Redirection Virus


  • This topic is locked
12 replies to this topic

#1 gormand

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 27 August 2012 - 02:05 PM

Hi folks,

Having an issue where I get redirected to other sites while searching using Google or Bing. Any help would be appreciated.


.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!DialogBoxParamW 75873B9B 5 Bytes JMP 6C61187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!DrawTextA 7587AE29 5 Bytes JMP 0027FDA8
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!DrawTextExA 7587AE60 5 Bytes JMP 0027FF5E
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!DialogBoxIndirectParamW 75883B7F 5 Bytes JMP 6C808D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!DialogBoxParamA 7589CF42 5 Bytes JMP 6C808D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!DialogBoxIndirectParamA 7589D274 5 Bytes JMP 6C808DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!MessageBoxIndirectA 758AE869 5 Bytes JMP 6C808CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!MessageBoxIndirectW 758AE963 5 Bytes JMP 6C808C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!MessageBoxExA 758AE9C9 5 Bytes JMP 6C808BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] USER32.dll!MessageBoxExW 758AE9ED 5 Bytes JMP 6C808B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] GDI32.dll!ExtTextOutW 75ED8192 5 Bytes JMP 00280210
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] GDI32.dll!GetGlyphIndicesW 75EDB78F 5 Bytes JMP 0028069D
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] GDI32.dll!TextOutW 75EDFDE4 5 Bytes JMP 0027FCDC
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] GDI32.dll!ExtTextOutA 75EE03F9 5 Bytes JMP 0028012C
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] GDI32.dll!TextOutA 75EE077D 5 Bytes JMP 0027FC10
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] GDI32.dll!GetGlyphIndicesA 75EFBB6A 5 Bytes JMP 002805D0
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] ole32.dll!OleLoadFromStream 75FC6143 5 Bytes JMP 6C80955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WININET.dll!InternetCloseHandle 75ACC664 5 Bytes JMP 0027EC23
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WININET.dll!InternetCrackUrlW 75AF3059 5 Bytes JMP 00280AAC
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WININET.dll!HttpOpenRequestW 75AF5FEF 5 Bytes JMP 0027EB80
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WININET.dll!HttpSendRequestW 75AF632D 5 Bytes JMP 00280D34
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!closesocket 75813918 5 Bytes JMP 0027FA52
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!getaddrinfo 75814296 5 Bytes JMP 0027E5FB
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!WSASend 75814406 5 Bytes JMP 0027F71A
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!GetAddrInfoW 75814889 5 Bytes JMP 0027E6DB
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!recv 75816B0E 5 Bytes JMP 0027F66C
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!send 75816F01 5 Bytes JMP 0027F5C7
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!WSARecv 75817089 5 Bytes JMP 0027F7EE
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!WSAAsyncGetHostByName 7582726A 5 Bytes JMP 0027E9D6
.text C:\Program Files\Internet Explorer\iexplore.exe[5480] WS2_32.dll!gethostbyname 75827673 5 Bytes JMP 0027E53A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000083 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000085 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000005a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004eed4d3a
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004eed4d3a (not active ControlSet)

---- EOF - GMER 1.0.15 ----

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender: Male
  • Location: Numpty HQ

Posted 27 August 2012 - 02:57 PM

Good evening. :)

When you ran DDS it should have created a second log, attach.txt. Will you let me have the contents of that in your next reply - you may need to run DDS again if you didn't save it originally.

So long, and thanks for all the fish.

#3 gormand

  • Topic Starter
  • Members
  • 6 posts

Posted 27 August 2012 - 03:14 PM

Sorry, forgot to attach it :)

Attached File: Attach.txt (17.38KB, 3 downloads)

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender: Male
  • Location: Numpty HQ

Posted 27 August 2012 - 04:02 PM

For x32 bit systems download Farbar Recovery Scan Tool x32.
For x64 bit systems download Farbar Recovery Scan Tool x64.

Save the appropriate file to a flashdrive. Plug the flashdrive into the infected PC and then enter System Recovery Options.

  • To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the Command Window type in notepad and hit <ENTER>.
  • When a notepad window opens, under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and hit <ENTER>.

    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • A log, called FRST.txt, will be created on the flash drive - please copy and paste the contents in your reply.

So long, and thanks for all the fish.

#5 gormand

  • Topic Starter
  • Members
  • 6 posts

Posted 28 August 2012 - 07:36 AM

Hi, please see below. Thanks

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 28-08-2012
Ran by SYSTEM at 28-08-2012 08:34:06
Running from G:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [292208 2010-06-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [495708 2010-05-26] (IDT, Inc.)
HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [DellBtrEvent] D:\Program Files\Dell\Reader 2.1\DellBtrEvent.exe [x]
HKLM\...\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [462993 2010-03-12] (Creative Technology Ltd)
HKLM\...\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)
HKLM\...\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] "C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM\...\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [Bell Canada Connection Manager] "C:\Program Files\Bell\Mobile Connect\BellCanadaCM.exe" -a [87320 2010-05-26] (BellCanada)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [41944 2012-07-31] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640480 2012-07-30] (Adobe Systems Inc.)
HKLM\...\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini [343 2012-08-27] ()
HKLM\...\Run: [KASHOTST9964527048417640] "C:\Program Files\Kaseya\OTST9964527048417640\KaUsrTsk.exe" [409600 2012-03-21] (Kaseya International Limited)
HKLM\...\Run: [AVP] "c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" [342280 2011-06-10] (Kaspersky Lab)
HKU\kstelmacovich\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex [x]
HKU\lpwhyllie\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [718208 2010-03-15] (Microsoft Corporation)
HKU\lpwhyllie\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2010-07-23] (Acresso Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.52.6 207.181.101.4
AppInit_DLLs: c:\PROGRA~1\KASPER~1\KASPER~1.0F~\adialhk.dll
Lsa: [Authentication Packages] msv1_0
wvauth
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Dell System Manager.lnk
ShortcutTarget: Dell System Manager.lnk -> C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe (Dell Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\VPN Client.lnk
ShortcutTarget: VPN Client.lnk -> C:\Windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico ()

