
Win7Antispyware leftover fix


This topic is locked
19 replies to this topic

#1 AndyButler (Members, 11 posts)

Posted 19 December 2011 - 04:00 PM

Hi, I need help getting rid of some trojan/malware remains. Malwarebytes and TDSSKiller don't find anything but I am still getting Internet Explorer redirects, Windows Firewall turned off & will not turn on, and I need help because it looks like I may have a rootkit hiding somewhere. I have included my DDS files. Also Avast is showing a lot of "malicious URL blocked" messages and the process is C:\Windows\System32\ping.exe. I have ESET, MBAM, SAS & HijackThis logs. I have ComboFix, aswMBR & MiniToolBox downloaded & ready to run but don't want to use them without your direction. I have Windows 7 32-bit. Thanks!

Edited by AndyButler, 20 December 2011 - 12:25 PM.



#2 AndyButler (Topic Starter)

Posted 20 December 2011 - 07:23 PM

Update: running ESET fixed the redirects but I wonder if I still have the rootkit. ESET said I had a variant of the Win32/Sirefef.DN trojan.

#3 SweetTech (Agent ST, Members, 13,421 posts)

Posted 23 December 2011 - 03:49 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

It looks like you have/had an infection known as ZAccess.

Please heed this warning:


One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
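An added triage helper, not part of this thread and not part of OTL itself: a small Python parser over an OTL.txt report that pulls out the lines a helper reads first when a log like the one requested above comes back. It flags services and drivers that are registered but have no binary on disk, O-lines whose registry entry points at a missing file, a missing hosts file, and Internet Explorer proxy settings (an explicit proxy or an AutoConfigURL script, both of which can redirect browsing). The sample input is a constructed, condensed extract of the OTL.txt posted later in this thread; the section codes (SRV, DRV, O10, O20, O28) and the "File not found" marker are OTL's own.

```python
import re
from collections import Counter

# Constructed sample input: a condensed extract of the OTL.txt posted in this thread,
# reduced to a handful of real entries so the script runs stand-alone.
SAMPLE_OTL = r"""
========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (XMLProvS)
SRV - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Unknown | Running] -- -- (SASKUTIL)
DRV - [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)

========== Internet Explorer ==========

IE - HKU\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxy.kodak.com:81/proxy.pac

Hosts file not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL File not found
"""

# "SRV - File not found [Auto | Stopped] -- -- (Name)" : a service/driver with no binary
MISSING_SVC_RE = re.compile(r"^(SRV|DRV) - File not found \[([^\]]+)\] -- -- \(([^)]+)\)$")
# 'IE - <hive path>: "Key" = value' : per-user Internet Settings values
IE_SETTING_RE = re.compile(r'^IE - (.+?): "(\w+)" = (.*)$')
# "O10 - ..." HijackThis-style numbered entries
O_LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_otl(text):
    """Return a list of findings (dicts) for the lines an analyst reads first."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISSING_SVC_RE.match(line)
        if m:
            kind, flags, name = m.groups()
            state = flags.split(" | ")[-1]  # last flag is the run state: Stopped/Running/Unknown
            findings.append({"kind": kind, "name": name, "state": state,
                             "issue": "service or driver registered but binary missing"})
            continue
        m = IE_SETTING_RE.match(line)
        if m:
            hive, key, value = m.groups()
            if key == "AutoConfigURL" and value.strip():
                findings.append({"kind": "IE", "name": key, "state": hive,
                                 "issue": "proxy auto-config script set: " + value.strip()})
            elif key == "ProxyEnable" and value.strip() != "0":
                findings.append({"kind": "IE", "name": key, "state": hive,
                                 "issue": "explicit proxy enabled"})
            continue
        if line == "Hosts file not found":
            findings.append({"kind": "HOSTS", "name": "hosts", "state": "",
                             "issue": "hosts file missing (deleted or hidden)"})
            continue
        m = O_LINE_RE.match(line)
        if m and line.endswith("File not found"):
            detail = m.group(2)[:-len("File not found")].rstrip(" -")
            findings.append({"kind": m.group(1), "name": detail, "state": "",
                             "issue": "registry entry points at a missing file"})
    return findings


def summarize(findings):
    """Count findings per OTL section code (SRV, DRV, IE, HOSTS, O10, ...)."""
    return dict(Counter(f["kind"] for f in findings))


def running_without_file(findings):
    """Names OTL reports as Running although it found no file on disk.

    A rootkit hiding its own driver looks exactly like this; so does a
    half-uninstalled security product, so the name is checked, not assumed."""
    return sorted(f["name"] for f in findings
                  if f["kind"] in ("SRV", "DRV") and f["state"] == "Running")


def orphaned_lsp_entries(findings):
    """Winsock Protocol_Catalog9 (LSP) entries whose DLL OTL could not locate."""
    return [f["name"] for f in findings
            if f["kind"] == "O10" and "Protocol_Catalog9" in f["name"]]


if __name__ == "__main__":
    found = parse_otl(SAMPLE_OTL)
    for f in found:
        print("{kind:5} {name:<60} {issue}".format(**f))
    print(summarize(found))
    print("running with no file:", running_without_file(found))
```

OTL's "File not found" is a lead, not a verdict. It appears just as readily for a product removed without cleaning up after itself (the SAS* entries in this log match SUPERAntiSpyware, which the poster says he ran) as for malware, and a kernel driver shown Running with no file on disk is exactly the case the GMER scan requested above is meant to settle before anything is deleted. Orphaned Protocol_Catalog9 entries are worth listing separately because a broken Winsock LSP chain breaks networking outright; `netsh winsock reset` rebuilds the catalog, but as the helper says, nothing should be changed until the logs have been reviewed.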


#4 AndyButler (Topic Starter)

Posted 23 December 2011 - 12:19 PM

Running tools now... will post logs when finished.

OTL logfile created on: 12/23/2011 12:21:41 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 64.71% Memory free
6.50 Gb Paging File | 5.22 Gb Available in Paging File | 80.35% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 131.54 Gb Free Space | 44.13% Space Free | Partition Type: NTFS

Computer Name: BUTLER-PC | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/23 09:57:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
PRC - [2011/11/28 13:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/07/16 22:21:04 | 000,302,592 | ---- | M] () -- C:\Users\ADMINI~1\AppData\Local\Temp\Rar$EX00.725\gmer.exe
PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/01/16 16:04:04 | 000,803,432 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
PRC - [2011/01/16 15:13:52 | 000,378,984 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2010/11/20 07:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/10/26 14:46:54 | 001,458,176 | ---- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2007/04/16 07:18:04 | 000,099,840 | ---- | M] (a la mode, inc.) -- C:\Program Files\a la mode\Sched\eSched.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/12 14:09:47 | 001,670,144 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\32f68764be7200d3796b55e377311245\Microsoft.VisualBasic.ni.dll
MOD - [2011/10/12 10:45:24 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e592e424a204aafeadbe22b6b31b9db\System.Windows.Forms.ni.dll
MOD - [2011/10/12 10:45:10 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b2622080e047040fa044dd21a04ff10d\System.Runtime.Remoting.ni.dll
MOD - [2011/10/12 10:45:03 | 011,819,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\8e7909ef6b5f953d49244c6b9f5f5100\System.Web.ni.dll
MOD - [2011/10/12 10:44:56 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3b2cfd85528a27eb71dc41d8067359a1\System.Drawing.ni.dll
MOD - [2011/10/12 10:44:52 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
MOD - [2011/10/12 10:44:48 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
MOD - [2011/10/12 10:44:42 | 007,963,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
MOD - [2011/10/12 10:44:35 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2011/07/16 22:21:04 | 000,302,592 | ---- | M] () -- C:\Users\ADMINI~1\AppData\Local\Temp\Rar$EX00.725\gmer.exe
MOD - [2010/09/22 20:12:20 | 000,016,832 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll
MOD - [2010/03/15 10:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2006/11/17 18:18:50 | 000,122,880 | ---- | M] () -- C:\Windows\System32\ala32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (XMLProvS)
SRV - File not found [On_Demand | Stopped] -- -- (WPFFontCache_v0400)
SRV - File not found [Disabled | Stopped] -- -- (LMIGuardianSvc)
SRV - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/11/14 10:51:08 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/04/18 02:00:54 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/01/16 15:13:52 | 000,378,984 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/05/07 07:36:10 | 000,092,008 | ---- | M] (TomTom) [Disabled | Stopped] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2008/11/19 08:47:24 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2007/06/29 17:54:16 | 000,073,728 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe -- (DTSRVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Unknown | Running] -- -- (SASKUTIL)
DRV - [2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 12:52:07 | 000,055,128 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/06/06 17:06:54 | 000,211,984 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AtihdW73.sys -- (AtiHDAudioService)
DRV - [2011/03/18 11:08:54 | 000,025,240 | ---- | M] (Almico Software) [Kernel | Boot | Running] -- C:\Windows\system32\speedfan.sys -- (speedfan)
DRV - [2011/01/16 18:53:00 | 010,480,296 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 04:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/12 02:10:52 | 000,122,984 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2010/01/27 11:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2009/10/26 15:09:06 | 001,095,936 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2009/10/13 01:16:02 | 000,049,152 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\l160x86.sys -- (AtcL001)
DRV - [2009/09/30 09:33:56 | 000,104,976 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009/01/14 16:43:50 | 000,083,808 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2008/09/08 22:58:14 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2007/09/10 06:49:46 | 000,095,616 | ---- | M] (C-Media Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmiucr.SYS -- (CMISTOR)
DRV - [2007/06/29 13:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2006/11/16 17:20:48 | 000,015,920 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PdiPorts.sys -- (PdiPorts)
DRV - [2006/10/18 16:44:48 | 000,007,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2006/02/07 14:52:58 | 000,006,912 | ---- | M] (JMicron ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\JGOGO.sys -- (JGOGO)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/intl/searchpane/en-au/prov2.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4263895640-4010197635-618819606-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
IE - HKU\S-1-5-21-4263895640-4010197635-618819606-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxy.kodak.com:81/proxy.pac

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7
FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8064.0206: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/09/22 12:29:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/09/22 12:29:30 | 000,000,000 | ---D | M]

[2011/04/17 19:19:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions
[2010/06/14 21:53:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions\home2@tomtom.com
[2011/04/17 19:08:00 | 000,000,000 | ---D | M] (Map status indicator) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

Hosts file not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKU\S-1-5-21-4263895640-4010197635-618819606-500..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Utility Application.lnk = C:\Users\Administrator\AppData\Roaming\Verizon\UA_ar\UtilityApplication.exe (Samsung Electronices Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000 File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: bing.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: eappraiseit.com ([talon] https in Trusted sites)
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: fnismls.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: live.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: rdesk.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: rexplorer.net ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: safemls.net ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4263895640-4010197635-618819606-500\..Trusted Domains: xmlsweb.com ([]* in Trusted sites)
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} http://rcar.fnismls.com/Paragon/Codebase/FNISPrintControl.cab (PrintPreview Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 10.2.0)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {CD27EEF6-55B8-4F24-99C5-E1191D814445} file:///C:/a%20la%20mode/WinTOTAL/Content/cabs/alaWeb5.CAB (alaWeb5.cUtil)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{448CD02B-25D3-4D80-A2AE-172D7D0CF03B}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{89F87965-3244-4356-BDA3-95C1CD7FACC7}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DEE8747C-EC09-449D-80A0-CFA8EC577434}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{82c7810e-2b4e-11e1-9c73-001b210f00bf}\Shell - "" = AutoRun
O33 - MountPoints2\{82c7810e-2b4e-11e1-9c73-001b210f00bf}\Shell\AutoRun\command - "" = E:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{92a820e6-b7a6-11e0-b397-001b210f00bf}\Shell - "" = AutoRun
O33 - MountPoints2\{92a820e6-b7a6-11e0-b397-001b210f00bf}\Shell\AutoRun\command - "" = E:\ToolLauncher-Bootstrap.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/23 10:22:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\MigWiz
[2011/12/23 09:57:55 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2011/12/21 13:41:19 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Kodak
[2011/12/21 13:40:35 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2011/12/21 13:39:44 | 000,000,000 | ---D | C] -- C:\ProgramData\{A0559A84-0A11-425F-BFFC-532378694B25}
[2011/12/20 19:14:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/12/20 19:14:34 | 000,637,848 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\npdeployJava1.dll
[2011/12/20 19:14:34 | 000,567,184 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2011/12/20 19:14:34 | 000,223,112 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2011/12/20 19:14:34 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2011/12/20 19:14:34 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2011/12/20 19:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/12/20 11:12:17 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/12/19 16:14:30 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/19 16:14:30 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/19 16:14:30 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/19 16:14:20 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/19 16:14:19 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/12/19 16:14:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/19 16:13:45 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/12/19 16:09:28 | 004,344,514 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
[2011/12/19 15:39:07 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
[2011/12/19 14:56:59 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe
[2011/12/19 12:51:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/12/19 12:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/12/19 12:24:00 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2011/12/17 18:19:10 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/12/17 18:19:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/12/17 18:19:09 | 000,314,456 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/12/17 18:19:07 | 000,052,952 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/12/17 18:19:07 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/12/17 18:19:06 | 000,435,032 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/12/17 18:19:04 | 000,055,128 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/12/17 18:17:58 | 000,199,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/12/17 18:17:58 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/12/17 14:41:53 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2011/12/17 14:41:53 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/12/17 14:39:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/12/17 14:39:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/12/17 14:39:16 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/12/17 14:11:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/17 14:11:44 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/12/15 14:03:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TOTAL Sketch
[2011/12/13 17:52:28 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2011/12/13 17:52:22 | 002,342,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/12/13 17:52:14 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/12/13 17:52:14 | 000,599,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/12/13 17:52:14 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/12/13 17:52:14 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/12/13 17:52:14 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/12/13 17:52:13 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/12/13 17:51:58 | 003,967,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/12/13 17:51:58 | 003,912,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/12/13 17:51:28 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll
[2009/04/06 23:08:29 | 000,098,304 | ---- | C] ( ) -- C:\Windows\System32\AutoLicense.dll
[2009/04/06 23:08:29 | 000,045,056 | ---- | C] ( ) -- C:\Windows\System32\AutoPAX.dll
[2009/04/06 23:08:26 | 000,122,880 | ---- | C] ( ) -- C:\Windows\System32\alauploader.exe
[6 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/23 12:16:54 | 000,052,966 | ---- | M] () -- C:\Windows\alaredun.ini
[2011/12/23 12:16:54 | 000,004,893 | ---- | M] () -- C:\Windows\alamode.ini
[2011/12/23 12:16:18 | 000,000,364 | ---- | M] () -- C:\Windows\MercuryWT.ini
[2011/12/23 12:13:57 | 001,153,699 | ---- | M] () -- C:\Users\Administrator\Desktop\1911 Thompson St SE.PDF
[2011/12/23 11:51:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/23 11:00:51 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/23 09:57:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2011/12/23 09:50:43 | 000,294,195 | ---- | M] () -- C:\Users\Administrator\Desktop\gmer.zip
[2011/12/22 17:18:24 | 001,674,088 | ---- | M] () -- C:\Users\Administrator\Desktop\3938 Laird Ln.PDF
[2011/12/22 16:54:29 | 000,000,059 | ---- | M] () -- C:\Windows\Ltdlgfileu.INI
[2011/12/22 14:48:33 | 001,767,832 | ---- | M] () -- C:\Users\Administrator\Desktop\3810 Forest Highland Dr.PDF
[2011/12/22 12:41:22 | 000,039,428 | ---- | M] () -- C:\Users\Administrator\Desktop\1911t.pdf
[2011/12/22 12:29:23 | 058,504,192 | R--- | M] () -- C:\Users\Public\Documents\ESBK.mbb
[2011/12/22 12:29:23 | 026,430,464 | R--- | M] () -- C:\Users\Public\Documents\ESBK.mb
[2011/12/21 18:26:08 | 001,663,181 | ---- | M] () -- C:\Users\Administrator\Desktop\1414 Brentwood Dr.PDF
[2011/12/21 13:14:01 | 000,014,062 | ---- | M] () -- C:\Users\Administrator\Desktop\5606c.pdf
[2011/12/20 19:14:26 | 000,637,848 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npdeployJava1.dll
[2011/12/20 19:14:26 | 000,567,184 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2011/12/20 19:14:26 | 000,223,112 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2011/12/20 19:14:26 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2011/12/20 19:14:26 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2011/12/20 18:21:35 | 000,010,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/20 18:21:35 | 000,010,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/20 17:56:34 | 000,673,552 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/20 17:56:34 | 000,124,622 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/20 17:49:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/20 16:06:52 | 2616,549,376 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/20 15:58:23 | 001,541,571 | ---- | M] () -- C:\Windows\System32\alaXML.xtf
[2011/12/20 11:44:18 | 000,395,875 | ---- | M] () -- C:\Users\Administrator\Desktop\MiniToolBox.exe
[2011/12/20 00:45:32 | 001,888,930 | ---- | M] () -- C:\Users\Administrator\Desktop\65 Whispering Pine Dr.PDF
[2011/12/19 19:39:21 | 001,601,564 | ---- | M] () -- C:\Users\Administrator\Desktop\900 Tippings Ct.PDF
[2011/12/19 16:09:33 | 004,344,514 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
[2011/12/19 15:39:12 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
[2011/12/19 15:29:17 | 000,050,477 | ---- | M] () -- C:\Users\Administrator\Desktop\Defogger.exe
[2011/12/19 14:57:11 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe
[2011/12/19 12:51:14 | 000,002,999 | ---- | M] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/12/19 12:20:45 | 001,557,791 | ---- | M] () -- C:\Users\Administrator\Desktop\tdsskiller.zip
[2011/12/17 18:19:10 | 000,001,994 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/12/17 18:19:04 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/12/17 14:39:23 | 000,001,216 | ---- | M] () -- C:\Users\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2011/12/17 14:11:47 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/17 14:08:04 | 000,010,416 | -HS- | M] () -- C:\Users\Administrator\AppData\Local\mcovru1q8brh1wun5tli0c265t8p
[2011/12/17 14:08:04 | 000,010,416 | -HS- | M] () -- C:\ProgramData\mcovru1q8brh1wun5tli0c265t8p
[2011/12/17 12:35:28 | 000,103,365 | ---- | M] () -- C:\Windows\System32\itusbcore.dat
[2011/12/17 12:35:28 | 000,000,197 | ---- | M] () -- C:\Windows\System32\itlsvc.dat
[2011/12/17 12:30:15 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2011/12/16 16:34:45 | 001,608,437 | ---- | M] () -- C:\Users\Administrator\Desktop\219 E Farrell St.PDF
[2011/12/16 14:59:11 | 001,446,141 | ---- | M] () -- C:\Users\Administrator\Desktop\9503 Vine St.PDF
[2011/12/16 12:18:58 | 000,001,984 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/12/15 14:58:31 | 001,608,193 | ---- | M] () -- C:\Users\Administrator\Desktop\184 Hunters Run Pl NW.PDF
[2011/12/15 14:03:16 | 000,000,876 | ---- | M] () -- C:\Users\Public\Desktop\TOTAL Sketch.lnk
[2011/12/15 12:50:45 | 001,052,846 | ---- | M] () -- C:\Users\Administrator\Desktop\3510 Timber Hill Dr SE.PDF
[2011/12/14 16:02:09 | 001,662,445 | ---- | M] () -- C:\Users\Administrator\Desktop\627 N Valley Dr.PDF
[2011/12/14 14:24:58 | 006,100,639 | ---- | M] () -- C:\Users\Administrator\Desktop\233 County Road 587.PDF
[2011/12/14 13:39:39 | 001,767,895 | ---- | M] () -- C:\Users\Administrator\Desktop\1625 John Ross Rd.PDF
[2011/12/13 18:09:11 | 000,488,248 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/13 16:55:16 | 001,625,019 | ---- | M] () -- C:\Users\Administrator\Desktop\149 County Road 29.PDF
[2011/12/13 14:13:31 | 001,715,324 | ---- | M] () -- C:\Users\Administrator\Desktop\3015 13th Ave.PDF
[2011/12/12 17:41:29 | 003,842,048 | ---- | M] () -- C:\Users\Administrator\Documents\My Money.mny
[2011/12/12 17:41:27 | 000,557,552 | R--- | M] () -- C:\Users\Administrator\Documents\My Money Backup_2011-12-12_174125.mbf
[2011/12/12 16:13:53 | 001,555,428 | ---- | M] () -- C:\Users\Administrator\Desktop\3112 Huntingdon Trace.PDF
[2011/12/09 15:39:28 | 001,711,406 | ---- | M] () -- C:\Users\Administrator\Desktop\3619 Tanaka Trail.PDF
[2011/12/07 13:44:17 | 001,363,691 | ---- | M] () -- C:\Users\Administrator\Desktop\7990 Trout Lily Dr.PDF
[2011/12/07 12:07:34 | 001,505,911 | ---- | M] () -- C:\Users\Administrator\Desktop\7012 Windcrest Ln.PDF
[2011/12/06 13:46:04 | 001,368,718 | ---- | M] () -- C:\Users\Administrator\Desktop\235 Shenandoah Ln NW.PDF
[2011/12/06 11:45:21 | 001,653,537 | ---- | M] () -- C:\Users\Administrator\Desktop\402 Emmett Ave NW.PDF
[2011/12/05 17:12:07 | 001,636,883 | ---- | M] () -- C:\Users\Administrator\Desktop\3906 Kemp Cir.PDF
[2011/12/05 13:10:26 | 001,559,046 | ---- | M] () -- C:\Users\Administrator\Desktop\4914 Saint Elmo Ave.PDF
[2011/12/02 18:25:02 | 001,641,430 | ---- | M] () -- C:\Users\Administrator\Desktop\1179 Penobscot Dr.PDF
[2011/12/02 16:38:57 | 001,516,011 | ---- | M] () -- C:\Users\Administrator\Desktop\675 Pinhook Rd.PDF
[2011/12/01 16:51:28 | 001,683,082 | ---- | M] () -- C:\Users\Administrator\Desktop\2426 Jenkins Rd.PDF
[2011/12/01 15:21:25 | 001,960,652 | ---- | M] () -- C:\Users\Administrator\Desktop\1523 Rowewood Dr.PDF
[2011/11/30 14:30:46 | 001,514,120 | ---- | M] () -- C:\Users\Administrator\Desktop\838 Brookrun Dr.PDF
[2011/11/30 13:00:18 | 001,730,584 | ---- | M] () -- C:\Users\Administrator\Desktop\1501 N Winer Dr.PDF
[2011/11/29 14:20:52 | 000,551,682 | R--- | M] () -- C:\Users\Administrator\Documents\My Money Backup_2011-11-29_142051.mbf
[2011/11/28 16:00:10 | 001,776,852 | ---- | M] () -- C:\Users\Administrator\Desktop\3200 Easton Ave.PDF
[2011/11/28 14:08:37 | 001,405,960 | ---- | M] () -- C:\Users\Administrator\Desktop\2405 Colonial Dr.PDF
[2011/11/28 13:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/11/28 13:01:23 | 000,199,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/11/28 12:52:07 | 000,055,128 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/11/23 23:25:27 | 002,342,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[6 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/23 12:16:54 | 000,052,966 | ---- | C] () -- C:\Windows\alaredun.ini
[2011/12/23 12:13:51 | 001,153,699 | ---- | C] () -- C:\Users\Administrator\Desktop\1911 Thompson St SE.PDF
[2011/12/23 09:50:42 | 000,294,195 | ---- | C] () -- C:\Users\Administrator\Desktop\gmer.zip
[2011/12/22 17:18:19 | 001,674,088 | ---- | C] () -- C:\Users\Administrator\Desktop\3938 Laird Ln.PDF
[2011/12/22 14:48:28 | 001,767,832 | ---- | C] () -- C:\Users\Administrator\Desktop\3810 Forest Highland Dr.PDF
[2011/12/22 12:41:21 | 000,039,428 | ---- | C] () -- C:\Users\Administrator\Desktop\1911t.pdf
[2011/12/21 18:26:08 | 001,663,181 | ---- | C] () -- C:\Users\Administrator\Desktop\1414 Brentwood Dr.PDF
[2011/12/21 13:14:00 | 000,014,062 | ---- | C] () -- C:\Users\Administrator\Desktop\5606c.pdf
[2011/12/20 15:58:23 | 001,541,571 | ---- | C] () -- C:\Windows\System32\alaXML.xtf
[2011/12/20 11:44:13 | 000,395,875 | ---- | C] () -- C:\Users\Administrator\Desktop\MiniToolBox.exe
[2011/12/20 00:45:26 | 001,888,930 | ---- | C] () -- C:\Users\Administrator\Desktop\65 Whispering Pine Dr.PDF
[2011/12/19 19:39:15 | 001,601,564 | ---- | C] () -- C:\Users\Administrator\Desktop\900 Tippings Ct.PDF
[2011/12/19 16:14:30 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/19 16:14:30 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/19 16:14:30 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/19 16:14:30 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/19 16:14:30 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/19 15:29:17 | 000,050,477 | ---- | C] () -- C:\Users\Administrator\Desktop\Defogger.exe
[2011/12/19 12:51:14 | 000,002,999 | ---- | C] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/12/19 12:20:42 | 001,557,791 | ---- | C] () -- C:\Users\Administrator\Desktop\tdsskiller.zip
[2011/12/17 18:19:10 | 000,001,994 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/12/17 14:39:23 | 000,001,216 | ---- | C] () -- C:\Users\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2011/12/17 14:11:47 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/17 12:35:28 | 000,103,365 | ---- | C] () -- C:\Windows\System32\itusbcore.dat
[2011/12/17 12:35:28 | 000,000,197 | ---- | C] () -- C:\Windows\System32\itlsvc.dat
[2011/12/17 12:22:46 | 000,010,416 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\mcovru1q8brh1wun5tli0c265t8p
[2011/12/17 12:22:46 | 000,010,416 | -HS- | C] () -- C:\ProgramData\mcovru1q8brh1wun5tli0c265t8p
[2011/12/16 16:34:41 | 001,608,437 | ---- | C] () -- C:\Users\Administrator\Desktop\219 E Farrell St.PDF
[2011/12/16 14:59:06 | 001,446,141 | ---- | C] () -- C:\Users\Administrator\Desktop\9503 Vine St.PDF
[2011/12/15 14:58:26 | 001,608,193 | ---- | C] () -- C:\Users\Administrator\Desktop\184 Hunters Run Pl NW.PDF
[2011/12/15 14:03:16 | 000,000,876 | ---- | C] () -- C:\Users\Public\Desktop\TOTAL Sketch.lnk
[2011/12/15 12:50:41 | 001,052,846 | ---- | C] () -- C:\Users\Administrator\Desktop\3510 Timber Hill Dr SE.PDF
[2011/12/14 16:02:04 | 001,662,445 | ---- | C] () -- C:\Users\Administrator\Desktop\627 N Valley Dr.PDF
[2011/12/14 14:24:58 | 006,100,639 | ---- | C] () -- C:\Users\Administrator\Desktop\233 County Road 587.PDF
[2011/12/14 13:39:34 | 001,767,895 | ---- | C] () -- C:\Users\Administrator\Desktop\1625 John Ross Rd.PDF
[2011/12/13 16:55:11 | 001,625,019 | ---- | C] () -- C:\Users\Administrator\Desktop\149 County Road 29.PDF
[2011/12/13 14:13:26 | 001,715,324 | ---- | C] () -- C:\Users\Administrator\Desktop\3015 13th Ave.PDF
[2011/12/12 17:41:27 | 000,557,552 | R--- | C] () -- C:\Users\Administrator\Documents\My Money Backup_2011-12-12_174125.mbf
[2011/12/12 16:13:53 | 001,555,428 | ---- | C] () -- C:\Users\Administrator\Desktop\3112 Huntingdon Trace.PDF
[2011/12/09 15:39:23 | 001,711,406 | ---- | C] () -- C:\Users\Administrator\Desktop\3619 Tanaka Trail.PDF
[2011/12/07 13:44:13 | 001,363,691 | ---- | C] () -- C:\Users\Administrator\Desktop\7990 Trout Lily Dr.PDF
[2011/12/07 12:07:30 | 001,505,911 | ---- | C] () -- C:\Users\Administrator\Desktop\7012 Windcrest Ln.PDF
[2011/12/06 13:46:00 | 001,368,718 | ---- | C] () -- C:\Users\Administrator\Desktop\235 Shenandoah Ln NW.PDF
[2011/12/06 11:45:10 | 001,653,537 | ---- | C] () -- C:\Users\Administrator\Desktop\402 Emmett Ave NW.PDF
[2011/12/05 17:12:02 | 001,636,883 | ---- | C] () -- C:\Users\Administrator\Desktop\3906 Kemp Cir.PDF
[2011/12/05 13:10:21 | 001,559,046 | ---- | C] () -- C:\Users\Administrator\Desktop\4914 Saint Elmo Ave.PDF
[2011/12/02 18:24:57 | 001,641,430 | ---- | C] () -- C:\Users\Administrator\Desktop\1179 Penobscot Dr.PDF
[2011/12/02 16:38:53 | 001,516,011 | ---- | C] () -- C:\Users\Administrator\Desktop\675 Pinhook Rd.PDF
[2011/12/01 16:51:23 | 001,683,082 | ---- | C] () -- C:\Users\Administrator\Desktop\2426 Jenkins Rd.PDF
[2011/12/01 15:21:20 | 001,960,652 | ---- | C] () -- C:\Users\Administrator\Desktop\1523 Rowewood Dr.PDF
[2011/11/30 14:30:41 | 001,514,120 | ---- | C] () -- C:\Users\Administrator\Desktop\838 Brookrun Dr.PDF
[2011/11/30 13:00:13 | 001,730,584 | ---- | C] () -- C:\Users\Administrator\Desktop\1501 N Winer Dr.PDF
[2011/11/29 14:20:52 | 000,551,682 | R--- | C] () -- C:\Users\Administrator\Documents\My Money Backup_2011-11-29_142051.mbf
[2011/11/28 16:00:06 | 001,776,852 | ---- | C] () -- C:\Users\Administrator\Desktop\3200 Easton Ave.PDF
[2011/11/28 14:08:32 | 001,405,960 | ---- | C] () -- C:\Users\Administrator\Desktop\2405 Colonial Dr.PDF
[2011/08/24 17:59:16 | 000,207,549 | ---- | C] () -- C:\Windows\hpwins28.dat.temp
[2011/08/24 17:59:16 | 000,000,418 | ---- | C] () -- C:\Windows\hpwmdl28.dat.temp
[2011/08/24 15:46:17 | 000,206,559 | ---- | C] () -- C:\Windows\hpwins28.dat
[2011/07/28 16:49:12 | 000,053,760 | ---- | C] () -- C:\Windows\System32\OVDecode.dll
[2011/05/20 21:35:28 | 000,304,744 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
[2011/04/19 11:22:59 | 000,007,607 | ---- | C] () -- C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
[2011/04/18 13:29:26 | 000,000,022 | ---- | C] () -- C:\Users\Administrator\AppData\Local\kodakpcd.ini
[2011/04/17 19:59:49 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/04/17 19:33:22 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2011/03/13 09:51:55 | 000,000,118 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\wklnhst.dat
[2011/02/18 12:59:03 | 000,000,059 | ---- | C] () -- C:\Windows\Ltdlgfileu.INI
[2010/08/05 13:37:14 | 000,000,282 | ---- | C] () -- C:\Windows\TECHUSER.INI
[2009/12/09 23:17:42 | 000,000,016 | ---- | C] () -- C:\Windows\popcinfo.dat
[2009/10/01 14:04:31 | 000,000,164 | ---- | C] () -- C:\Windows\install.dat
[2009/08/18 02:18:40 | 000,000,418 | ---- | C] () -- C:\Windows\hpwmdl28.dat
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/13 23:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 23:33:53 | 000,488,248 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 21:05:48 | 000,673,552 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 21:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 21:05:48 | 000,124,622 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 21:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 21:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 21:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 18:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2009/05/17 22:00:24 | 000,000,244 | ---- | C] () -- C:\Windows\ACIeServices.INI
[2009/04/08 12:51:55 | 000,000,364 | ---- | C] () -- C:\Windows\MercuryWT.ini
[2009/04/08 12:51:55 | 000,000,000 | ---- | C] () -- C:\Windows\Mercury.ini
[2009/04/07 14:29:06 | 000,417,792 | ---- | C] () -- C:\Windows\System32\fxdb.dll
[2009/04/07 14:28:30 | 001,213,440 | ---- | C] () -- C:\Windows\System32\opengl.dll
[2009/04/07 14:28:30 | 000,315,904 | ---- | C] () -- C:\Windows\System32\glu.dll
[2009/04/07 14:28:30 | 000,154,624 | ---- | C] () -- C:\Windows\System32\glut.dll
[2009/04/07 12:05:27 | 000,148,900 | ---- | C] () -- C:\Windows\hpoins19.dat
[2009/04/07 12:05:18 | 000,026,952 | ---- | C] () -- C:\Windows\hpomdl19.dat
[2009/04/06 23:08:49 | 000,034,304 | ---- | C] () -- C:\Windows\System32\UnlockFile.exe
[2009/04/06 23:08:48 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx14_ic.ini
[2009/04/06 23:08:46 | 000,327,680 | ---- | C] () -- C:\Windows\System32\SmaRTEng.dll
[2009/04/06 23:08:44 | 000,577,536 | ---- | C] () -- C:\Windows\System32\PAXMeta.dll
[2009/04/06 23:08:44 | 000,053,248 | ---- | C] () -- C:\Windows\System32\P2kDesk.dll
[2009/04/06 23:08:34 | 000,338,944 | ---- | C] () -- C:\Windows\System32\LFfpx7.dll
[2009/04/06 23:08:34 | 000,118,784 | ---- | C] () -- C:\Windows\System32\LFKodak.dll
[2009/04/06 23:08:33 | 000,024,576 | ---- | C] () -- C:\Windows\System32\fmt_jb2.dll
[2009/04/06 23:08:33 | 000,018,944 | ---- | C] () -- C:\Windows\System32\fmt_xcx.dll
[2009/04/06 23:08:33 | 000,011,264 | ---- | C] () -- C:\Windows\System32\fmt_xmf.dll
[2009/04/06 23:08:33 | 000,000,313 | ---- | C] () -- C:\Windows\System32\ic32.ini
[2009/04/06 23:08:31 | 000,040,960 | ---- | C] () -- C:\Windows\System32\DeskSkt.dll
[2009/04/06 23:08:31 | 000,036,864 | ---- | C] () -- C:\Windows\System32\DP2kFrms.dll
[2009/04/06 23:08:29 | 000,401,408 | ---- | C] () -- C:\Windows\System32\AXF_AXS.dll
[2009/04/06 23:08:29 | 000,220,160 | ---- | C] () -- C:\Windows\System32\Carcla30.dll
[2009/04/06 23:08:28 | 000,204,864 | ---- | C] () -- C:\Windows\System32\AtxWrap.dll
[2009/04/06 23:08:26 | 000,018,432 | ---- | C] () -- C:\Windows\System32\alavistautils.dll
[2009/04/06 23:08:26 | 000,001,597 | ---- | C] () -- C:\Windows\System32\alaUploader.exe.config
[2009/04/06 23:08:24 | 001,159,168 | ---- | C] () -- C:\Windows\System32\alaMFC2.dll
[2009/04/06 23:08:24 | 000,151,552 | ---- | C] () -- C:\Windows\System32\alaMapi.dll
[2009/04/06 23:08:24 | 000,086,016 | ---- | C] () -- C:\Windows\System32\alaLaunch2.dll
[2009/04/06 23:08:24 | 000,073,728 | ---- | C] () -- C:\Windows\System32\alaLaunch.dll
[2009/04/06 23:08:22 | 000,122,880 | ---- | C] () -- C:\Windows\System32\ala32.dll
[2009/04/06 23:05:54 | 000,004,893 | ---- | C] () -- C:\Windows\alamode.ini
[2009/03/02 08:44:54 | 000,010,720 | ---- | C] () -- C:\Windows\TECHHELP5.INI
[2009/02/09 18:11:13 | 000,000,089 | ---- | C] () -- C:\Windows\System32\PDFWRITR.INI
[2009/02/09 18:11:13 | 000,000,089 | ---- | C] () -- C:\Windows\System32\__PDF.INI
[2009/02/03 17:22:44 | 000,049,152 | ---- | C] () -- C:\Windows\System32\usbinst32.dll
[2009/02/03 17:19:33 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2009/02/03 16:37:07 | 000,000,331 | ---- | C] () -- C:\Windows\FMTMSAM.INI
[2009/02/03 16:36:57 | 000,000,260 | ---- | C] () -- C:\Windows\hpbafd.ini
[2009/02/03 16:35:51 | 000,094,274 | ---- | C] () -- C:\Windows\System32\HPBHealr.dll
[2009/02/03 16:00:31 | 000,000,000 | ---- | C] () -- C:\Windows\D1SIG32.INI
[2009/02/03 15:55:06 | 000,495,616 | ---- | C] () -- C:\Windows\System32\Tx32.dll
[2009/02/03 13:59:35 | 000,000,305 | ---- | C] () -- C:\Windows\D1IMG32.INI
[2009/02/03 13:42:45 | 000,000,424 | -H-- | C] () -- C:\Windows\vskt7.ini
[2009/02/03 12:47:08 | 000,000,011 | ---- | C] () -- C:\Windows\LHouse.INI
[2009/02/03 12:40:45 | 000,073,360 | ---- | C] () -- C:\Windows\System32\readdll.dll
[2009/02/03 12:37:45 | 000,001,354 | ---- | C] () -- C:\Windows\DAYONE.INI
[2009/02/03 12:37:13 | 000,000,250 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/02/03 12:37:12 | 000,000,023 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2009/02/03 12:37:06 | 000,061,440 | ---- | C] () -- C:\Windows\System32\WRKGADM.EXE
[2009/02/03 12:37:06 | 000,032,768 | ---- | C] () -- C:\Windows\System32\HLINKPRX.DLL
[2009/02/03 12:37:04 | 000,031,936 | ---- | C] () -- C:\Windows\System32\D1skt.dll
[2009/01/03 09:22:04 | 000,011,678 | ---- | C] () -- C:\Windows\d1fnc.ini
[2008/01/26 12:41:28 | 000,000,419 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2008/01/26 12:41:28 | 000,000,027 | ---- | C] () -- C:\Windows\BRPP2KA.INI
[2008/01/26 12:38:47 | 000,000,225 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2008/01/26 12:38:47 | 000,000,093 | ---- | C] () -- C:\Windows\brpcfx.ini
[2008/01/26 12:38:47 | 000,000,050 | ---- | C] () -- C:\Windows\System32\bridf07a.dat
[2008/01/26 12:36:08 | 000,000,066 | ---- | C] () -- C:\Windows\Brfaxrx.ini
[2008/01/26 12:36:07 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat
[2008/01/26 12:36:05 | 000,106,496 | ---- | C] () -- C:\Windows\System32\BrMuSNMP.dll
[2008/01/26 12:34:59 | 000,031,567 | ---- | C] () -- C:\Windows\maxlink.ini
[2008/01/24 18:42:07 | 000,000,458 | ---- | C] () -- C:\Windows\MTU.INI
[2008/01/24 18:41:34 | 000,000,064 | ---- | C] () -- C:\Windows\winhelp.ini
[2008/01/14 22:13:04 | 000,464,384 | ---- | C] () -- C:\Windows\CmiUCRUninstall_x64.exe
[2008/01/14 22:13:03 | 000,311,296 | ---- | C] () -- C:\Windows\CmiUCRUninstall.exe
[2008/01/14 22:10:58 | 000,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys
[2008/01/14 21:18:17 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2008/01/14 21:18:16 | 000,013,738 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2008/01/14 21:18:10 | 000,010,288 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2007/08/22 06:43:34 | 000,327,680 | ---- | C] () -- C:\Windows\CmUCREye.exe
[2007/06/28 11:43:00 | 000,442,368 | ---- | C] () -- C:\Windows\System32\nvappbar.exe
[2007/04/03 08:59:52 | 000,098,304 | ---- | C] () -- C:\Windows\System32\apshext.dll
[2007/02/14 07:12:22 | 000,327,680 | ---- | C] () -- C:\Windows\System32\CmUCRRm.exe
[2007/02/12 09:08:00 | 000,065,536 | ---- | C] () -- C:\Windows\cmiboot.exe
[2006/12/07 11:10:34 | 000,053,248 | ---- | C] () -- C:\Windows\System32\CmUCRRm.Dll
[2003/01/30 11:21:29 | 000,000,544 | ---- | C] () -- C:\Windows\System32\WinSkt7.INI
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[1998/09/17 01:25:24 | 000,004,096 | ---- | C] () -- C:\Windows\delttsul.exe
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:76650B61

< End of report >

OTL Extras logfile created on: 12/23/2011 12:21:41 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 64.71% Memory free
6.50 Gb Paging File | 5.22 Gb Available in Paging File | 80.35% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 131.54 Gb Free Space | 44.13% Space Free | Partition Type: NTFS

Computer Name: BUTLER-PC | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{03B0D67B-36C9-C2CD-B63B-7B526138BA52}" = ccc-utility
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04FC2E4C-0E41-9D39-4E58-1EF29D4EF09D}" = ccc-core-static
"{05383BE9-DB28-4BAE-9177-A2BC21CAF625}" = Microsoft Video Email add-in for Outlook 2003
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0949C078-58B4-CAF1-9A63-A4545145806D}" = Catalyst Control Center Graphics Previews Common
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0B7C79A5-5CB2-4ABD-A9C1-92A6213CE8DD}_is1" = MSI Kombustor 1.1.3
"{0BB72566-0D4C-7200-2CE7-02F298B49C88}" = CCC Help English
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{0DEA342C-15CB-4F52-97B6-06A9C4B9C06F}" = SDK
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{107DE62C-DACF-3204-9154-4BB24196E9AE}" = ccc-utility
"{11083C7A-D0D6-4DA4-8C3A-74B8389EC07B}" = ATI Catalyst Registration
"{110AD51E-D0E0-49B1-52FD-291373BA62EA}" = Catalyst Control Center Graphics Full New
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{15733AD1-1CEF-459A-9245-0924FC63BDD5}" = HP My Display
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{19A492A0-888F-44A0-9B21-D91700763F62}" = Catalyst Control Center - Branding
"{19F1A99A-196F-4D18-BC36-C1DAD6ABCCF3}" = KODAK Share Button App
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F698102-5739-441E-96F0-74F4EA540F06}" = Attansic Ethernet Utility
"{209DF55F-5E5C-48A3-BC3D-A7CB1224458C}" = HP Print Diagnostic Utility
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2365558E-D15A-D3DA-67E5-4B67FAB71280}" = CCC Help English
"{23A456C0-A959-2974-E46A-86A9A6DF0C66}" = CCC Help English
"{26A24AE4-039D-4CA4-87B4-2F83217002FF}" = Java™ 7 Update 2
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2A1DBB1C-EB12-42D0-98D2-2338DFACD279}" = Verizon Wireless Software Utility Application for Android - Samsung
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (ALAMODE)
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{31557F4F-7D10-D32E-4B70-237A09FCC31B}" = Catalyst Control Center Graphics Previews Common
"{332CC6BF-E6C7-48EE-BA3D-435E576AD67F}" = PaperPort Image Printer
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMicron JMB36X Driver
"{3A4D5E2D-988D-4ee9-8E7F-3AC200A2B8F5}" = 4500G510nz_Software_Min
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C175604-F026-5D79-BBD8-F626AE10B3EF}" = Catalyst Control Center Graphics Full Existing
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{440B915A-0C85-45DB-92AE-75AE14704A64}" = Fax
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{45CCC540-F869-A543-CA28-1CB92B7A2DB7}" = ccc-core-static
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{50EDAEF4-760D-1C92-8E61-853D624EB601}" = Catalyst Control Center Graphics Previews Common
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5A67D2EA-FB70-4033-A6F3-606AD85B2015}_is1" = Driver Sweeper version 2.8.5
"{5B05FF91-F20C-4832-A8DE-E1912639C17C}" = 4500G510nz
"{5E8B45A0-072C-91F7-BC80-29374194B452}" = Catalyst Control Center Graphics Previews Vista
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{62C2067E-5851-BD4C-98E0-5C4D5E155A5B}" = Catalyst Control Center Core Implementation
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{66C3D6D7-9A9C-4127-8289-6892DFD31CA4}" = NOVA
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{690879A5-18EF-447B-98D6-B699D51008AB}" = 4500_G510nz_Help
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FD94CB-D8E8-E05F-B076-D8F8566A29D6}" = Catalyst Control Center InstallProxy
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6B5D55EB-7E74-04BA-215A-49612EAF6673}" = CCC Help English
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{6D4F75DA-29B2-83CE-C5DB-8756DD3DD415}" = ccc-utility
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6E19F210-3813-4002-B561-94D66AA182B6}" = Attansic L1 Gigabit Ethernet Driver
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7395D650-AE5D-4D68-B8FE-D3FA6B51467F}" = Driver Detective
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7BA01D2D-E25C-0C2C-5779-7A8E02A4BE7D}" = Catalyst Control Center Core Implementation
"{7E0E61CC-1C99-429D-BEA7-C4DD5B898D2A}" = HP Officejet 4500 G510n-z
"{7F1B3341-A94E-4F5C-B587-CA0EB964221E}" = Microsoft Money Shared Libraries
"{81FAB7A0-546F-9D61-D2FA-B4E68D9BFCD3}" = Catalyst Control Center
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{8FF4E834-DCAD-29E7-1EE8-9D817A3FA15B}" = CCC Help English
"{900C2AB5-3F37-4F84-B58C-893FA5F42D7D}_is1" = WiseFixer 3.2
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{92A51949-EE4C-466D-AAF0-99E74A49A63F}" = DocMgr
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9FD6F1A8-5550-46AF-8509-271DF0E768B5}" = Dual-Core Optimizer
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A292C05C-840A-9D47-5350-EF39ECC7629E}" = Catalyst Control Center HydraVision Full
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}" = Copy
"{A3FEC306-FBFF-4B0D-95B9-F9C67C65079E}" = Brother MFL-Pro Suite
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A4C4162B-C088-4761-A8C0-AE189E1E6BFB}" = Catalyst Control Center Graphics Previews Common
"{A4EC8375-684F-08A9-86DB-3DE0DDFC0083}" = Catalyst Control Center
"{A80FA752-C491-4ED9-ABF0-4278563160B2}" = 32 Bit HP CIO Components Installer
"{A82B4C95-7E11-2367-6DD3-89CD06D2DD05}" = AMD Catalyst Install Manager
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.7
"{AD17676C-5065-E427-130B-21CE713F93E7}" = Catalyst Control Center Graphics Light
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B2455727-ED8F-4643-8A6E-F4AB8DE3633D}" = Network
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 266.71
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 266.71
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 266.71
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD Audio Driver 1.1.13.1
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B6C89654-A6A2-477C-873B-724EC1C56407}" = ScanSoft PaperPort 11
"{B7F0B0AE-3081-C6D5-04AD-839AA677B97F}" = ccc-utility
"{B970700B-E49F-ECEF-4ADB-0F3E1AFEDE91}" = ccc-core-static
"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
"{BA46B248-02F8-344D-1C2A-D2C80CC5DD44}" = Catalyst Control Center InstallProxy
"{BCB4C18A-ACA6-4383-8688-E19933A705DD}" = Microsoft SOAP Toolkit 3.0
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{BF36BCF3-FA5C-402B-AA20-3909B813142A}" = a la mode Vault
"{C03A56EE-2715-5F54-69C4-A1CDB7602354}" = Catalyst Control Center Graphics Full New
"{C307DD64-1C69-8C52-D2C9-02D38995A269}" = Catalyst Control Center HydraVision Full
"{C41DF3CA-5F40-DB8C-D747-DC68BC2010D8}" = Catalyst Control Center
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C5B09388-4614-A43E-9835-1D362E26A22C}" = AMD Media Foundation Decoders
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CDBB3A08-5E3A-4429-B1E6-758FF739C04C}" = 2006 SP5 Updates Setup
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D1399216-81B2-457C-A0F7-73B9A2EF6902}" = PDFill PDF Editor with FREE Writer and FREE Tools
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D55DEDD1-B7AC-AE24-D25D-63E5B72EEC97}" = CCC Help English
"{D6621899-839D-46D0-0835-F394BDA37A38}" = AMD Drag and Drop Transcoding
"{D872D294-5E06-2C4B-B2F5-D3E19F097917}" = ccc-utility
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{DDA34038-89BD-4804-B0B8-DC48D5DFB463}" = Catalyst Control Center - Branding
"{DE9EE80B-7EDE-64AC-25F1-F3F3F68C0DEA}" = Catalyst Control Center Graphics Previews Common
"{E031338C-839D-4EDD-9537-99B653C39D81}" = Autodesk MapGuide® Viewer ActiveX Control Release 6.5
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software
"{E3E1398E-8FF2-0154-6D8F-7FC26299EBED}" = Catalyst Control Center Graphics Full Existing
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2508213-9989-4E85-A078-72BE483917EF}" = Microsoft Games for Windows - LIVE Redistributable
"{F48A622B-DC1D-79A5-380D-29C6493B6987}" = Catalyst Control Center Graphics Previews Common
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F59205C8-E5FB-43F5-AAB2-16C1760D4F59}" = FaceFilter Studio Brother Edition
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{F9726DDC-D7B5-BF1F-5626-EA467FEEBC52}" = ccc-utility
"{F9F13FEA-D51E-A1C3-4EDC-D04A91B62C93}" = Catalyst Control Center Graphics Previews Vista
"{FBEF69BB-829C-8D4D-B299-497147916039}" = Catalyst Control Center Graphics Light
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FD9F3DED-B730-378A-7688-510148E67135}" = Catalyst Control Center Graphics Previews Vista
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"3D970B9F930E7AAE23C06D39A1AC98548C90B442" = Windows Driver Package - Eastman Kodak KODAK Digital Camera (01/29/2010 1.4.1.0)
"Able2Extract v6.0" = Able2Extract v6.0
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Afterburner" = MSI Afterburner 2.0.0
"AnswerWorks" = AnswerWorks Runtime
"avast" = avast! Free Antivirus
"C-Media Card Reader Driver USB2.0" = C-Media Card Reader Driver USB2.0
"C-Media USB2.0 Card Reader" = C-Media USB2.0 Card Reader
"Corel Applications" = Corel Applications
"ESET Online Scanner" = ESET Online Scanner v3
"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.50
"Foxit PDF Editor" = Foxit PDF Editor
"GPL Ghostscript 8.71" = GPL Ghostscript 8.71
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"HPOCR" = OCR Software by I.R.I.S. 13.0
"InstallShield_{7395D650-AE5D-4D68-B8FE-D3FA6B51467F}" = Driver Detective
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Money2008b" = Microsoft Money Plus
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NOVA Connect 10/08" = NOVA Connect 10/08
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PDF-XChange 3_is1" = PDF-XChange 3
"PROSet" = Intel® Network Connections Drivers
"Shop for HP Supplies" = Shop for HP Supplies
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"SpeedFan" = SpeedFan (remove only)
"Steam App 500" = Left 4 Dead
"Steam App 550" = Left 4 Dead 2
"Steam App 91310" = Dead Island
"TomTom HOME" = TomTom HOME 2.7.4.1962
"UnrealTournament" = Unreal Tournament G.O.T.Y. Edition
"ViewpointMediaPlayer" = Viewpoint Media Player
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WinSketch Pro 7" = WinSketch Pro 7
"Wise Registry Cleaner_is1" = Wise Registry Cleaner Professional V5.8.2
"Yahoo! Companion" = Yahoo! Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{BF36BCF3-FA5C-402B-AA20-3909B813142A}" = a la mode Vault

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Edited by AndyButler, 23 December 2011 - 12:35 PM.
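
One check worth running on the Extras log above, added here as an example: it is not part of this thread and not OTL's own code. Rogue AV families commonly hijack the exefile (and comfile/batfile) open handler so that every program launch is routed through the rogue, and they flip the Security Center override values and the per-profile EnableFirewall policy so Windows stops warning. In the poster's log the handlers are the stock "%1" %* and EnableFirewall is 1 in all three profiles, which is what this script would report as clean; the constructed sample inside it shows what a hijacked log looks like instead. Assumptions: the stock Windows 7 baseline values, the sample log excerpt (constructed in OTL's format) and the rogue path in it are mine, not from the page. Note that OTL's Firewall Settings section only shows the registry policy values; whether the Windows Firewall and Base Filtering Engine services still exist and are set to start is not covered by this log, so a firewall that "will not turn on" with EnableFirewall = 1 still needs a look at the services.

```python
"""Triage an OTL Extras log: shell handlers and Security Center / firewall values.
Added example for this thread, not OTL's or the poster's code. Rogue AV families
commonly hijack the exefile/comfile/batfile 'open' handlers (every launched .exe
then runs through the rogue) and flip the Override / EnableFirewall values so
Windows stops warning. The stock Windows 7 baseline below is an assumption."""
import re

SECTION_RE = re.compile(r"^========== (.+?) ==========$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# e.g.  cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.+?)(?: \([^)]*\))?$")
VALUE_RE = re.compile(r'^"(\w+)" = (-?\d+)$')

# Stock Windows 7 handlers as OTL prints them: "%1" %* for executables, "%1" /S for .scr
EXPECTED_SPAWN = {(k, "open"): '"%1" %*'
                  for k in ("batfile", "cmdfile", "comfile", "exefile", "piffile")}
EXPECTED_SPAWN[("scrfile", "open")] = '"%1" /S'
# Policy values as they read on a healthy box
EXPECTED_VALUES = {"EnableFirewall": 1, "AntiVirusOverride": 0,
                   "AntiSpywareOverride": 0, "FirewallOverride": 0, "DisableSR": 0}


def parse_sections(text):
    """Split OTL output into {section title: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_shell_spawning(lines):
    """Compare each 'key [verb] -- command' line against the stock baseline."""
    findings, seen = [], set()
    for line in lines:
        m = SPAWN_RE.match(line)
        if not m:
            continue
        key, verb, cmd = m.groups()
        seen.add((key, verb))
        want = EXPECTED_SPAWN.get((key, verb))
        if cmd.startswith("Reg Error"):
            findings.append(("LOW", f"{key} [{verb}]: OTL could not read it ({cmd}); verify by hand"))
        elif want is not None and cmd != want:
            findings.append(("HIGH", f"{key} [{verb}] handler hijacked: {cmd!r} (expected {want!r})"))
    for key, verb in sorted(EXPECTED_SPAWN):
        if (key, verb) not in seen:
            findings.append(("INFO", f"{key} [{verb}] not listed; cannot confirm it is intact"))
    return findings


def check_values(lines):
    """Flag numeric registry values in a section that differ from EXPECTED_VALUES."""
    findings, path = [], "?"
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            path = k.group(1)          # remember which key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue                   # 'Reg Error' lines and non-numeric values
        name, value = m.group(1), int(m.group(2))
        want = EXPECTED_VALUES.get(name)
        if want is not None and value != want:
            sev = "HIGH" if name == "EnableFirewall" else "MEDIUM"
            findings.append((sev, f"{path}\\{name} = {value} (expected {want})"))
    return findings


def triage(text):
    """Return [(severity, message)] for the text of an OTL Extras log."""
    sections = parse_sections(text)
    findings = check_shell_spawning(sections.get("Shell Spawning", []))
    for title in ("Security Center Settings", "Firewall Settings", "System Restore Settings"):
        findings += check_values(sections.get(title, []))
    return findings


# Constructed excerpt in OTL's format (hypothetical rogue path): one hijacked
# handler, one unreadable handler, one override flipped, one profile's firewall off.
SAMPLE_LOG = r"""
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "C:\ProgramData\example-rogue.exe" -a "%1" %*
helpfile [open] -- Reg Error: Key error.
scrfile [open] -- "%1" /S
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):   # pass the text of a real Extras.Txt instead
        print(f"[{sev}] {msg}")
```

Feed it the full Extras.Txt and read the HIGH lines first: a non-stock exefile handler is the single most useful indicator of a rogue-AV leftover, because it survives the removal of the rogue's own files and is exactly what makes "nothing will run" symptoms appear after a partial clean-up.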


#5 AndyButler (Topic Starter, Members, 11 posts)

Posted 23 December 2011 - 05:38 PM

Here is GMER
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-23 17:36:21
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD3200AAJS-00VWA0 rev.12.01B02
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\ufdiipod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9123AFC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x91EF8510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x9123D456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x9123D4AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x9123D5C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x9123D3AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x9123D4FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x9123D400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x9123D572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9123AFE8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x91EF85C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x9123ADB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9123B00C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x9123D9BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9123BAA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9123D486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x9123D4D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x9123D5EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x9123D3D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x9123D53E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x9123D42E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x9123D59C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x91EF8658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9123B96A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9123B030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9123B054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9123AE0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9123AF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9123AF24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9123AF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9123B078]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x91F0C7A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 83286369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832BFD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 832C6D80 4 Bytes [C4, AF, 23, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 832C6DA8 4 Bytes [10, 85, EF, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 832C6E5C 8 Bytes [56, D4, 23, 91, AE, D4, 23, ...] {PUSH ESI; AAM 0x23; XCHG ECX, EAX; SCASB ; AAM 0x23; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 832C6E68 4 Bytes [C4, D5, 23, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 832C6E84 4 Bytes [AC, D3, 23, 91] {LODSB ; SHL DWORD [EBX], CL; XCHG ECX, EAX}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83453BE8 5 Bytes JMP 91F0969C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 8346C1D0 5 Bytes JMP 91F0B174 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 83481317 4 Bytes CALL 9123C025 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8349B0E9 4 Bytes CALL 9123C03B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 83524F30 7 Bytes JMP 91F0C7A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[108] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[108] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[108] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[108] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[108] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001F03FC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[108] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 001F0804
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[108] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[108] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[444] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000E03FC
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[444] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000E01F8
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[444] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[444] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 002A0A08
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[444] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002A03FC
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[444] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 002A0804
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[444] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002A01F8
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[444] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 002A0600
.text C:\Windows\system32\csrss.exe[476] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[536] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[544] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[544] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[544] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[544] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00050A08
.text C:\Windows\system32\wininit.exe[544] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 000503FC
.text C:\Windows\system32\wininit.exe[544] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00050804
.text C:\Windows\system32\wininit.exe[544] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 000501F8
.text C:\Windows\system32\wininit.exe[544] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00050600
.text C:\Windows\system32\winlogon.exe[580] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[580] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[580] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00050A08
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 000503FC
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00050804
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 000501F8
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00050600
.text C:\Windows\explorer.exe[604] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\explorer.exe[604] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\explorer.exe[604] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\explorer.exe[604] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 000A0A08
.text C:\Windows\explorer.exe[604] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 000A03FC
.text C:\Windows\explorer.exe[604] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 000A0804
.text C:\Windows\explorer.exe[604] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 000A01F8
.text C:\Windows\explorer.exe[604] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 000A0600
.text C:\Windows\system32\services.exe[640] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[640] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[640] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[648] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00200A08
.text C:\Windows\system32\lsass.exe[648] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002003FC
.text C:\Windows\system32\lsass.exe[648] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00200804
.text C:\Windows\system32\lsass.exe[648] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002001F8
.text C:\Windows\system32\lsass.exe[648] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[656] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[764] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[764] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[764] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[764] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00220A08
.text C:\Windows\system32\svchost.exe[764] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002203FC
.text C:\Windows\system32\svchost.exe[764] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00220804
.text C:\Windows\system32\svchost.exe[764] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002201F8
.text C:\Windows\system32\svchost.exe[764] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00220600
.text C:\Windows\system32\nvvsvc.exe[832] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\nvvsvc.exe[832] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\nvvsvc.exe[832] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[832] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\nvvsvc.exe[832] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\nvvsvc.exe[832] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\nvvsvc.exe[832] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\nvvsvc.exe[832] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\svchost.exe[872] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[872] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[872] user32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00400A08
.text C:\Windows\system32\svchost.exe[872] user32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 004003FC
.text C:\Windows\system32\svchost.exe[872] user32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00400804
.text C:\Windows\system32\svchost.exe[872] user32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 004001F8
.text C:\Windows\system32\svchost.exe[872] user32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00400600
.text C:\Windows\System32\svchost.exe[968] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[968] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[968] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00550A08
.text C:\Windows\System32\svchost.exe[968] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 005503FC
.text C:\Windows\System32\svchost.exe[968] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00550804
.text C:\Windows\System32\svchost.exe[968] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 005501F8
.text C:\Windows\System32\svchost.exe[968] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00550600
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1024] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 01160A08
.text C:\Windows\system32\svchost.exe[1024] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 011603FC
.text C:\Windows\system32\svchost.exe[1024] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 01160804
.text C:\Windows\system32\svchost.exe[1024] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 011601F8
.text C:\Windows\system32\svchost.exe[1024] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 01160600
.text C:\Windows\system32\WUDFHost.exe[1076] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\WUDFHost.exe[1076] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\WUDFHost.exe[1076] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\WUDFHost.exe[1076] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\WUDFHost.exe[1076] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001003FC
.text C:\Windows\system32\WUDFHost.exe[1076] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00100804
.text C:\Windows\system32\WUDFHost.exe[1076] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\WUDFHost.exe[1076] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\taskhost.exe[1128] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[1128] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[1128] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[1128] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[1128] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[1128] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskhost.exe[1128] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskhost.exe[1128] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 000E0600
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001503FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001501F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!CallNextHookEx 75FCABE1 5 Bytes JMP 6E2A3CA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 6E35D90F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001F03FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 6E2F7DD1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!CreateWindowExW 75FCEC7C 5 Bytes JMP 6E333894 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!DialogBoxParamW 75FE3B9B 5 Bytes JMP 6E267F51 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!DialogBoxIndirectParamW 75FF3B7F 5 Bytes JMP 6E46DF28 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!DialogBoxParamA 7600CF42 5 Bytes JMP 6E46DEC5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!DialogBoxIndirectParamA 7600D274 5 Bytes JMP 6E46DF8B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!MessageBoxIndirectA 7601E869 5 Bytes JMP 6E46DE5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!MessageBoxIndirectW 7601E963 5 Bytes JMP 6E46DDEF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!MessageBoxExA 7601E9C9 5 Bytes JMP 6E46DD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] USER32.dll!MessageBoxExW 7601E9ED 5 Bytes JMP 6E46DD2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] ole32.dll!OleLoadFromStream 76466143 5 Bytes JMP 6E46E27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1152] ole32.dll!CoCreateInstance 764A9D0B 5 Bytes JMP 6E333422 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1180] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00990A08
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 009903FC
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00990804
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 009901F8
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00990600
.text C:\Windows\system32\taskeng.exe[1208] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\taskeng.exe[1208] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\taskeng.exe[1208] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1208] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 000F0A08
.text C:\Windows\system32\taskeng.exe[1208] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 000F03FC
.text C:\Windows\system32\taskeng.exe[1208] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 000F0804
.text C:\Windows\system32\taskeng.exe[1208] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 000F01F8
.text C:\Windows\system32\taskeng.exe[1208] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 000F0600
.text C:\Users\ADMINI~1\AppData\Local\Temp\Rar$EX00.725\gmer.exe[1252] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1256] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1256] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1256] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1256] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 002F0A08
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1256] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002F03FC
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1256] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 002F0804
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1256] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002F01F8
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1256] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 002F0600
.text C:\Windows\system32\nvvsvc.exe[1272] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\nvvsvc.exe[1272] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\nvvsvc.exe[1272] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[1272] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 002F0A08
.text C:\Windows\system32\nvvsvc.exe[1272] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002F03FC
.text C:\Windows\system32\nvvsvc.exe[1272] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 002F0804
.text C:\Windows\system32\nvvsvc.exe[1272] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002F01F8
.text C:\Windows\system32\nvvsvc.exe[1272] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 002F0600
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 02950A08
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 029503FC
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 02950804
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 029501F8
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 02950600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1392] kernel32.dll!SetUnhandledExceptionFilter 760DF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1392] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1424] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 001A0A08
.text C:\Windows\system32\svchost.exe[1424] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001A03FC
.text C:\Windows\system32\svchost.exe[1424] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 001A0804
.text C:\Windows\system32\svchost.exe[1424] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001A01F8
.text C:\Windows\system32\svchost.exe[1424] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 001A0600
.text C:\Windows\System32\spoolsv.exe[1756] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1756] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1756] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001403FC
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00140804
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00140600
.text C:\Windows\system32\Dwm.exe[1892] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[1892] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[1892] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1892] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00230A08
.text C:\Windows\system32\Dwm.exe[1892] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002303FC
.text C:\Windows\system32\Dwm.exe[1892] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00230804
.text C:\Windows\system32\Dwm.exe[1892] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002301F8
.text C:\Windows\system32\Dwm.exe[1892] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00230600
.text C:\Windows\System32\svchost.exe[1980] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1980] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1980] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2008] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2008] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2008] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[2060] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\taskeng.exe[2060] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\taskeng.exe[2060] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[2060] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\taskeng.exe[2060] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001303FC
.text C:\Windows\system32\taskeng.exe[2060] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00130804
.text C:\Windows\system32\taskeng.exe[2060] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\taskeng.exe[2060] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00130600
.text C:\Windows\System32\svchost.exe[2156] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[2156] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[2156] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2228] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[2228] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[2228] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2268] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000A03FC
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2268] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000A01F8
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2268] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2316] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000E03FC
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2316] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000E01F8
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2316] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2316] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00180A08
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2316] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001803FC
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2316] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00180804
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2316] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001801F8
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2316] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00180600
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2356] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2356] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2356] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2356] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00200A08
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2356] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002003FC
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2356] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00200804
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2356] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002001F8
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2356] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\svchost.exe[2384] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2384] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2384] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2408] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2408] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2408] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00280A08
.text C:\Windows\system32\svchost.exe[2408] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002803FC
.text C:\Windows\system32\svchost.exe[2408] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00280804
.text C:\Windows\system32\svchost.exe[2408] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002801F8
.text C:\Windows\system32\svchost.exe[2408] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00280600
.text C:\Program Files\a la mode\Sched\eSched.exe[2468] KERNEL32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2504] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000A03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2504] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000A01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2504] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2504] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00140A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2504] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2504] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00140804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2504] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2504] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00140600
.text C:\Windows\system32\fxssvc.exe[2604] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\fxssvc.exe[2604] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\fxssvc.exe[2604] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\fxssvc.exe[2604] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00210A08
.text C:\Windows\system32\fxssvc.exe[2604] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002103FC
.text C:\Windows\system32\fxssvc.exe[2604] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00210804
.text C:\Windows\system32\fxssvc.exe[2604] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002101F8
.text C:\Windows\system32\fxssvc.exe[2604] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00210600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2728] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2728] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2728] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2728] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2728] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2728] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2728] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2728] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00100600
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2800] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2800] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2800] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2800] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2800] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 002003FC
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2800] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00200804
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2800] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 002001F8
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2800] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00200600
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2832] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2832] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2832] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2832] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00190A08
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2832] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001903FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2832] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00190804
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2832] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001901F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2832] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00190600
.text C:\Windows\system32\taskhost.exe[2940] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[2940] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[2940] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2940] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[2940] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[2940] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskhost.exe[2940] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskhost.exe[2940] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 000E0600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3100] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Steam\Steam.exe[3168] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\Steam\Steam.exe[3168] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Program Files\Steam\Steam.exe[3168] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Steam\Steam.exe[3168] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Steam\Steam.exe[3168] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001F03FC
.text C:\Program Files\Steam\Steam.exe[3168] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 001F0804
.text C:\Program Files\Steam\Steam.exe[3168] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Steam\Steam.exe[3168] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 001F0600
.text C:\Program Files\WinRAR\WinRAR.exe[3228] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3296] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3296] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3296] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3296] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3296] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001003FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3296] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00100804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3296] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001001F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3296] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[3764] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3764] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3764] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3764] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 001D0A08
.text C:\Windows\system32\svchost.exe[3764] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001D03FC
.text C:\Windows\system32\svchost.exe[3764] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 001D0804
.text C:\Windows\system32\svchost.exe[3764] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001D01F8
.text C:\Windows\system32\svchost.exe[3764] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 001D0600
.text C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[3956] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[3956] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 001601F8
.text C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[3956] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[3956] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[3956] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 001F03FC
.text C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[3956] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 001F0804
.text C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[3956] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 001F01F8
.text C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[3956] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\ctfmon.exe[4348] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Windows\system32\AUDIODG.EXE[4836] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] ntdll.dll!LdrUnloadDll 77A8C8DE 5 Bytes JMP 000503FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] ntdll.dll!LdrLoadDll 77A922B8 5 Bytes JMP 000501F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!UnhookWindowsHookEx 75FCADF9 5 Bytes JMP 00080A08
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!UnhookWinEvent 75FCB750 5 Bytes JMP 000803FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!SetWindowsHookExW 75FCE30C 5 Bytes JMP 00080804
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!CreateWindowExW 75FCEC7C 5 Bytes JMP 6E333894 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!SetWinEventHook 75FD24DC 5 Bytes JMP 000801F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!DialogBoxParamW 75FE3B9B 5 Bytes JMP 6E267F51 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!DialogBoxIndirectParamW 75FF3B7F 5 Bytes JMP 6E46DF28 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!SetWindowsHookExA 75FF6D0C 5 Bytes JMP 00080600
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!DialogBoxParamA 7600CF42 5 Bytes JMP 6E46DEC5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!DialogBoxIndirectParamA 7600D274 5 Bytes JMP 6E46DF8B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!MessageBoxIndirectA 7601E869 5 Bytes JMP 6E46DE5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!MessageBoxIndirectW 7601E963 5 Bytes JMP 6E46DDEF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!MessageBoxExA 7601E9C9 5 Bytes JMP 6E46DD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5256] USER32.dll!MessageBoxExW 7601E9ED 5 Bytes JMP 6E46DD2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\WinRAR\WinRAR.exe[5524] kernel32.dll!GetBinaryTypeW + 70 760F69F4 1 Byte [62]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Windows\explorer.exe [604] 0x02990000

---- Files - GMER 1.0.15 ----

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG1 17408 bytes
File C:\## aswSnx private storage\snx_rhive.LOG2 0 bytes
File C:\## aswSnx private storage\snx_rhive{ca51d198-28f2-11e1-9d15-001b210f00bf}.TM.blf 65536 bytes
File C:\## aswSnx private storage\snx_rhive{ca51d198-28f2-11e1-9d15-001b210f00bf}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\## aswSnx private storage\snx_rhive{ca51d198-28f2-11e1-9d15-001b210f00bf}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
File C:\## aswSnx private storage\webStorage 0 bytes
File C:\## aswSnx private storage\webStorage\attrib 0 bytes
File C:\## aswSnx private storage\webStorage\image 0 bytes
File C:\## aswSnx private storage\webStorage\image\Windows 0 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch 0 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch\CONHOST.EXE-3218E401.pf 12572 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch\IEXPLORE.EXE-1A987FB7.pf 9990 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch\IEXPLORE.EXE-1FDB3730.pf 10744 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch\IEXPLORE.EXE-84C00C22.pf 14234 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch\IEXPLORE.EXE-DDAB4C02.pf 13356 bytes
File C:\## aswSnx private storage\webStorage\snx_fs.dat 1026 bytes
File C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\6GZYWHRM.txt 442 bytes
File C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\YW4SA993.txt 277 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776 0 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\@ 2048 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\bckfg.tmp 849 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\cfg.ini 207 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\keywords 292 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\L 0 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\L\wtvxtapx 187904 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\U 0 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB53185$\1744414776\U\80000032.@ 97792 bytes
File C:\Windows\$NtUninstallKB53185$\2115462962 0 bytes

---- EOF - GMER 1.0.15 ----

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:11:40 AM

Posted 28 December 2011 - 01:15 AM

Good Evening!

Apologies for the delay in responding to you. I did not intend to make you wait this long for a response, but with the holidays, and then getting sick, it couldn't have been helped. I should be back to posting at more regular intervals now. I hope you are enjoying the holidays!

Please delete the current copy of ComboFix and download a new copy from one of the two links below.

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 AndyButler

AndyButler
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:40 AM

Posted 28 December 2011 - 10:22 PM

I ran ComboFix and it fixed some things, but when it restarted my computer it restarted Avast and the log didn't print. Is there anywhere I can find the log and paste it? Andy

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:11:40 AM

Posted 29 December 2011 - 02:03 AM

Hi Andy,

Yes, you should be able to locate the log in your C:\ drive. It should be named ComboFix.txt.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 AndyButler

AndyButler
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:40 AM

Posted 29 December 2011 - 09:07 AM

Here is the ComboFix log: the computer has been running well with no redirects or malicious URLs. No ping.exe problems at all. Hope that ComboFix gets rid of what was left of this thing.

ComboFix 11-12-28.03 - Administrator 12/28/2011 21:44:22.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3327.2682 [GMT -5:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\windows\$NtUninstallKB53185$
c:\windows\$NtUninstallKB53185$\1744414776\@
c:\windows\$NtUninstallKB53185$\1744414776\bckfg.tmp
c:\windows\$NtUninstallKB53185$\1744414776\cfg.ini
c:\windows\$NtUninstallKB53185$\1744414776\Desktop.ini
c:\windows\$NtUninstallKB53185$\1744414776\keywords
c:\windows\$NtUninstallKB53185$\1744414776\kwrd.dll
c:\windows\$NtUninstallKB53185$\1744414776\L\wtvxtapx
c:\windows\$NtUninstallKB53185$\1744414776\lsflt7.ver
c:\windows\$NtUninstallKB53185$\1744414776\U\00000001.@
c:\windows\$NtUninstallKB53185$\1744414776\U\00000002.@
c:\windows\$NtUninstallKB53185$\1744414776\U\00000004.@
c:\windows\$NtUninstallKB53185$\1744414776\U\80000000.@
c:\windows\$NtUninstallKB53185$\1744414776\U\80000004.@
c:\windows\$NtUninstallKB53185$\1744414776\U\80000032.@
c:\windows\$NtUninstallKB53185$\2115462962
c:\windows\system32\SET33D1.tmp
c:\windows\system32\SETA7A6.tmp
c:\windows\system32\SETCAAF.tmp
c:\windows\system32\sm56co85.txt
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 03:07 . 2011-12-29 03:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-12-29 03:07 . 2011-12-29 03:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-29 03:07 . 2011-12-29 03:07 -------- d-----w- c:\users\Andy\AppData\Local\temp
2011-12-29 03:07 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-28 21:06 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-23 15:22 . 2011-12-23 15:22 -------- dc----w- c:\users\Administrator\AppData\Local\MigWiz
2011-12-21 18:41 . 2011-12-21 18:41 -------- d-----w- c:\users\Administrator\AppData\Roaming\Kodak
2011-12-21 18:40 . 2011-12-21 18:40 -------- d-----w- c:\program files\DIFX
2011-12-21 18:39 . 2011-12-21 18:39 -------- d-----w- c:\programdata\{A0559A84-0A11-425F-BFFC-532378694B25}
2011-12-21 00:14 . 2011-12-21 00:14 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2011-12-21 00:14 . 2011-12-21 00:14 567184 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-21 00:14 . 2011-12-21 00:14 -------- d-----w- c:\program files\Java
2011-12-20 16:12 . 2011-12-20 16:12 -------- d-----w- c:\program files\ESET
2011-12-19 17:51 . 2011-12-19 17:51 388096 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-19 17:51 . 2011-12-19 17:51 -------- d-----w- c:\program files\Trend Micro
2011-12-19 17:24 . 2011-12-19 19:27 -------- d-----w- C:\TDSSKiller_Quarantine
2011-12-17 23:19 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-12-17 23:19 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-12-17 23:19 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-12-17 23:19 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-12-17 23:19 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-17 23:19 . 2011-11-28 17:52 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-12-17 23:17 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2011-12-17 23:17 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-12-17 19:41 . 2011-12-17 23:17 -------- d-----w- c:\programdata\AVAST Software
2011-12-17 19:41 . 2011-12-17 23:17 -------- d-----w- c:\program files\AVAST Software
2011-12-17 19:39 . 2011-12-19 17:52 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-17 19:39 . 2011-12-19 17:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-17 19:11 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-16 09:00 . 2011-12-16 09:00 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{028723C5-D80F-438A-9498-1866496657A0}\offreg.dll
2011-12-16 09:00 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{028723C5-D80F-438A-9498-1866496657A0}\mpengine.dll
2011-12-13 22:51 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-13 22:51 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 22:51 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 22:26 . 2009-04-07 04:08 3956736 ----a-w- c:\windows\system32\alarpt5.ocx
2011-11-18 22:25 . 2009-04-07 04:08 1191936 ----a-w- c:\windows\system32\alasbys.ocx
2011-11-18 20:25 . 2009-04-07 04:08 861512 ----a-w- c:\windows\system32\wtapi.exe
2011-11-17 16:42 . 2011-06-16 03:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-11 15:52 . 2009-04-07 04:08 2176328 ----a-w- c:\windows\system32\xsitenet.dll
2011-11-11 13:34 . 2009-03-24 14:04 558408 ----a-w- c:\windows\system32\mercsettings.dll
2011-11-02 18:40 . 2009-04-07 04:08 3749192 ----a-w- c:\windows\system32\filecabinet5.dll
2011-11-02 18:38 . 2009-11-23 18:05 247112 ----a-w- c:\windows\system32\alaiphone.dll
2011-10-25 18:23 . 2010-05-06 11:56 815104 ----a-w- c:\windows\system32\alaaird.ocx
2011-10-18 15:22 . 2009-04-07 04:08 1642496 ----a-w- c:\windows\system32\alaform2.ocx
2011-10-07 13:33 . 2009-04-07 04:08 2377032 ----a-w- c:\windows\system32\alamapctrl.dll
2011-10-04 16:50 . 2009-04-07 04:08 423240 ----a-w- c:\windows\system32\alaxml.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-04 6957600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Launch Utility Application.lnk - c:\users\Administrator\AppData\Roaming\Verizon\UA_ar\UtilityApplication.exe [2011-1-27 487424]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
backup=c:\windows\pss\HP LaserJet Director.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-11-20 14:06 178688 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmiboot]
2007-02-12 14:08 65536 ----a-w- c:\windows\cmiboot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
2007-06-29 22:56 278528 ----a-w- c:\program files\Portrait Displays\HP My Display\dthtml.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-01-30 05:10 46632 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 16:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 18:36 36864 ----a-w- c:\windows\RaidTool\xInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-01-16 21:04 3632744 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-16 21:04 111208 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-01-30 05:12 30248 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2009-03-04 22:07 6957600 ----a-w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2010-11-20 12:17 1174016 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2009-10-26 19:46 1458176 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The Assistant]
2007-04-16 12:18 99840 ----a-w- c:\program files\a la mode\Sched\eSched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-05-07 12:36 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-07-14 01:14 65024 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9be0f5004360;Google Update Service (gupdate1c9be0f5004360);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 133104]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-06-06 211984]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 133104]
R3 MSICDSetup;MSICDSetup;D:\CDriver.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-18 1343400]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]
R4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x]
R4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-05-07 92008]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-11-28 55128]
S2 MSSQL$ALAMODE;SQL Server (ALAMODE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-16 378984]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [2009-10-13 49152]
S3 CMISTOR;CMIUCR.SYS CM320/CM220 Card Reader Driver;c:\windows\system32\DRIVERS\cmiucr.SYS [2007-09-10 95616]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-11-12 122984]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 21:13]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
Trusted Zone: bing.com
Trusted Zone: eappraiseit.com\talon
Trusted Zone: fnismls.com
Trusted Zone: live.com
Trusted Zone: rdesk.com
Trusted Zone: rexplorer.net
Trusted Zone: safemls.net
Trusted Zone: xmlsweb.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{448CD02B-25D3-4D80-A2AE-172D7D0CF03B}: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DEE8747C-EC09-449D-80A0-CFA8EC577434}: DhcpNameServer = 192.168.1.1
DPF: {CD27EEF6-55B8-4F24-99C5-E1191D814445} - file:///C:/a%20la%20mode/WinTOTAL/Content/cabs/alaWeb5.CAB
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-InstallShield_{BF36BCF3-FA5C-402B-AA20-3909B813142A} - c:\users\Administrator\AppData\Roaming\InstallShield Installation Information\{BF36BCF3-FA5C-402B-AA20-3909B813142A}\setup.exe/uninst -removeonly
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,0b,33,71,1a,ca,a3,4c,87,e4,1f,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,05,0f,5d,93,9b,69,b8,47,a8,f1,eb,\
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3GP\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AVI"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wordview.exe"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Microsoft Internet Mail Message WLMail"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hol\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.hol"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ibc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.ibc"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ics\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.ics"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.m3u"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M4A"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MOV"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.msg"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Microsoft Internet Mail VCard WLMail"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcs\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.vcs"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-4263895640-4010197635-618819606-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\fxssvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\program files\Kodak\KODAK Share Button App\Listener.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\windows\system32\sppsvc.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\a la mode\WinTOTAL\Utils\alaNetXDlg.exe
.
**************************************************************************
.
Completion time: 2011-12-28 22:18:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-29 03:18
.
Pre-Run: 144,298,856,448 bytes free
Post-Run: 144,237,051,904 bytes free
.
- - End Of File - - 96003FCD9CEF98E54843B978D8995224

Edited by AndyButler, 29 December 2011 - 05:18 PM.


#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:40 AM

Posted 30 December 2011 - 02:50 AM

Good Evening!

It looks like ComboFix was able to do what it needed to do and fix a few things.

I'd like to have you run a new scan with TDSSKiller. Please pay careful attention to the instructions below:

Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Let's see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus and anti-spyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 AndyButler

AndyButler
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 30 December 2011 - 12:39 PM

tdsskiller didn't find any threats so it didn't produce a log. OMG eset found 1 file and deleted it. I thought I had unchecked "remove found threats".



Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.30.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Administrator :: BUTLER-PC [administrator]

12/30/2011 12:29:06 PM
mbam-log-2011-12-30 (12-29-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196100
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Security Check

Results of screen317's Security Check version 0.99.30
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

avast! Free Antivirus
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Wise Registry Cleaner Professional V5.8.2
Java™ 7 Update 2
Adobe Flash Player 10.3.181.26 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

ESET ESET Online Scanner OnlineCmdLineScanner.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
``````````End of Log````````````

ESET

C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-275404cf a variant of Java/Agent.DZ trojan deleted - quarantined

Edited by AndyButler, 30 December 2011 - 04:43 PM.


#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:40 AM

Posted 31 December 2011 - 04:26 AM

Good Evening!

It looks like the threat that was found by ESET was an infection in your Java cache.

From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Let's address those programs that need updating now!

Your SecurityCheck log indicates that your version of Flash Player is outdated. This is a vulnerability that needs to be addressed. Please remove the outdated version of Flash Player and then install the latest version.


Your version of Internet Explorer is outdated.



NEXT:



Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<. Foxit Reader has fewer add-ons and therefore loads more quickly.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

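A defender-side check of what the OTL fix in this post changes, added here as an example and not taken from the post or from OTL: it audits the hosts file that [resethosts] rewrites (the kind of entries behind browser redirects) and reports whether the "cacls ... /G everyone:f" step left Everyone with write access. It assumes Windows PowerShell 3.0 or later; the sample hosts content under -Demo is constructed.

```powershell
# Added example, not part of the forum post or of OTL: audit the hosts file that
# the OTL [resethosts] command rewrites, and check the ACL that the cacls step
# loosens. Assumes Windows PowerShell 3.0+ (for -in/-notin).
param(
    [string]$HostsPath = (Join-Path $env:WinDir 'System32\drivers\etc\hosts'),
    [switch]$Demo   # use the constructed sample below instead of the real file
)

# Constructed sample: the two default lines plus two patterns typical of redirect infections.
$sampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com        # popular site redirected elsewhere (constructed)
127.0.0.1       update.avast.com      # AV update server pinned to loopback (constructed)
'@ -split "`r?`n"

# Addresses Windows itself uses for localhost; anything else that is active was added later.
$loopback = @('127.0.0.1', '::1')

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($raw in $Lines) {
        # Drop comments and whitespace; skip lines that carry no address/name pair.
        $line = ($raw -split '#', 2)[0].Trim()
        if ($line.Length -eq 0) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        [pscustomobject]@{
            Address   = $parts[0]
            Hostnames = @($parts[1..($parts.Count - 1)])
            Raw       = $raw
        }
    }
}

function Get-SuspiciousReasons {
    param($Entry)
    $reasons = @()
    foreach ($name in $Entry.Hostnames) {
        # The only entries a clean Windows 7 hosts file needs are localhost -> loopback.
        if (($Entry.Address -in $loopback) -and ($name -eq 'localhost')) { continue }
        if ($Entry.Address -notin $loopback) {
            # A public name pointed at some other address is the classic hosts-file redirect.
            $reasons += "redirects $name to $($Entry.Address)"
        } elseif ($name -match 'update|microsoft|windowsupdate|avast|malwarebytes|eset|kaspersky') {
            # Security vendors pinned to loopback silently break updates and online scans.
            $reasons += "blocks security/update site $name"
        } else {
            $reasons += "pins $name to loopback"
        }
    }
    return $reasons
}

function Test-HostsAcl {
    param([string]$Path)
    # After the OTL cacls step, Everyone holds Full Control. The Windows default is
    # SYSTEM and Administrators: Full Control, Users: Read & Execute, so flag broad write access.
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Everyone|Users' -and
        $_.FileSystemRights -match 'FullControl|Write|Modify'
    } | ForEach-Object { "$($_.IdentityReference) has $($_.FileSystemRights)" }
}

$lines = if ($Demo) { $sampleHosts } else { Get-Content -Path $HostsPath -ErrorAction Stop }

$findings = 0
foreach ($entry in Get-HostsEntries -Lines $lines) {
    $why = @(Get-SuspiciousReasons -Entry $entry)
    if ($why.Count -gt 0) {
        $findings++
        Write-Output ("SUSPICIOUS: {0}`n    {1}" -f $entry.Raw.Trim(), ($why -join '; '))
    }
}
Write-Output "Active non-default entries flagged: $findings"

if (-not $Demo) {
    $loose = @(Test-HostsAcl -Path $HostsPath)
    if ($loose.Count -gt 0) {
        Write-Output "ACL: $($loose -join ', ') - restore the default permissions once the fix is done."
    } else {
        Write-Output 'ACL: no broad write access on the hosts file.'
    }
}
```

Run with -Demo to see the two constructed entries flagged; run without it (from an elevated prompt, since reading the file is allowed but the ACL query is clearer there) to audit the live hosts file after the OTL fix.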


#13 AndyButler

AndyButler
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 31 December 2011 - 12:22 PM

Not experiencing any issues that I can see. Here are the OTL logs:


All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\Windows\system32\drivers\etc\hosts
C:\Users\Administrator\Desktop\cmd.bat deleted successfully.
C:\Users\Administrator\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Administrator\Desktop\cmd.bat deleted successfully.
C:\Users\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 38991056 bytes
->Temporary Internet Files folder emptied: 42648856 bytes
->Java cache emptied: 1830460 bytes
->Flash cache emptied: 41519 bytes

User: All Users

User: Andy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3543205 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 23061 bytes
RecycleBin emptied: 18623419 bytes

Total Files Cleaned = 101.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Andy

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12312011_121542

Files\Folders moved on Reboot...
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF06136ADAE501CFA1.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF1ABF5051F9FCCC5F.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF1B69CBE1506DCC66.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF3C51F71A3FB93852.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF5A76577F8C8E52EE.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF6173B03F7741F09E.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF646DBD3DA948684B.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF752FC2A9F74C3D82.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DF78333539543D2DB5.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFB45D1909A85F9C4D.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFB9E3E90CB1951761.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFDD0E4A66E52D43AD.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFE6B5A6C9DBEF249F.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFF4E7E37A0EF48674.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFF88B018C753B89AF.TMP not found!
File\Folder C:\Users\Administrator\AppData\Local\Temp\~DFFE6A4655A37456A6.TMP not found!
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

OTL logfile created on: 12/31/2011 12:24:00 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.14 Gb Available Physical Memory | 65.81% Memory free
6.50 Gb Paging File | 5.39 Gb Available in Paging File | 82.95% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 141.09 Gb Free Space | 47.33% Space Free | Partition Type: NTFS

Computer Name: BUTLER-PC | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/23 09:57:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
PRC - [2011/11/28 13:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/09/22 13:26:26 | 000,107,008 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
PRC - [2011/08/02 09:19:22 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/01/16 16:04:04 | 000,803,432 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
PRC - [2011/01/16 15:13:52 | 000,378,984 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2010/11/20 07:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/10/26 14:46:54 | 001,458,176 | ---- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2009/07/13 20:14:46 | 000,115,200 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2007/04/16 07:18:04 | 000,099,840 | ---- | M] (a la mode, inc.) -- C:\Program Files\a la mode\Sched\eSched.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/30 18:23:29 | 001,670,144 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\dd759df05fad8dc6d3404e8e02b40819\Microsoft.VisualBasic.ni.dll
MOD - [2011/12/30 12:36:07 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b559a471eef00081f0b5c2719d1d9623\System.Runtime.Remoting.ni.dll
MOD - [2011/12/08 11:50:51 | 014,410,024 | ---- | M] () -- C:\Program Files\Steam\bin\libcef.dll
MOD - [2011/12/08 11:50:49 | 000,194,344 | ---- | M] () -- C:\Program Files\Steam\bin\chromehtml.dll
MOD - [2011/12/08 11:50:47 | 000,091,432 | ---- | M] () -- C:\Program Files\Steam\bin\avutil-50.dll
MOD - [2011/12/08 11:50:45 | 000,155,432 | ---- | M] () -- C:\Program Files\Steam\bin\avformat-52.dll
MOD - [2011/12/08 11:50:43 | 000,914,216 | ---- | M] () -- C:\Program Files\Steam\bin\avcodec-52.dll
MOD - [2011/10/12 10:45:24 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e592e424a204aafeadbe22b6b31b9db\System.Windows.Forms.ni.dll
MOD - [2011/10/12 10:44:56 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3b2cfd85528a27eb71dc41d8067359a1\System.Drawing.ni.dll
MOD - [2011/10/12 10:44:52 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
MOD - [2011/10/12 10:44:48 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
MOD - [2011/10/12 10:44:42 | 007,963,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
MOD - [2011/10/12 10:44:35 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2006/11/17 18:18:50 | 000,122,880 | ---- | M] () -- C:\Windows\System32\ala32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (XMLProvS)
SRV - File not found [On_Demand | Stopped] -- -- (WPFFontCache_v0400)
SRV - File not found [Disabled | Stopped] -- -- (LMIGuardianSvc)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/11/14 10:51:08 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/18 02:00:54 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/01/16 15:13:52 | 000,378,984 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/05/07 07:36:10 | 000,092,008 | ---- | M] (TomTom) [Disabled | Stopped] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2007/06/29 17:54:16 | 000,073,728 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe -- (DTSRVC)


========== Driver Services (SafeList) ==========

DRV - [2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 12:52:07 | 000,055,128 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/06/06 17:06:54 | 000,211,984 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AtihdW73.sys -- (AtiHDAudioService)
DRV - [2011/01/16 18:53:00 | 010,480,296 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 04:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/12 02:10:52 | 000,122,984 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2010/01/27 11:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2009/10/26 15:09:06 | 001,095,936 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2009/10/13 01:16:02 | 000,049,152 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\l160x86.sys -- (AtcL001)
DRV - [2009/09/30 09:33:56 | 000,104,976 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009/01/14 16:43:50 | 000,083,808 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2008/09/08 22:58:14 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2007/09/10 06:49:46 | 000,095,616 | ---- | M] (C-Media Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmiucr.SYS -- (CMISTOR)
DRV - [2007/06/29 13:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2006/11/16 17:20:48 | 000,015,920 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PdiPorts.sys -- (PdiPorts)
DRV - [2006/10/18 16:44:48 | 000,007,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2006/02/07 14:52:58 | 000,006,912 | ---- | M] (JMicron ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\JGOGO.sys -- (JGOGO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/intl/searchpane/en-au/prov2.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7
FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8064.0206: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/09/22 12:29:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/09/22 12:29:30 | 000,000,000 | ---D | M]

[2011/04/17 19:19:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions
[2010/06/14 21:53:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions\home2@tomtom.com
[2011/04/17 19:08:00 | 000,000,000 | ---D | M] (Map status indicator) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

O1 HOSTS File: ([2011/12/31 12:15:45 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Utility Application.lnk = C:\Users\Administrator\AppData\Roaming\Verizon\UA_ar\UtilityApplication.exe (Samsung Electronices Co., Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000 File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O15 - HKCU\..Trusted Domains: bing.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: eappraiseit.com ([talon] https in Trusted sites)
O15 - HKCU\..Trusted Domains: fnismls.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: live.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: rdesk.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: rexplorer.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: safemls.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: xmlsweb.com ([]* in Trusted sites)
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} http://rcar.fnismls.com/Paragon/Codebase/FNISPrintControl.cab (PrintPreview Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 10.2.0)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {CD27EEF6-55B8-4F24-99C5-E1191D814445} file:///C:/a%20la%20mode/WinTOTAL/Content/cabs/alaWeb5.CAB (alaWeb5.cUtil)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{448CD02B-25D3-4D80-A2AE-172D7D0CF03B}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{89F87965-3244-4356-BDA3-95C1CD7FACC7}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DEE8747C-EC09-449D-80A0-CFA8EC577434}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codec - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: wave2 - C:\Windows\System32\serwvdrv.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/12/31 12:15:42 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/30 13:24:15 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Documents\My Print Creations
[2011/12/30 12:23:35 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Virus logs
[2011/12/28 22:11:04 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/12/28 22:07:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\temp
[2011/12/28 15:59:30 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/12/23 10:22:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\MigWiz
[2011/12/23 09:57:55 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2011/12/21 13:41:19 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Kodak
[2011/12/21 13:40:35 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2011/12/21 13:39:44 | 000,000,000 | ---D | C] -- C:\ProgramData\{A0559A84-0A11-425F-BFFC-532378694B25}
[2011/12/20 19:14:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/12/20 19:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/12/20 11:12:17 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/12/19 16:14:30 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/19 16:14:30 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/19 16:14:30 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/19 16:14:20 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/19 16:14:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/19 16:09:28 | 004,354,974 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
[2011/12/19 15:39:07 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
[2011/12/19 14:56:59 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe
[2011/12/19 12:51:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/12/19 12:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/12/19 12:24:00 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2011/12/17 18:19:10 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/12/17 18:19:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/12/17 18:19:09 | 000,314,456 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/12/17 18:19:07 | 000,052,952 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/12/17 18:19:07 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/12/17 18:19:06 | 000,435,032 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/12/17 18:19:04 | 000,055,128 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/12/17 18:17:58 | 000,199,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/12/17 18:17:58 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/12/17 14:41:53 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2011/12/17 14:41:53 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/12/17 14:39:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/12/17 14:39:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/12/17 14:39:16 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/12/17 14:11:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/17 14:11:44 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/12/15 14:03:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TOTAL Sketch
[2009/04/06 23:08:29 | 000,098,304 | ---- | C] ( ) -- C:\Windows\System32\AutoLicense.dll
[2009/04/06 23:08:29 | 000,045,056 | ---- | C] ( ) -- C:\Windows\System32\AutoPAX.dll
[2009/04/06 23:08:26 | 000,122,880 | ---- | C] ( ) -- C:\Windows\System32\alauploader.exe

========== Files - Modified Within 30 Days ==========

[2011/12/31 12:26:15 | 000,010,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/31 12:26:15 | 000,010,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/31 12:24:59 | 000,673,552 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/31 12:24:59 | 000,124,622 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/31 12:19:01 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/31 12:18:36 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/31 12:18:30 | 2616,549,376 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/31 12:15:45 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/12/31 12:11:56 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/12/31 12:01:53 | 000,001,407 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/12/31 11:58:00 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2011/12/31 11:51:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/30 20:07:53 | 000,052,966 | ---- | M] () -- C:\Windows\alaredun.ini
[2011/12/30 20:07:53 | 000,004,853 | ---- | M] () -- C:\Windows\alamode.ini
[2011/12/30 20:07:27 | 000,000,364 | ---- | M] () -- C:\Windows\MercuryWT.ini
[2011/12/30 20:04:41 | 001,574,865 | ---- | M] () -- C:\Users\Administrator\Desktop\414 Stoneridge Dr.PDF
[2011/12/30 17:23:08 | 001,412,454 | ---- | M] () -- C:\Users\Administrator\Desktop\1737 Yaphank Rd.PDF
[2011/12/30 12:35:29 | 000,879,683 | ---- | M] () -- C:\Users\Administrator\Desktop\SecurityCheck.exe
[2011/12/30 12:28:41 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/30 12:26:35 | 001,558,406 | ---- | M] () -- C:\Users\Administrator\Desktop\tdsskiller.zip
[2011/12/29 14:45:04 | 001,684,686 | ---- | M] () -- C:\Users\Administrator\Desktop\415 S Seminole Dr.PDF
[2011/12/29 12:42:47 | 000,634,859 | ---- | M] () -- C:\Users\Administrator\Desktop\703 Hathaway Dr.PDF
[2011/12/28 15:58:08 | 004,354,974 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
[2011/12/28 15:50:40 | 001,487,982 | ---- | M] () -- C:\Users\Administrator\Desktop\2253 Laurel Hills Dr NW.PDF
[2011/12/28 11:27:23 | 001,613,329 | ---- | M] () -- C:\Users\Administrator\Desktop\615 Georgia Avenue.PDF
[2011/12/27 15:50:40 | 001,539,507 | ---- | M] () -- C:\Windows\System32\alaXML.xtf
[2011/12/27 13:02:23 | 001,516,941 | ---- | M] () -- C:\Users\Administrator\Desktop\5606 Crestview Dr.PDF
[2011/12/23 12:13:57 | 001,153,699 | ---- | M] () -- C:\Users\Administrator\Desktop\1911 Thompson St SE.PDF
[2011/12/23 09:57:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2011/12/23 09:50:43 | 000,294,195 | ---- | M] () -- C:\Users\Administrator\Desktop\gmer.zip
[2011/12/22 17:18:24 | 001,674,088 | ---- | M] () -- C:\Users\Administrator\Desktop\3938 Laird Ln.PDF
[2011/12/22 16:54:29 | 000,000,059 | ---- | M] () -- C:\Windows\Ltdlgfileu.INI
[2011/12/22 14:48:33 | 001,767,832 | ---- | M] () -- C:\Users\Administrator\Desktop\3810 Forest Highland Dr.PDF
[2011/12/22 12:29:23 | 058,504,192 | R--- | M] () -- C:\Users\Public\Documents\ESBK.mbb
[2011/12/22 12:29:23 | 026,430,464 | R--- | M] () -- C:\Users\Public\Documents\ESBK.mb
[2011/12/21 18:26:08 | 001,663,181 | ---- | M] () -- C:\Users\Administrator\Desktop\1414 Brentwood Dr.PDF
[2011/12/20 11:44:18 | 000,395,875 | ---- | M] () -- C:\Users\Administrator\Desktop\MiniToolBox.exe
[2011/12/20 00:45:32 | 001,888,930 | ---- | M] () -- C:\Users\Administrator\Desktop\65 Whispering Pine Dr.PDF
[2011/12/19 19:39:21 | 001,601,564 | ---- | M] () -- C:\Users\Administrator\Desktop\900 Tippings Ct.PDF
[2011/12/19 15:39:12 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
[2011/12/19 15:29:17 | 000,050,477 | ---- | M] () -- C:\Users\Administrator\Desktop\Defogger.exe
[2011/12/19 14:57:11 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe
[2011/12/19 12:51:14 | 000,002,999 | ---- | M] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/12/17 18:19:10 | 000,001,994 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/12/17 18:19:04 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/12/17 14:39:23 | 000,001,216 | ---- | M] () -- C:\Users\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2011/12/17 14:08:04 | 000,010,416 | -HS- | M] () -- C:\Users\Administrator\AppData\Local\mcovru1q8brh1wun5tli0c265t8p
[2011/12/17 14:08:04 | 000,010,416 | -HS- | M] () -- C:\ProgramData\mcovru1q8brh1wun5tli0c265t8p
[2011/12/17 12:35:28 | 000,103,365 | ---- | M] () -- C:\Windows\System32\itusbcore.dat
[2011/12/17 12:35:28 | 000,000,197 | ---- | M] () -- C:\Windows\System32\itlsvc.dat
[2011/12/17 12:30:15 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2011/12/16 16:34:45 | 001,608,437 | ---- | M] () -- C:\Users\Administrator\Desktop\219 E Farrell St.PDF
[2011/12/16 14:59:11 | 001,446,141 | ---- | M] () -- C:\Users\Administrator\Desktop\9503 Vine St.PDF
[2011/12/15 14:58:31 | 001,608,193 | ---- | M] () -- C:\Users\Administrator\Desktop\184 Hunters Run Pl NW.PDF
[2011/12/15 14:03:16 | 000,000,876 | ---- | M] () -- C:\Users\Public\Desktop\TOTAL Sketch.lnk
[2011/12/15 12:50:45 | 001,052,846 | ---- | M] () -- C:\Users\Administrator\Desktop\3510 Timber Hill Dr SE.PDF
[2011/12/14 16:02:09 | 001,662,445 | ---- | M] () -- C:\Users\Administrator\Desktop\627 N Valley Dr.PDF
[2011/12/14 14:24:58 | 006,100,639 | ---- | M] () -- C:\Users\Administrator\Desktop\233 County Road 587.PDF
[2011/12/14 13:39:39 | 001,767,895 | ---- | M] () -- C:\Users\Administrator\Desktop\1625 John Ross Rd.PDF
[2011/12/13 18:09:11 | 000,488,248 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/13 16:55:16 | 001,625,019 | ---- | M] () -- C:\Users\Administrator\Desktop\149 County Road 29.PDF
[2011/12/13 14:13:31 | 001,715,324 | ---- | M] () -- C:\Users\Administrator\Desktop\3015 13th Ave.PDF
[2011/12/12 17:41:29 | 003,842,048 | ---- | M] () -- C:\Users\Administrator\Documents\My Money.mny
[2011/12/12 17:41:27 | 000,557,552 | R--- | M] () -- C:\Users\Administrator\Documents\My Money Backup_2011-12-12_174125.mbf
[2011/12/12 16:13:53 | 001,555,428 | ---- | M] () -- C:\Users\Administrator\Desktop\3112 Huntingdon Trace.PDF
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/12/09 15:39:28 | 001,711,406 | ---- | M] () -- C:\Users\Administrator\Desktop\3619 Tanaka Trail.PDF
[2011/12/07 13:44:17 | 001,363,691 | ---- | M] () -- C:\Users\Administrator\Desktop\7990 Trout Lily Dr.PDF
[2011/12/07 12:07:34 | 001,505,911 | ---- | M] () -- C:\Users\Administrator\Desktop\7012 Windcrest Ln.PDF
[2011/12/06 13:46:04 | 001,368,718 | ---- | M] () -- C:\Users\Administrator\Desktop\235 Shenandoah Ln NW.PDF
[2011/12/06 11:45:21 | 001,653,537 | ---- | M] () -- C:\Users\Administrator\Desktop\402 Emmett Ave NW.PDF
[2011/12/05 17:12:07 | 001,636,883 | ---- | M] () -- C:\Users\Administrator\Desktop\3906 Kemp Cir.PDF
[2011/12/05 13:10:26 | 001,559,046 | ---- | M] () -- C:\Users\Administrator\Desktop\4914 Saint Elmo Ave.PDF
[2011/12/02 18:25:02 | 001,641,430 | ---- | M] () -- C:\Users\Administrator\Desktop\1179 Penobscot Dr.PDF
[2011/12/02 16:38:57 | 001,516,011 | ---- | M] () -- C:\Users\Administrator\Desktop\675 Pinhook Rd.PDF
[2011/12/01 16:51:28 | 001,683,082 | ---- | M] () -- C:\Users\Administrator\Desktop\2426 Jenkins Rd.PDF
[2011/12/01 15:21:25 | 001,960,652 | ---- | M] () -- C:\Users\Administrator\Desktop\1523 Rowewood Dr.PDF

========== Files Created - No Company Name ==========

[2011/12/31 12:11:56 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/12/31 12:11:56 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/12/31 11:58:00 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2011/12/30 20:07:53 | 000,052,966 | ---- | C] () -- C:\Windows\alaredun.ini
[2011/12/30 20:04:36 | 001,574,865 | ---- | C] () -- C:\Users\Administrator\Desktop\414 Stoneridge Dr.PDF
[2011/12/30 17:23:08 | 001,412,454 | ---- | C] () -- C:\Users\Administrator\Desktop\1737 Yaphank Rd.PDF
[2011/12/30 12:35:27 | 000,879,683 | ---- | C] () -- C:\Users\Administrator\Desktop\SecurityCheck.exe
[2011/12/30 12:28:41 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/29 14:44:58 | 001,684,686 | ---- | C] () -- C:\Users\Administrator\Desktop\415 S Seminole Dr.PDF
[2011/12/29 12:42:44 | 000,634,859 | ---- | C] () -- C:\Users\Administrator\Desktop\703 Hathaway Dr.PDF
[2011/12/28 15:50:33 | 001,487,982 | ---- | C] () -- C:\Users\Administrator\Desktop\2253 Laurel Hills Dr NW.PDF
[2011/12/28 11:27:15 | 001,613,329 | ---- | C] () -- C:\Users\Administrator\Desktop\615 Georgia Avenue.PDF
[2011/12/27 15:50:40 | 001,539,507 | ---- | C] () -- C:\Windows\System32\alaXML.xtf
[2011/12/27 13:02:23 | 001,516,941 | ---- | C] () -- C:\Users\Administrator\Desktop\5606 Crestview Dr.PDF
[2011/12/23 12:13:51 | 001,153,699 | ---- | C] () -- C:\Users\Administrator\Desktop\1911 Thompson St SE.PDF
[2011/12/23 09:50:42 | 000,294,195 | ---- | C] () -- C:\Users\Administrator\Desktop\gmer.zip
[2011/12/22 17:18:19 | 001,674,088 | ---- | C] () -- C:\Users\Administrator\Desktop\3938 Laird Ln.PDF
[2011/12/22 14:48:28 | 001,767,832 | ---- | C] () -- C:\Users\Administrator\Desktop\3810 Forest Highland Dr.PDF
[2011/12/21 18:26:08 | 001,663,181 | ---- | C] () -- C:\Users\Administrator\Desktop\1414 Brentwood Dr.PDF
[2011/12/20 11:44:13 | 000,395,875 | ---- | C] () -- C:\Users\Administrator\Desktop\MiniToolBox.exe
[2011/12/20 00:45:26 | 001,888,930 | ---- | C] () -- C:\Users\Administrator\Desktop\65 Whispering Pine Dr.PDF
[2011/12/19 19:39:15 | 001,601,564 | ---- | C] () -- C:\Users\Administrator\Desktop\900 Tippings Ct.PDF
[2011/12/19 16:14:30 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/19 16:14:30 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/19 16:14:30 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/19 16:14:30 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/19 16:14:30 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/19 15:29:17 | 000,050,477 | ---- | C] () -- C:\Users\Administrator\Desktop\Defogger.exe
[2011/12/19 12:51:14 | 000,002,999 | ---- | C] () -- C:\Users\Administrator\Desktop\HiJackThis.lnk
[2011/12/19 12:20:42 | 001,558,406 | ---- | C] () -- C:\Users\Administrator\Desktop\tdsskiller.zip
[2011/12/17 18:19:10 | 000,001,994 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/12/17 14:39:23 | 000,001,216 | ---- | C] () -- C:\Users\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2011/12/17 12:35:28 | 000,103,365 | ---- | C] () -- C:\Windows\System32\itusbcore.dat
[2011/12/17 12:35:28 | 000,000,197 | ---- | C] () -- C:\Windows\System32\itlsvc.dat
[2011/12/17 12:22:46 | 000,010,416 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\mcovru1q8brh1wun5tli0c265t8p
[2011/12/17 12:22:46 | 000,010,416 | -HS- | C] () -- C:\ProgramData\mcovru1q8brh1wun5tli0c265t8p
[2011/12/16 16:34:41 | 001,608,437 | ---- | C] () -- C:\Users\Administrator\Desktop\219 E Farrell St.PDF
[2011/12/16 14:59:06 | 001,446,141 | ---- | C] () -- C:\Users\Administrator\Desktop\9503 Vine St.PDF
[2011/12/15 14:58:26 | 001,608,193 | ---- | C] () -- C:\Users\Administrator\Desktop\184 Hunters Run Pl NW.PDF
[2011/12/15 14:03:16 | 000,000,876 | ---- | C] () -- C:\Users\Public\Desktop\TOTAL Sketch.lnk
[2011/12/15 12:50:41 | 001,052,846 | ---- | C] () -- C:\Users\Administrator\Desktop\3510 Timber Hill Dr SE.PDF
[2011/12/14 16:02:04 | 001,662,445 | ---- | C] () -- C:\Users\Administrator\Desktop\627 N Valley Dr.PDF
[2011/12/14 14:24:58 | 006,100,639 | ---- | C] () -- C:\Users\Administrator\Desktop\233 County Road 587.PDF
[2011/12/14 13:39:34 | 001,767,895 | ---- | C] () -- C:\Users\Administrator\Desktop\1625 John Ross Rd.PDF
[2011/12/13 16:55:11 | 001,625,019 | ---- | C] () -- C:\Users\Administrator\Desktop\149 County Road 29.PDF
[2011/12/13 14:13:26 | 001,715,324 | ---- | C] () -- C:\Users\Administrator\Desktop\3015 13th Ave.PDF
[2011/12/12 17:41:27 | 000,557,552 | R--- | C] () -- C:\Users\Administrator\Documents\My Money Backup_2011-12-12_174125.mbf
[2011/12/12 16:13:53 | 001,555,428 | ---- | C] () -- C:\Users\Administrator\Desktop\3112 Huntingdon Trace.PDF
[2011/12/09 15:39:23 | 001,711,406 | ---- | C] () -- C:\Users\Administrator\Desktop\3619 Tanaka Trail.PDF
[2011/12/07 13:44:13 | 001,363,691 | ---- | C] () -- C:\Users\Administrator\Desktop\7990 Trout Lily Dr.PDF
[2011/12/07 12:07:30 | 001,505,911 | ---- | C] () -- C:\Users\Administrator\Desktop\7012 Windcrest Ln.PDF
[2011/12/06 13:46:00 | 001,368,718 | ---- | C] () -- C:\Users\Administrator\Desktop\235 Shenandoah Ln NW.PDF
[2011/12/06 11:45:10 | 001,653,537 | ---- | C] () -- C:\Users\Administrator\Desktop\402 Emmett Ave NW.PDF
[2011/12/05 17:12:02 | 001,636,883 | ---- | C] () -- C:\Users\Administrator\Desktop\3906 Kemp Cir.PDF
[2011/12/05 13:10:21 | 001,559,046 | ---- | C] () -- C:\Users\Administrator\Desktop\4914 Saint Elmo Ave.PDF
[2011/12/02 18:24:57 | 001,641,430 | ---- | C] () -- C:\Users\Administrator\Desktop\1179 Penobscot Dr.PDF
[2011/12/02 16:38:53 | 001,516,011 | ---- | C] () -- C:\Users\Administrator\Desktop\675 Pinhook Rd.PDF
[2011/12/01 16:51:23 | 001,683,082 | ---- | C] () -- C:\Users\Administrator\Desktop\2426 Jenkins Rd.PDF
[2011/12/01 15:21:20 | 001,960,652 | ---- | C] () -- C:\Users\Administrator\Desktop\1523 Rowewood Dr.PDF
[2011/08/24 17:59:16 | 000,207,549 | ---- | C] () -- C:\Windows\hpwins28.dat.temp
[2011/08/24 17:59:16 | 000,000,418 | ---- | C] () -- C:\Windows\hpwmdl28.dat.temp
[2011/08/24 15:46:17 | 000,206,559 | ---- | C] () -- C:\Windows\hpwins28.dat
[2011/07/28 16:49:12 | 000,053,760 | ---- | C] () -- C:\Windows\System32\OVDecode.dll
[2011/05/20 21:35:28 | 000,304,744 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
[2011/04/19 11:22:59 | 000,007,607 | ---- | C] () -- C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
[2011/04/18 13:29:26 | 000,000,022 | ---- | C] () -- C:\Users\Administrator\AppData\Local\kodakpcd.ini
[2011/04/17 19:59:49 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/04/17 19:33:22 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2011/03/13 09:51:55 | 000,000,118 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\wklnhst.dat
[2011/02/18 12:59:03 | 000,000,059 | ---- | C] () -- C:\Windows\Ltdlgfileu.INI
[2010/08/05 13:37:14 | 000,000,282 | ---- | C] () -- C:\Windows\TECHUSER.INI
[2009/12/09 23:17:42 | 000,000,016 | ---- | C] () -- C:\Windows\popcinfo.dat
[2009/10/01 14:04:31 | 000,000,164 | ---- | C] () -- C:\Windows\install.dat
[2009/08/18 02:18:40 | 000,000,418 | ---- | C] () -- C:\Windows\hpwmdl28.dat
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/13 23:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 23:33:53 | 000,488,248 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 21:05:48 | 000,673,552 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 21:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 21:05:48 | 000,124,622 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 21:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 21:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 21:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 18:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2009/05/17 22:00:24 | 000,000,244 | ---- | C] () -- C:\Windows\ACIeServices.INI
[2009/04/08 12:51:55 | 000,000,364 | ---- | C] () -- C:\Windows\MercuryWT.ini
[2009/04/08 12:51:55 | 000,000,000 | ---- | C] () -- C:\Windows\Mercury.ini
[2009/04/07 14:29:06 | 000,417,792 | ---- | C] () -- C:\Windows\System32\fxdb.dll
[2009/04/07 14:28:30 | 001,213,440 | ---- | C] () -- C:\Windows\System32\opengl.dll
[2009/04/07 14:28:30 | 000,315,904 | ---- | C] () -- C:\Windows\System32\glu.dll
[2009/04/07 14:28:30 | 000,154,624 | ---- | C] () -- C:\Windows\System32\glut.dll
[2009/04/07 12:05:27 | 000,148,900 | ---- | C] () -- C:\Windows\hpoins19.dat
[2009/04/07 12:05:18 | 000,026,952 | ---- | C] () -- C:\Windows\hpomdl19.dat
[2009/04/06 23:08:49 | 000,034,304 | ---- | C] () -- C:\Windows\System32\UnlockFile.exe
[2009/04/06 23:08:48 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx14_ic.ini
[2009/04/06 23:08:46 | 000,327,680 | ---- | C] () -- C:\Windows\System32\SmaRTEng.dll
[2009/04/06 23:08:44 | 000,577,536 | ---- | C] () -- C:\Windows\System32\PAXMeta.dll
[2009/04/06 23:08:44 | 000,053,248 | ---- | C] () -- C:\Windows\System32\P2kDesk.dll
[2009/04/06 23:08:34 | 000,338,944 | ---- | C] () -- C:\Windows\System32\LFfpx7.dll
[2009/04/06 23:08:34 | 000,118,784 | ---- | C] () -- C:\Windows\System32\LFKodak.dll
[2009/04/06 23:08:33 | 000,024,576 | ---- | C] () -- C:\Windows\System32\fmt_jb2.dll
[2009/04/06 23:08:33 | 000,018,944 | ---- | C] () -- C:\Windows\System32\fmt_xcx.dll
[2009/04/06 23:08:33 | 000,011,264 | ---- | C] () -- C:\Windows\System32\fmt_xmf.dll
[2009/04/06 23:08:33 | 000,000,313 | ---- | C] () -- C:\Windows\System32\ic32.ini
[2009/04/06 23:08:31 | 000,040,960 | ---- | C] () -- C:\Windows\System32\DeskSkt.dll
[2009/04/06 23:08:31 | 000,036,864 | ---- | C] () -- C:\Windows\System32\DP2kFrms.dll
[2009/04/06 23:08:29 | 000,401,408 | ---- | C] () -- C:\Windows\System32\AXF_AXS.dll
[2009/04/06 23:08:29 | 000,220,160 | ---- | C] () -- C:\Windows\System32\Carcla30.dll
[2009/04/06 23:08:28 | 000,204,864 | ---- | C] () -- C:\Windows\System32\AtxWrap.dll
[2009/04/06 23:08:26 | 000,018,432 | ---- | C] () -- C:\Windows\System32\alavistautils.dll
[2009/04/06 23:08:26 | 000,001,597 | ---- | C] () -- C:\Windows\System32\alaUploader.exe.config
[2009/04/06 23:08:24 | 001,159,168 | ---- | C] () -- C:\Windows\System32\alaMFC2.dll
[2009/04/06 23:08:24 | 000,151,552 | ---- | C] () -- C:\Windows\System32\alaMapi.dll
[2009/04/06 23:08:24 | 000,086,016 | ---- | C] () -- C:\Windows\System32\alaLaunch2.dll
[2009/04/06 23:08:24 | 000,073,728 | ---- | C] () -- C:\Windows\System32\alaLaunch.dll
[2009/04/06 23:08:22 | 000,122,880 | ---- | C] () -- C:\Windows\System32\ala32.dll
[2009/04/06 23:05:54 | 000,004,853 | ---- | C] () -- C:\Windows\alamode.ini
[2009/03/02 08:44:54 | 000,010,720 | ---- | C] () -- C:\Windows\TECHHELP5.INI
[2009/02/09 18:11:13 | 000,000,089 | ---- | C] () -- C:\Windows\System32\PDFWRITR.INI
[2009/02/09 18:11:13 | 000,000,089 | ---- | C] () -- C:\Windows\System32\__PDF.INI
[2009/02/03 17:22:44 | 000,049,152 | ---- | C] () -- C:\Windows\System32\usbinst32.dll
[2009/02/03 17:19:33 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2009/02/03 16:37:07 | 000,000,331 | ---- | C] () -- C:\Windows\FMTMSAM.INI
[2009/02/03 16:36:57 | 000,000,260 | ---- | C] () -- C:\Windows\hpbafd.ini
[2009/02/03 16:35:51 | 000,094,274 | ---- | C] () -- C:\Windows\System32\HPBHealr.dll
[2009/02/03 16:00:31 | 000,000,000 | ---- | C] () -- C:\Windows\D1SIG32.INI
[2009/02/03 15:55:06 | 000,495,616 | ---- | C] () -- C:\Windows\System32\Tx32.dll
[2009/02/03 13:59:35 | 000,000,305 | ---- | C] () -- C:\Windows\D1IMG32.INI
[2009/02/03 13:42:45 | 000,000,424 | -H-- | C] () -- C:\Windows\vskt7.ini
[2009/02/03 12:47:08 | 000,000,011 | ---- | C] () -- C:\Windows\LHouse.INI
[2009/02/03 12:40:45 | 000,073,360 | ---- | C] () -- C:\Windows\System32\readdll.dll
[2009/02/03 12:37:45 | 000,001,354 | ---- | C] () -- C:\Windows\DAYONE.INI
[2009/02/03 12:37:13 | 000,000,250 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/02/03 12:37:12 | 000,000,023 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2009/02/03 12:37:06 | 000,061,440 | ---- | C] () -- C:\Windows\System32\WRKGADM.EXE
[2009/02/03 12:37:06 | 000,032,768 | ---- | C] () -- C:\Windows\System32\HLINKPRX.DLL
[2009/02/03 12:37:04 | 000,031,936 | ---- | C] () -- C:\Windows\System32\D1skt.dll
[2009/01/03 09:22:04 | 000,011,678 | ---- | C] () -- C:\Windows\d1fnc.ini
[2008/01/26 12:41:28 | 000,000,419 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2008/01/26 12:41:28 | 000,000,027 | ---- | C] () -- C:\Windows\BRPP2KA.INI
[2008/01/26 12:38:47 | 000,000,225 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2008/01/26 12:38:47 | 000,000,093 | ---- | C] () -- C:\Windows\brpcfx.ini
[2008/01/26 12:38:47 | 000,000,050 | ---- | C] () -- C:\Windows\System32\bridf07a.dat
[2008/01/26 12:36:08 | 000,000,066 | ---- | C] () -- C:\Windows\Brfaxrx.ini
[2008/01/26 12:36:07 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat
[2008/01/26 12:36:05 | 000,106,496 | ---- | C] () -- C:\Windows\System32\BrMuSNMP.dll
[2008/01/26 12:34:59 | 000,031,567 | ---- | C] () -- C:\Windows\maxlink.ini
[2008/01/24 18:42:07 | 000,000,458 | ---- | C] () -- C:\Windows\MTU.INI
[2008/01/24 18:41:34 | 000,000,064 | ---- | C] () -- C:\Windows\winhelp.ini
[2008/01/14 22:13:04 | 000,464,384 | ---- | C] () -- C:\Windows\CmiUCRUninstall_x64.exe
[2008/01/14 22:13:03 | 000,311,296 | ---- | C] () -- C:\Windows\CmiUCRUninstall.exe
[2008/01/14 22:10:58 | 000,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys
[2008/01/14 21:18:17 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2008/01/14 21:18:16 | 000,013,738 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2008/01/14 21:18:10 | 000,010,288 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2007/08/22 06:43:34 | 000,327,680 | ---- | C] () -- C:\Windows\CmUCREye.exe
[2007/06/28 11:43:00 | 000,442,368 | ---- | C] () -- C:\Windows\System32\nvappbar.exe
[2007/04/03 08:59:52 | 000,098,304 | ---- | C] () -- C:\Windows\System32\apshext.dll
[2007/02/14 07:12:22 | 000,327,680 | ---- | C] () -- C:\Windows\System32\CmUCRRm.exe
[2007/02/12 09:08:00 | 000,065,536 | ---- | C] () -- C:\Windows\cmiboot.exe
[2006/12/07 11:10:34 | 000,053,248 | ---- | C] () -- C:\Windows\System32\CmUCRRm.Dll
[2003/01/30 11:21:29 | 000,000,544 | ---- | C] () -- C:\Windows\System32\WinSkt7.INI
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[1998/09/17 01:25:24 | 000,004,096 | ---- | C] () -- C:\Windows\delttsul.exe
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

========== LOP Check ==========

[2011/04/17 19:18:55 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\ACI
[2011/04/17 19:18:56 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/09/21 22:11:10 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\DisplayTune
[2011/04/17 19:18:56 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\EServices
[2011/05/23 22:02:25 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Image Zone Express
[2011/12/17 13:06:38 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\IrfanView
[2011/05/05 19:55:53 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\LolClient
[2011/04/17 19:19:24 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Printer Info Cache
[2011/04/17 19:19:24 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\ScanSoft
[2011/04/17 19:19:24 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Sierra Entertainment
[2009/04/07 12:20:26 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Skinux
[2011/04/17 19:19:25 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\SpinTop
[2011/04/17 19:19:25 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Template
[2011/04/17 19:19:25 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\TomTom
[2011/09/22 09:58:38 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Wise Disk Cleaner
[2011/09/22 12:28:53 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Wise Registry Cleaner
[2011/12/17 12:30:13 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/12/31 11:58:00 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/12/31 11:58:00 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/12/31 11:58:00 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/12/31 11:58:00 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2011/12/31 11:58:00 | 000,748,336 | ---- | M] (Microsoft Corporation)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-12-30 17:35:35

< >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:76650B61

< End of report >

Edited by AndyButler, 31 December 2011 - 12:31 PM.
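The OTL report above records each file as a `[date | size | attributes | C/M] (company) -- path` line and each alternate data stream as an `@Alternate Data Stream` line. As an added example, not code from this thread or from the OTL tool, here is a small Python parser for that format that applies the kind of triage a helper does by eye: binaries under System32 with no publisher name, hidden or system attributes, files created after a reference date, and any alternate data stream are pulled out for review. The sample log is a constructed excerpt adapted from entries in this thread; the "Files - No Company Name" section header and the flagging rules are assumptions. The heuristics are deliberately coarse (OGACheckControl.dll is legitimate Microsoft code and still gets listed), so the output is a review list to take to a hash lookup, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed excerpt: entries adapted from this thread's OTL log. The section
# header follows the OTL report layout and is an assumption, not taken from the thread.
SAMPLE_LOG = r"""
========== Files - No Company Name ==========

[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/13 23:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/04/06 23:08:49 | 000,034,304 | ---- | C] () -- C:\Windows\System32\UnlockFile.exe
[2009/02/03 13:42:45 | 000,000,424 | -H-- | C] () -- C:\Windows\vskt7.ini
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys
[2011/12/31 11:58:00 | 000,748,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe

========== LOP Check ==========

[2011/04/17 19:18:55 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\ACI

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:76650B61
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# [timestamp | size | attrs | C-or-M] (company) -- path ; "(company)" is absent for directories
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+)$")


@dataclass
class OtlEntry:
    section: str
    timestamp: datetime
    size: int
    attrs: str               # e.g. "-H--" hidden, "--S-" system, "---D" directory
    kind: str                # "C" = created, "M" = modified (OTL's own marker)
    company: Optional[str]   # "" when OTL printed "()", None when no parentheses at all
    path: str


@dataclass
class AdsEntry:
    path: str
    size: int


def parse_otl(text: str) -> Tuple[List[OtlEntry], List[AdsEntry]]:
    """Parse OTL file entries and alternate-data-stream lines; other lines are ignored."""
    section = ""
    entries: List[OtlEntry] = []
    streams: List[AdsEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(OtlEntry(
                section=section,
                timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                size=int(m.group("size").replace(",", "")),
                attrs=m.group("attrs"),
                kind=m.group("kind"),
                company=m.group("company"),
                path=m.group("path"),
            ))
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append(AdsEntry(path=m.group("path"), size=int(m.group("bytes"))))
    return entries, streams


# Assumed triage rules: loadable-code extensions and the system directories of interest.
BINARY_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def triage(entries: List[OtlEntry], streams: List[AdsEntry],
           created_after: Optional[datetime] = None) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) pairs worth a closer look; a hit is a review item, not a verdict."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        p = e.path.lower()
        ext = ntpath.splitext(p)[1]
        reasons = []
        if e.company == "" and ext in BINARY_EXT and p.startswith(SYSTEM_DIRS):
            reasons.append("binary in a system directory with no publisher name")
        if "H" in e.attrs or "S" in e.attrs:
            reasons.append(f"hidden/system attributes {e.attrs}")
        if created_after is not None and e.kind == "C" and e.timestamp >= created_after:
            reasons.append(f"created after {created_after:%Y-%m-%d}")
        if reasons:
            findings.append((e.path, reasons))
    for s in streams:
        findings.append((s.path, [f"alternate data stream of {s.size} bytes"]))
    return findings


if __name__ == "__main__":
    ents, ads = parse_otl(SAMPLE_LOG)
    # Assumed reference date: the start of the infection window described in this thread.
    for path, why in triage(ents, ads, created_after=datetime(2011, 12, 1)):
        print(path, "->", "; ".join(why))
```

Feed the script a whole OTL report and the review list is the set of files whose hashes are worth checking before anything is deleted; the "company" field only reflects embedded version information, so an empty value on its own proves nothing.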


#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:11:40 AM

Posted 01 January 2012 - 05:46 AM

Hi!

I'd like to have you upload a few suspicious files for me:

VirusTotal File Scan
Please go to: VirusTotal
  • Click the Choose File button and search for the following file: C:\Windows\System32\itusbcore.dat
  • Click Open
  • Then click Send File
If it says already scanned -- click "reanalyze now"

  • Please be patient while the file is scanned.
  • Once the scan results appear, please click on the Compact button.
  • A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
  • Copy and Paste the contents of the text in the BBCode into your next reply for me to review.

Please repeat the above process for the following file below:

C:\Windows\System32\itlsvc.dat

Please post the results in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 AndyButler

AndyButler
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:40 AM

Posted 01 January 2012 - 04:36 PM

When I hit Compact, all it said for both files was "not found". Here are the PDFs:
Attached file: VT2report.pdf (230.59 KB)
Attached file: VTreport.pdf (228.61 KB)



