTENING
lsass.exe 664 TCP 0.0.0.0 49175 0.0.0.0 0 LISTENING
svchost.exe 836 UDP 127.0.0.1 49855 * *
svchost.exe 836 TCPV6 [0:0:0:0:0:0:0:0] 49154 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 836 TCP 0.0.0.0 49154 0.0.0.0 0 LISTENING
svchost.exe 852 TCPV6 [0:0:0:0:0:0:0:0] 135 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 852 TCP 0.0.0.0 135 0.0.0.0 0 LISTENING
svchost.exe 1272 UDPV6 [0:0:0:0:0:0:0:0] 123 * *
svchost.exe 1272 UDP 0.0.0.0 123 * *
svchost.exe 1360 UDPV6 [0:0:0:0:0:0:0:0] 5355 * *
svchost.exe 1360 UDP 0.0.0.0 5355 * *
svchost.exe 1360 UDP 127.0.0.1 53556 * *
svchost.exe 1360 UDP 0.0.0.0 56404 * * 2 90 1 45 45 45 1 1
spoolsv.exe 1480 UDP 0.0.0.0 57542 * *
spoolsv.exe 1480 UDP 127.0.0.1 60969 * *
spoolsv.exe 1480 TCPV6 [0:0:0:0:0:0:0:0] 57134 [0:0:0:0:0:0:0:0] 0 LISTENING
spoolsv.exe 1480 TCP 0.0.0.0 57134 0.0.0.0 0 LISTENING
mysqld.exe 1656 TCPV6 [0:0:0:0:0:0:0:0] 3306 [0:0:0:0:0:0:0:0] 0 LISTENING
mysqld.exe 1656 TCP 0.0.0.0 3306 0.0.0.0 0 LISTENING
winvnc4.exe 1888 TCPV6 [0:0:0:0:0:0:0:0] 5826 [0:0:0:0:0:0:0:0] 0 LISTENING
winvnc4.exe 1888 TCPV6 [0:0:0:0:0:0:0:0] 5926 [0:0:0:0:0:0:0:0] 0 LISTENING
winvnc4.exe 1888 TCP 0.0.0.0 5826 0.0.0.0 0 LISTENING
winvnc4.exe 1888 TCP 0.0.0.0 5926 0.0.0.0 0 LISTENING
svchost.exe 2900 UDPV6 [0:0:0:0:0:0:0:1] 1900 * * 7 819
svchost.exe 2900 UDPV6 [fe80:0:0:0:682a:6ab5:7153:5f25] 1900 * *
svchost.exe 2900 UDPV6 [fe80:0:0:0:682a:6ab5:7153:5f25] 60827 * *
svchost.exe 2900 UDPV6 [0:0:0:0:0:0:0:1] 60828 * *
svchost.exe 2900 UDP 127.0.0.1 1900 * * 1 117
svchost.exe 2900 UDP 192.168.0.226 1900 * *
svchost.exe 2900 UDP 192.168.0.226 60829 * *
svchost.exe 2900 UDP 127.0.0.1 60830 * *
fsm.exe 4560 TCP 192.168.0.226 58753 192.168.0.1 4117 ESTABLISHED 5 594 150 125,947
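The TCPView procedure Elise gave above produces a tcpview.txt in the row layout posted here. As an added example that is not part of the thread, the following Python script reviews such an export for the three things worth checking first: NetBIOS sockets on UDP 137/138, services listening on every interface, and any peer outside the RFC 1918 ranges. The row regex, the column layout and the `example.exe` row with the 203.0.113.7 peer are my own assumptions and a constructed sample, not output from the machine in this thread.

```python
import ipaddress
import re

# One TCPView "Save as" row, as posted in the thread: process, PID, protocol,
# local addr/port, remote addr/port, optional TCP state, optional counters.
ROW = re.compile(
    r"^(?P<proc>.+?)\s+(?P<pid>\d+)\s+(?P<proto>TCPV6|UDPV6|TCP|UDP)\s+"
    r"(?P<laddr>\S+)\s+(?P<lport>\d+)\s+(?P<raddr>\S+)\s+(?P<rport>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?")
NETBIOS_UDP = {137, 138}  # NetBIOS name service and datagram service
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def to_ip(addr):
    return ipaddress.ip_address(addr.strip("[]"))  # TCPView brackets IPv6

def is_local(addr: str) -> bool:
    """Wildcard, loopback, link-local and RFC 1918 / ULA peers count as local."""
    if addr == "*":  # UDP rows carry no remote address at all
        return True
    ip = to_ip(addr)
    return (ip.is_unspecified or ip.is_loopback or ip.is_link_local
            or any(ip in net for net in PRIVATE_NETS))

def parse_tcpview(text: str) -> list[dict[str, str]]:
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def review(text: str) -> dict[str, list[str]]:
    """Sort rows into the three things a responder checks first."""
    out = {"netbios_bind": [], "wildcard_listen": [], "external_peer": []}
    for r in parse_tcpview(text):
        tag = f"{r['proc']}[{r['pid']}] {r['proto']} {r['laddr']}:{r['lport']}"
        if r["proto"].startswith("UDP") and int(r["lport"]) in NETBIOS_UDP:
            out["netbios_bind"].append(tag)  # NetBIOS is live on this interface
        if r["state"] == "LISTENING" and to_ip(r["laddr"]).is_unspecified:
            out["wildcard_listen"].append(tag)  # reachable on every interface
        if not is_local(r["raddr"]):  # peer outside the LAN
            out["external_peer"].append(f"{tag} -> {r['raddr']}:{r['rport']}")
    return out

# Constructed sample: rows copied from the thread plus one made-up external peer.
SAMPLE = """\
System 4 UDP 192.168.0.226 137 * * 146 7,300 11 550 400 8
System 4 TCP 0.0.0.0 445 0.0.0.0 0 LISTENING
winvnc4.exe 1888 TCP 0.0.0.0 5926 0.0.0.0 0 LISTENING
svchost.exe 2900 UDPV6 [0:0:0:0:0:0:0:1] 1900 * * 7 819
fsm.exe 4560 TCP 192.168.0.226 58753 192.168.0.1 4117 ESTABLISHED 5 594 150 125,947
example.exe 4242 TCP 192.168.0.226 58800 203.0.113.7 443 ESTABLISHED
"""
```

Note that TCPView's UDP rows carry no remote address, so the external destinations the firewall logged for UDP 137 will not appear in this export at all; the firewall log or a packet capture on the host is where those show up.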

#14 Elise

Posted 15 December 2011 - 11:21 AM

This kind of connection is seen when you have the following service enabled: Peer Name Resolution Protocol.

You can disable this service, but you might need it for your network (you can simply try this and re-enable it if necessary).

regards, Elise




#15 ynot2k
  • Topic Starter

Posted 15 December 2011 - 11:24 AM

That service is currently not running on my machine. It is set to manual. I will disable it, but doubtful it will do anything...