========================== Services (Whitelisted) ========================

3 CASMSI; "C:\Program Files\Bell\Mobile Connect\ConAppsSvc.exe" /n "CASMSI" [124184 2010-05-23] (SmithMicro Inc.)
2 Credential Vault Host Control Service; "C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe" [826272 2010-10-25] (Broadcom Corporation)
2 Credential Vault Host Storage; "C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe" [32160 2010-10-25] (Broadcom Corporation)
2 CVPND; "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" [1528608 2008-06-19] (Cisco Systems, Inc.)
2 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [296808 2010-07-23] (Nuance Communications, Inc.)
2 KAOTST9964527048417640; "C:\Program Files\Kaseya\OTST9964527048417640\AgentMon.exe" [847872 2012-06-07] (Kaseya International Limited)
2 NvtlService; "C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe" [82944 2009-11-20] ()
3 ProfileImpSvc; "C:\Program Files\Bell\Mobile Connect\ProfileImpSvc.exe" /n "ProfileImpSvc" [169240 2010-05-23] (SmithMicro Inc.)
3 RMWPService; "C:\Program Files\Reference Manager 12\WebPublisher\thirdparty\Apache2\bin\RMWP_Apache_Admin.exe" -k runservice [20537 2004-01-28] (Apache Software Foundation)
3 RoxMediaDB12OEM; "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe" [1116656 2010-11-25] (Sonic Solutions)
2 RoxWatch12; "C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)
3 SecureStorageService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe" [1477632 2010-11-03] (Wave Systems Corp.)
3 SMSIRcAppSvc; "C:\Program Files\Bell\Mobile Connect\RcAppSvc.exe" /n "SMSIRcAppSvc" [120088 2010-05-23] (SmithMicro Inc.)
2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [245842 2010-05-26] (IDT, Inc.)
2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1629696 2010-07-13] ()
2 TdmService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe" [2336104 2010-10-16] (Wave Systems Corp.)
2 WinVNC4; "C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service [1492344 2009-07-24] (RealVNC Ltd.)
2 AVP; "c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" -r [x]
2 dcpsysmgrsvc; "c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe" [x]
2 DvmMDES; "C:\Program Files\Dell\Reader 2.1\DVMExportService.exe" [x]

==================== Drivers (Whitelisted) ===================

3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [42672 2010-01-18] (ST Microelectronics)
3 BTWAMPFL; C:\Windows\System32\DRIVERS\btwampfl.sys [300584 2011-03-23] (Broadcom Corporation.)
3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
2 CVPNDRVA; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [306299 2008-06-19] (Cisco Systems, Inc.)
3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2010-08-20] (Broadcom Corporation)
3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [125328 2008-03-29] (Deterministic Networks, Inc.)
3 KAPFA; \??\C:\Windows\system32\drivers\KAPFA.SYS [17920 2011-06-23] (Kaseya)
1 kl1; C:\Windows\System32\DRIVERS\kl1.sys [126480 2009-11-12] (Kaspersky Lab)
3 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [24848 2009-09-03] (Kaspersky Lab)
1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [233560 2012-07-23] (Kaspersky Lab)
1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [22104 2010-04-09] (Kaspersky Lab ZAO)
3 NAL; \??\C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-02] (Intel Corporation )
3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [6814720 2010-07-14] (Intel Corporation)
3 NWRmNet; C:\Windows\System32\DRIVERS\NWRmNet.sys [118784 2009-08-31] (Novatel Wireless Inc.)
3 NWUSBPort2; C:\Windows\System32\DRIVERS\nwusbser2.sys [174720 2009-07-15] (Novatel Wireless Inc.)
0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [45648 2010-03-19] (Sonic Solutions)
2 risdpcie; C:\Windows\System32\DRIVERS\risdpe86.sys [59904 2010-03-21] (REDC)
3 rixdpcie; C:\Windows\system32\DRIVERS\rixdpe86.sys [38912 2010-03-21] (REDC)
0 stdflt; C:\Windows\System32\DRIVERS\stdfltn.sys [17072 2010-01-18] (ST Microelectronics)
3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [24840 2008-02-29] ()
3 catchme; \??\C:\Users\LPWHYL~1\AppData\Local\Temp\catchme.sys [x]
1 DVMIO; \??\D:\Program Files\Dell\Reader 2.1\dvmio.sys [x]

==================== NetSvcs (Whitelisted) =================


============ One Month Created Files and Folders ==============

2012-08-27 10:58 - 2012-08-27 10:58 - 00017797 ____A C:\Users\lpwhyllie\Documents\Attach.txt
2012-08-27 10:56 - 2012-08-27 10:56 - 00607260 ____A (Swearware) C:\Users\lpwhyllie\Downloads\dds (1).com
2012-08-27 10:54 - 2012-08-27 10:54 - 00020460 ____A C:\Users\lpwhyllie\Documents\DDS.txt
2012-08-27 10:53 - 2012-08-27 10:53 - 00607260 ____R (Swearware) C:\Users\lpwhyllie\Downloads\dds.com
2012-08-27 10:52 - 2012-08-27 10:52 - 00029223 ____A C:\Users\lpwhyllie\Documents\gmer.log
2012-08-27 10:12 - 2012-08-27 10:12 - 00100864 ____A (GMER) C:\fwxcypow.sys
2012-08-27 10:11 - 2012-08-27 10:11 - 00302592 ____A C:\Users\lpwhyllie\Downloads\uod8y6ww.exe
2012-08-27 09:38 - 2012-08-27 09:38 - 00014611 ____A C:\ComboFix.txt
2012-08-27 09:34 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-27 09:34 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-27 07:19 - 2012-08-27 07:19 - 00082072 ____A C:\Users\lpwhyllie\Report.html
2012-08-27 07:16 - 2012-08-27 07:16 - 00000000 ____D C:\Users\lpwhyllie\AppData\Local\VirtualStore
2012-08-27 07:01 - 2012-08-27 07:01 - 00000000 ____D C:\Users\user\AppData\Roaming\Malwarebytes
2012-08-27 07:00 - 2012-08-27 07:00 - 00000000 ____D C:\Users\user\Downloads\tdsskiller
2012-08-27 06:59 - 2012-08-27 07:00 - 02193184 ____A C:\Users\user\Downloads\tdsskiller.zip
2012-08-27 06:59 - 2012-08-27 06:59 - 00000000 ____D C:\Users\user\AppData\Roaming\Adobe
2012-08-27 06:59 - 2012-08-27 06:59 - 00000000 ____D C:\Users\user\AppData\Local\Bell
2012-08-27 06:59 - 2012-08-27 06:59 - 00000000 ____D C:\Users\user\AppData\Local\Adobe
2012-08-27 06:58 - 2012-08-27 06:58 - 00126488 ____A C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-27 06:58 - 2012-08-27 06:58 - 00000000 ____D C:\Users\user\Documents\Bluetooth Exchange Folder
2012-08-27 06:58 - 2012-08-27 06:58 - 00000000 ____D C:\Users\user\AppData\Roaming\Roxio Burn
2012-08-27 06:58 - 2012-08-27 06:58 - 00000000 ____D C:\Users\user\AppData\Roaming\Roxio
2012-08-27 06:58 - 2012-08-27 06:58 - 00000000 ____D C:\Users\user\AppData\Roaming\Intel Corporation
2012-08-27 06:58 - 2012-08-27 06:58 - 00000000 ____D C:\Users\user\AppData\Roaming\Creative
2012-08-27 06:58 - 2012-08-27 06:58 - 00000000 ____D C:\Users\user\AppData\Local\Broadcom
2012-08-27 06:57 - 2012-08-27 06:57 - 00000020 __ASH C:\Users\user\ntuser.ini
2012-08-27 06:57 - 2011-04-05 10:36 - 00000000 ____D C:\Users\user\AppData\Roaming\Macromedia
2012-08-27 06:53 - 2012-08-27 06:59 - 00000000 ____D C:\Users\lpwhyllie\Downloads\RootRepeal (1)
2012-08-27 06:53 - 2012-08-27 06:53 - 00464491 ____A C:\Users\lpwhyllie\Downloads\RootRepeal (1).zip
2012-08-27 06:34 - 2012-08-27 06:40 - 00000000 ____D C:\Users\lpwhyllie\Downloads\RootRepeal
2012-08-27 06:33 - 2012-08-27 06:33 - 00464491 ____A C:\Users\lpwhyllie\Downloads\RootRepeal.zip
2012-08-27 06:26 - 2012-08-27 06:26 - 00104242 ____A C:\Users\lpwhyllie\GPReport.html
2012-08-27 06:12 - 2012-08-27 09:59 - 00005636 ____A C:\Users\lpwhyllie\Desktop\Rkill.txt
2012-08-27 06:12 - 2012-08-27 06:12 - 01614752 ____A (Bleeping Computer, LLC) C:\Users\lpwhyllie\Downloads\rkill.exe
2012-08-24 04:43 - 2009-08-19 19:50 - 00022872 ___RA (Adobe Systems Inc.) C:\Windows\System32\AdobePDFUI.dll
2012-08-22 05:01 - 2012-08-22 05:50 - 00000000 ____D C:\Users\lpwhyllie\AppData\Local\Adobe
2012-08-21 10:59 - 2012-08-21 10:59 - 00000000 ____D C:\Users\lpwhyllie\DoctorWeb
2012-08-21 10:46 - 2012-08-21 10:46 - 00002203 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-08-21 10:45 - 2012-08-28 04:30 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-21 10:45 - 2012-08-27 12:11 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-21 10:45 - 2012-08-21 10:46 - 00000000 ____D C:\Users\lpwhyllie\AppData\Local\Google
2012-08-21 10:45 - 2012-08-21 10:46 - 00000000 ____D C:\Program Files\Google
2012-08-21 10:45 - 2012-08-21 10:45 - 00000000 ____D C:\Users\lpwhyllie\AppData\Roaming\SUPERAntiSpyware.com
2012-08-21 10:45 - 2012-08-21 10:45 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-08-21 10:40 - 2012-08-21 10:40 - 00000000 ____D C:\Users\lpwhyllie\Downloads\tdsskiller (2)
2012-08-21 10:39 - 2012-08-21 10:40 - 02193345 ____A C:\Users\lpwhyllie\Downloads\tdsskiller (2).zip
2012-08-21 10:37 - 2012-08-21 10:41 - 00000000 ____D C:\sh4ldr
2012-08-21 10:37 - 2012-08-21 10:37 - 00002252 ____A C:\Users\lpwhyllie\Desktop\SpyHunter.lnk
2012-08-21 10:37 - 2012-08-21 10:37 - 00000000 ____D C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-21 10:37 - 2012-08-21 10:37 - 00000000 ____D C:\Program Files\Enigma Software Group
2012-08-21 05:21 - 2012-08-21 05:20 - 01932256 ____A (Symantec Corporation) C:\Users\lpwhyllie\Desktop\FixTDSS.exe
2012-08-21 05:04 - 2012-08-21 05:05 - 02193345 ____A C:\Users\lpwhyllie\Downloads\tdsskiller (1).zip
2012-08-21 05:04 - 2012-08-21 05:04 - 00000000 ____D C:\Users\lpwhyllie\Documents\tdsskiller


============ 3 Months Modified Files ========================

2012-08-28 04:31 - 2009-07-13 20:55 - 01547939 ____A C:\Windows\WindowsUpdate.log
2012-08-28 04:30 - 2012-08-21 10:45 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-27 12:11 - 2012-08-21 10:45 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-27 10:58 - 2012-08-27 10:58 - 00017797 ____A C:\Users\lpwhyllie\Documents\Attach.txt
2012-08-27 10:56 - 2012-08-27 10:56 - 00607260 ____A (Swearware) C:\Users\lpwhyllie\Downloads\dds (1).com
2012-08-27 10:54 - 2012-08-27 10:54 - 00020460 ____A C:\Users\lpwhyllie\Documents\DDS.txt
2012-08-27 10:53 - 2012-08-27 10:53 - 00607260 ____R (Swearware) C:\Users\lpwhyllie\Downloads\dds.com
2012-08-27 10:52 - 2012-08-27 10:52 - 00029223 ____A C:\Users\lpwhyllie\Documents\gmer.log
2012-08-27 10:17 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-27 10:17 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-27 10:14 - 2011-03-23 20:47 - 00730448 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-27 10:12 - 2012-08-27 10:12 - 00100864 ____A (GMER) C:\fwxcypow.sys
2012-08-27 10:11 - 2012-08-27 10:11 - 00302592 ____A C:\Users\lpwhyllie\Downloads\uod8y6ww.exe
2012-08-27 10:10 - 2011-03-31 10:45 - 00000112 ____A C:\Windows\System32\config\netlogon.ftl
2012-08-27 10:09 - 2012-06-05 09:48 - 00000320 ____A C:\Windows\Tasks\Wknwxskz.job
2012-08-27 10:09 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-27 10:09 - 2009-07-13 20:39 - 00084489 ____A C:\Windows\setupact.log
2012-08-27 09:59 - 2012-08-27 06:12 - 00005636 ____A C:\Users\lpwhyllie\Desktop\Rkill.txt
2012-08-27 09:45 - 2011-03-23 22:35 - 00284690 ____A C:\Windows\PFRO.log
2012-08-27 09:38 - 2012-08-27 09:38 - 00014611 ____A C:\ComboFix.txt
2012-08-27 09:37 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
2012-08-27 07:19 - 2012-08-27 07:19 - 00082072 ____A C:\Users\lpwhyllie\Report.html
2012-08-27 07:17 - 2011-08-11 11:58 - 00001758 _RASH C:\Users\lpwhyllie\ntuser.pol
2012-08-27 07:17 - 2011-03-31 10:48 - 00002958 _RASH C:\Users\All Users\ntuser.pol
2012-08-27 07:00 - 2012-08-27 06:59 - 02193184 ____A C:\Users\user\Downloads\tdsskiller.zip
2012-08-27 06:58 - 2012-08-27 06:58 - 00126488 ____A C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-27 06:57 - 2012-08-27 06:57 - 00000020 __ASH C:\Users\user\ntuser.ini
2012-08-27 06:53 - 2012-08-27 06:53 - 00464491 ____A C:\Users\lpwhyllie\Downloads\RootRepeal (1).zip
2012-08-27 06:33 - 2012-08-27 06:33 - 00464491 ____A C:\Users\lpwhyllie\Downloads\RootRepeal.zip
2012-08-27 06:26 - 2012-08-27 06:26 - 00104242 ____A C:\Users\lpwhyllie\GPReport.html
2012-08-27 06:12 - 2012-08-27 06:12 - 01614752 ____A (Bleeping Computer, LLC) C:\Users\lpwhyllie\Downloads\rkill.exe
2012-08-24 16:42 - 2012-07-24 13:26 - 00000064 ____A C:\dvmaccounts.ini
2012-08-21 10:46 - 2012-08-21 10:46 - 00002203 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-08-21 10:40 - 2012-08-21 10:39 - 02193345 ____A C:\Users\lpwhyllie\Downloads\tdsskiller (2).zip
2012-08-21 10:37 - 2012-08-21 10:37 - 00002252 ____A C:\Users\lpwhyllie\Desktop\SpyHunter.lnk
2012-08-21 09:55 - 2012-07-06 06:39 - 04734695 ____R (Swearware) C:\Users\lpwhyllie\Desktop\ComboFix.exe
2012-08-21 05:20 - 2012-08-21 05:21 - 01932256 ____A (Symantec Corporation) C:\Users\lpwhyllie\Desktop\FixTDSS.exe
2012-08-21 05:05 - 2012-08-21 05:04 - 02193345 ____A C:\Users\lpwhyllie\Downloads\tdsskiller (1).zip
2012-08-21 04:30 - 2012-07-06 06:18 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-30 06:32 - 2009-07-13 20:53 - 00032540 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-27 08:06 - 2012-07-27 08:06 - 00090739 ____A C:\Users\lpwhyllie\Desktop\Advanced Access - OHTAC discussion_revised.pptx
2012-07-23 07:38 - 2012-07-23 07:26 - 00116189 ____A C:\Windows\System32\Drivers\klin.dat
2012-07-23 07:38 - 2012-07-23 07:26 - 00098168 ____A C:\Windows\System32\Drivers\klick.dat
2012-07-23 07:25 - 2012-07-23 07:25 - 00233560 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\klif.sys
2012-07-06 06:13 - 2012-07-06 06:13 - 00003694 ____A C:\Users\lpwhyllie\Desktop\RKreport[1].txt
2012-07-06 06:11 - 2012-07-06 06:11 - 00000452 ____A C:\rkill.log
2012-07-06 06:11 - 2012-07-06 06:10 - 02116179 ____A C:\Users\lpwhyllie\Downloads\tdsskiller.zip
2012-07-03 09:46 - 2012-07-06 06:18 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-22 04:56 - 2011-10-28 03:54 - 00000287 ____A C:\Users\lpwhyllie\.JavaPowUpload.properties
2012-06-18 13:26 - 2012-06-18 13:26 - 00002424 ____A C:\Users\lpwhyllie\Downloads\ce_message_en_html.htm
2012-06-18 06:19 - 2012-06-18 06:19 - 03354624 ____A C:\Users\lpwhyllie\Downloads\Multiple IV OHTAC_for presentation.ppt
2012-06-14 05:12 - 2009-07-13 20:33 - 00465168 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 13:12 - 2011-07-21 10:15 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-05 09:48 - 2012-06-05 09:48 - 00163840 _RASH C:\Windows\System32\CATROOT2K.DLL
2012-06-02 14:19 - 2012-06-26 05:11 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-26 05:11 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-26 05:11 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-26 05:11 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-26 05:11 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-26 05:11 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-26 05:11 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-26 05:11 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-26 05:11 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 2997.83 MB
Available physical RAM: 2514.54 MB
Total Pagefile: 2996.11 MB
Available Pagefile: 2518.4 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.7 MB

==================== Partitions ============================

1 Drive c: (OS) (Fixed) (Total:146.28 GB) (Free:107.23 GB) NTFS
2 Drive d: (READER) (Fixed) (Total:2 GB) (Free:1.86 GB) NTFS
3 Drive f: (Smith & Nephew) (CDROM) (Total:0.02 GB) (Free:0 GB) CDFS
4 Drive g: (LEXAR) (Removable) (Total:29.23 GB) (Free:12.85 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.4 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 1024 KB
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 752 MB 40 MB
Partition 3 Primary 146 GB 792 MB
Partition 0 Extended 2044 MB 147 GB
Partition 4 Logical 2043 MB 147 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 752 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 146 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D READER NTFS Partition 2043 MB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 1416 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G LEXAR FAT32 Removable 29 GB Healthy

==================================================================================

Last Boot: 2012-08-17 08:16

==================== End Of Log =============================

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:25 AM

Posted 28 August 2012 - 02:34 PM

Good evening. :)

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Check the Scan All User box at the top.
  • Copy and paste the following into the Custom Scans/Fixes box at the bottom:

    • netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      consrv.dll
      explorer.exe
      winlogon.exe
      Userinit.exe
      svchost.exe
      /md5stop
      C:\Windows\assembly\tmp\U\*.* /s
      %Temp%\smtmp\1\*.*
      %Temp%\smtmp\2\*.*
      %Temp%\smtmp\3\*.*
      %Temp%\smtmp\4\*.*
      >C:\commands.txt echo list vol /raw /hide /c
      /wait
      >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
      /wait
      type c:\diskreport.txt /c
      /wait
      erase c:\commands.txt /hide /c
      /wait
      erase c:\diskreport.txt /hide /c
      CREATERESTOREPOINT
  • Click the Run Scan button and allow it to do its thing.
  • Once the scan has completed two notepad windows, OTL.Txt and Extras.Txt, will open - these text files will be saved in the same location as OTL.
  • Please post the contents of both in your next reply - you may need to post each separately if they are overly long.

So long, and thanks for all the fish.


#7 gormand

gormand
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:25 AM

Posted 28 August 2012 - 03:13 PM

OTL logfile created on: 8/28/2012 4:04:03 PM - Run 1
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\lpwhyllie\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.93 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 46.68% Memory free
5.85 Gb Paging File | 4.48 Gb Available in Paging File | 76.58% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.28 Gb Total Space | 106.76 Gb Free Space | 72.99% Space Free | Partition Type: NTFS
Drive D: | 2.00 Gb Total Space | 1.86 Gb Free Space | 93.40% Space Free | Partition Type: NTFS
Drive E: | 16.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 29.23 Gb Total Space | 12.84 Gb Free Space | 43.94% Space Free | Partition Type: FAT32
Drive L: | 1116.55 Gb Total Space | 353.10 Gb Free Space | 31.62% Space Free | Partition Type: NTFS
Drive Z: | 1116.55 Gb Total Space | 353.10 Gb Free Space | 31.62% Space Free | Partition Type: NTFS

Computer Name: OHQC-ADMIN-PC15 | User Name: lpwyllie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/28 15:45:32 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Users\lpwhyllie\Desktop\OTL.exe
PRC - [2012/07/30 15:02:22 | 000,640,480 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/06/07 11:15:28 | 000,847,872 | ---- | M] (Kaseya International Limited) -- C:\Program Files\Kaseya\OTST9964527048417640\AgentMon.exe
PRC - [2012/03/21 17:50:54 | 000,409,600 | ---- | M] (Kaseya International Limited) -- C:\Program Files\Kaseya\OTST9964527048417640\KaUsrTsk.exe
PRC - [2011/06/24 00:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/06/10 18:37:18 | 000,342,280 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
PRC - [2011/06/10 18:37:18 | 000,342,280 | ---- | M] (Kaspersky Lab) -- c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/17 11:35:34 | 000,514,544 | ---- | M] () -- C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2010/10/29 14:49:28 | 000,505,064 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/10/25 09:33:04 | 000,826,272 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
PRC - [2010/10/25 09:33:04 | 000,032,160 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
PRC - [2010/10/16 17:10:52 | 002,336,104 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
PRC - [2010/10/15 19:14:08 | 002,843,936 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2010/10/15 19:14:08 | 000,836,896 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2010/10/15 19:14:08 | 000,656,672 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
PRC - [2010/09/15 12:14:36 | 000,057,168 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\SPBA\upeksvr.exe
PRC - [2010/08/24 17:54:34 | 001,458,032 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
PRC - [2010/08/24 17:51:50 | 000,388,464 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe
PRC - [2010/07/23 13:24:48 | 000,296,808 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Common Files\Nuance\dgnsvc.exe
PRC - [2010/07/23 12:50:49 | 000,222,496 | ---- | M] (Acresso Corporation) -- C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
PRC - [2010/07/19 18:42:16 | 000,866,576 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2010/07/19 18:23:28 | 000,477,456 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2010/06/29 15:15:18 | 000,073,728 | ---- | M] (Software 2000 Limited) -- C:\Windows\System32\spool\drivers\w32x86\3\HP1006MC.EXE
PRC - [2010/06/04 06:29:14 | 000,292,208 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2010/05/31 08:57:12 | 000,056,032 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2010/05/31 05:17:06 | 000,054,640 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2010/05/26 07:54:36 | 000,495,708 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2010/05/26 07:54:32 | 000,245,842 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\stacsv.exe
PRC - [2010/05/26 07:53:26 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Program Files\IDT\WDM\AEstSrv.exe
PRC - [2010/05/04 16:06:34 | 000,327,680 | ---- | M] (DeviceVM, Inc.) -- D:\Program Files\Dell\Reader 2.1\DVMExportService.exe
PRC - [2010/05/04 16:06:34 | 000,147,456 | ---- | M] (DeviceVM, Inc.) -- D:\Program Files\Dell\Reader 2.1\DellBtrEvent.exe
PRC - [2010/03/16 02:58:36 | 000,718,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
PRC - [2010/03/12 11:42:02 | 000,462,993 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
PRC - [2010/03/03 21:16:04 | 000,284,696 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
PRC - [2010/02/17 19:34:40 | 000,054,568 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2009/11/20 16:48:18 | 000,082,944 | ---- | M] () -- C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
PRC - [2009/07/25 00:32:34 | 001,492,344 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe
PRC - [2009/07/06 15:22:04 | 000,087,336 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
PRC - [2008/06/19 18:08:44 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/14 09:14:28 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012/06/14 09:14:10 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012/05/10 10:54:15 | 000,452,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\635b3aec298ad5e8c903b2323d79cc5a\IAStorUtil.ni.dll
MOD - [2012/05/10 09:19:18 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/10 09:18:24 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/05/10 09:18:21 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/05/10 09:18:20 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/05/10 09:18:13 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2011/11/07 14:21:10 | 000,925,696 | ---- | M] () -- C:\Program Files\Kaseya\OTST9964527048417640\libkacm.dll
MOD - [2010/11/24 23:44:02 | 000,375,280 | ---- | M] () -- c:\Program Files\Common Files\Roxio Shared\DLLShared\SQLite352.dll
MOD - [2010/11/17 11:35:54 | 000,698,864 | ---- | M] () -- C:\Program Files\Roxio\OEM\Roxio Burn\RBVirtualFolder.dll
MOD - [2010/11/17 11:35:34 | 000,514,544 | ---- | M] () -- C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
MOD - [2010/10/15 19:14:18 | 000,132,384 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll
MOD - [2010/03/24 21:17:36 | 008,794,464 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2010/01/30 02:41:12 | 004,254,560 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2009/02/27 16:39:29 | 000,019,968 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.DEU
MOD - [2009/02/27 16:32:27 | 000,020,480 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.FRA


========== Services (SafeList) ==========

SRV - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/06/07 11:15:28 | 000,847,872 | ---- | M] (Kaseya International Limited) [Auto | Running] -- C:\Program Files\Kaseya\OTST9964527048417640\AgentMon.exe -- (KAOTST9964527048417640)
SRV - [2011/09/13 13:26:33 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/06/10 18:37:18 | 000,342,280 | ---- | M] (Kaspersky Lab) [Auto | Running] -- c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe -- (AVP)
SRV - [2011/04/01 11:10:55 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/11/25 06:34:18 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
SRV - [2010/11/25 06:33:18 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2010/11/03 17:12:58 | 001,477,632 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV - [2010/10/25 09:33:04 | 000,826,272 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -- (Credential Vault Host Control Service)
SRV - [2010/10/25 09:33:04 | 000,032,160 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -- (Credential Vault Host Storage)
SRV - [2010/10/16 17:10:52 | 002,336,104 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV - [2010/10/15 19:14:08 | 000,656,672 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2010/08/24 17:51:50 | 000,388,464 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe -- (dcpsysmgrsvc)
SRV - [2010/07/23 13:24:48 | 000,296,808 | ---- | M] (Nuance Communications, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Nuance\dgnsvc.exe -- (DragonSvc)
SRV - [2010/07/19 18:42:16 | 000,866,576 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2010/07/19 18:23:28 | 000,477,456 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2010/07/13 15:02:32 | 001,629,696 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2010/05/26 07:54:32 | 000,245,842 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2010/05/26 07:53:26 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\IDT\WDM\AEstSrv.exe -- (AESTFilters)
SRV - [2010/05/23 07:37:04 | 000,120,088 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Bell\Mobile Connect\RcAppSvc.exe -- (SMSIRcAppSvc)
SRV - [2010/05/23 07:36:34 | 000,169,240 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Bell\Mobile Connect\ProfileImpSvc.exe -- (ProfileImpSvc)
SRV - [2010/05/23 07:32:40 | 000,124,184 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Bell\Mobile Connect\ConAppsSvc.exe -- (CASMSI)
SRV - [2010/05/04 16:06:34 | 000,327,680 | ---- | M] (DeviceVM, Inc.) [Auto | Running] -- D:\Program Files\Dell\Reader 2.1\DVMExportService.exe -- (DvmMDES)
SRV - [2010/03/25 10:25:22 | 030,969,208 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2010/03/03 21:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2009/11/20 16:48:18 | 000,082,944 | ---- | M] () [Auto | Running] -- C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe -- (NvtlService)
SRV - [2009/07/25 00:32:34 | 001,492,344 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\winvnc4.exe -- (WinVNC4)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/06/19 18:08:44 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2004/01/28 17:25:24 | 000,020,537 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- C:\Program Files\Reference Manager 12\WebPublisher\thirdparty\Apache2\bin\RMWP_Apache_Admin.exe -- (RMWPService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\LPWHYL~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/07/23 11:25:19 | 000,233,560 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\System32\drivers\klif.sys -- (KLIF)
DRV - [2011/06/23 11:09:02 | 000,017,920 | ---- | M] (Kaseya) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\KAPFA.sys -- (KAPFA)
DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/08/20 18:58:40 | 000,033,832 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV - [2010/07/14 08:42:24 | 006,814,720 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwNs32.sys -- (NETwNs32)
DRV - [2010/06/21 12:59:30 | 000,255,096 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2010/06/21 06:44:36 | 000,246,272 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud)
DRV - [2010/05/26 07:54:38 | 000,424,448 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2010/05/23 07:10:30 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2010/05/04 16:06:34 | 000,018,320 | ---- | M] (DeviceVM, Inc.) [Kernel | System | Running] -- D:\Program Files\Dell\Reader 2.1\dvmio.sys -- (DVMIO)
DRV - [2010/04/09 17:41:44 | 000,022,104 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\Windows\System32\drivers\klim6.sys -- (KLIM6)
DRV - [2010/04/06 04:36:20 | 000,224,424 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1k6232.sys -- (e1kexpress)
DRV - [2010/03/21 15:25:04 | 000,059,904 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\risdpe86.sys -- (risdpcie)
DRV - [2010/03/21 15:25:04 | 000,048,640 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rimspe86.sys -- (rimspci)
DRV - [2010/03/21 15:25:04 | 000,038,912 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rixdpe86.sys -- (rixdpcie)
DRV - [2010/02/26 20:31:22 | 000,132,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Impcd.sys -- (Impcd)
DRV - [2010/02/03 01:10:32 | 000,030,880 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\iqvw32.sys -- (NAL)
DRV - [2010/01/18 08:56:26 | 000,042,672 | ---- | M] (ST Microelectronics) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelern.sys -- (Acceler)
DRV - [2010/01/18 08:56:26 | 000,017,072 | ---- | M] (ST Microelectronics) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\stdfltn.sys -- (stdflt)
DRV - [2009/11/12 18:49:02 | 000,126,480 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\System32\drivers\kl1.sys -- (kl1)
DRV - [2009/09/16 17:07:42 | 000,144,576 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV - [2009/09/03 16:24:40 | 000,024,848 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\klfltdev.sys -- (KLFLTDEV)
DRV - [2009/08/31 14:39:18 | 000,118,784 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NWRmNet.sys -- (NWRmNet)
DRV - [2009/07/15 15:41:42 | 000,230,400 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/07/15 15:41:40 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/07/15 15:41:40 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/07/15 15:41:40 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2009/05/28 11:48:20 | 000,134,144 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CtAudDrv.sys -- (CtAudDrv)
DRV - [2008/06/19 18:07:50 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/06/04 14:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\PBADRV.sys -- (PBADRV)
DRV - [2008/03/29 17:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2008/02/29 18:08:08 | 000,024,840 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2007/01/18 17:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/08/17 07:47:48 | 000,073,696 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdserd.sys -- (sscdserd)
DRV - [2005/08/17 07:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/08/17 07:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/08/17 07:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/23
IE - HKLM\..\SearchScopes,DefaultScope = {21B60A7E-FE2D-4414-98BC-34322FFF9AD8}
IE - HKLM\..\SearchScopes\{21B60A7E-FE2D-4414-98BC-34322FFF9AD8}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-535683054-4239906057-3132855710-1524\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/23
IE - HKU\S-1-5-21-535683054-4239906057-3132855710-1524\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-535683054-4239906057-3132855710-1524\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpWinExt,version=5.0: C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\Firefox [2011/03/24 01:13:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/03/24 01:13:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2011/03/24 01:14:14 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - homepage: http://www.google.com
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.83\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.83\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll
CHR - plugin: Bing Bar (Enabled) = C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll

O1 HOSTS File: ([2012/08/21 09:12:02 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-535683054-4239906057-3132855710-1524\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AVP] c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Bell Canada Connection Manager] C:\Program Files\Bell\Mobile Connect\BellCanadaCM.exe (BellCanada)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DellBtrEvent] D:\Program Files\Dell\Reader 2.1\DellBtrEvent.exe (DeviceVM, Inc.)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [KASHOTST9964527048417640] C:\Program Files\Kaseya\OTST9964527048417640\KaUsrTsk.exe (Kaseya International Limited)
O4 - HKLM..\Run: [PDVD9LanguageShortcut] C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RemoteControl9] C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe (Sonic Solutions)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\S-1-5-21-535683054-4239906057-3132855710-1524..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe (Acresso Corporation)
O4 - HKU\S-1-5-21-535683054-4239906057-3132855710-1524..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-535683054-4239906057-3132855710-1524\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-535683054-4239906057-3132855710-1524\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-535683054-4239906057-3132855710-1524\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Anti-Banner - c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm ()
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\scieplgn.dll (Kaspersky Lab)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} https://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab (LogMeIn Rescue Applet Downloader)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.52.6 207.181.101.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ohqc.int
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D03D25C2-A902-4F9A-B686-AA9BA0FF3CBA}: DhcpNameServer = 207.164.79.254 204.101.237.136
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F5A17EF5-7B0D-4A36-AF26-8A618A126F08}: DhcpNameServer = 192.168.52.6 207.181.101.4
O20 - AppInit_DLLs: (c:\PROGRA~1\KASPER~1\KASPER~1.0F~\adialhk.dll) - c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\adialhk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\spba: DllName - (C:\Program Files\Common Files\SPBA\homefus2.dll) - C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O30 - LSA: Authentication Packages - (wvauth) - C:\Windows\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2012/07/16 15:31:54 | 000,032,768 | ---- | M] () - F:\Automatic Response for OHTAC Comments.doc -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/28 15:56:48 | 000,598,528 | ---- | C] (OldTimer Tools) -- C:\Users\lpwhyllie\Desktop\OTL.exe
[2012/08/28 15:49:01 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 9.5
[2012/08/28 12:34:02 | 000,000,000 | ---D | C] -- C:\FRST
[2012/08/27 14:12:13 | 000,100,864 | ---- | C] (GMER) -- C:\fwxcypow.sys
[2012/08/27 13:38:43 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/08/27 13:38:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/08/27 11:16:06 | 000,000,000 | ---D | C] -- C:\Users\lpwhyllie\AppData\Local\VirtualStore
[2012/08/24 08:43:57 | 000,022,872 | R--- | C] (Adobe Systems Inc.) -- C:\Windows\System32\AdobePDFUI.dll
[2012/08/22 09:01:28 | 000,000,000 | ---D | C] -- C:\Users\lpwhyllie\AppData\Local\Adobe
[2012/08/21 14:59:23 | 000,000,000 | ---D | C] -- C:\Users\lpwhyllie\DoctorWeb
[2012/08/21 14:46:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/08/21 14:45:22 | 000,000,000 | ---D | C] -- C:\Users\lpwhyllie\AppData\Local\Google
[2012/08/21 14:45:21 | 000,000,000 | ---D | C] -- C:\Users\lpwhyllie\AppData\Roaming\SUPERAntiSpyware.com
[2012/08/21 14:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/08/21 14:45:15 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/08/21 14:37:50 | 000,000,000 | ---D | C] -- C:\Users\lpwhyllie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
[2012/08/21 14:37:50 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/08/21 14:37:49 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012/08/21 09:21:23 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Users\lpwhyllie\Desktop\FixTDSS.exe
[2012/08/21 09:04:10 | 000,000,000 | ---D | C] -- C:\Users\lpwhyllie\Documents\tdsskiller
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/08/28 16:00:05 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/08/28 15:54:54 | 000,014,256 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/28 15:54:54 | 000,014,256 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/28 15:51:34 | 000,631,778 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/08/28 15:51:34 | 000,111,870 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/08/28 15:47:48 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/08/28 15:46:25 | 000,000,320 | ---- | M] () -- C:\Windows\tasks\Wknwxskz.job
[2012/08/28 15:46:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/28 15:46:11 | 2357,587,968 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/28 15:45:32 | 000,598,528 | ---- | M] (OldTimer Tools) -- C:\Users\lpwhyllie\Desktop\OTL.exe
[2012/08/27 14:12:13 | 000,100,864 | ---- | M] (GMER) -- C:\fwxcypow.sys
[2012/08/27 11:19:25 | 000,082,072 | ---- | M] () -- C:\Users\lpwhyllie\Report.html
[2012/08/27 11:17:13 | 000,002,958 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2012/08/27 11:17:13 | 000,001,758 | RHS- | M] () -- C:\Users\lpwhyllie\ntuser.pol
[2012/08/27 10:26:26 | 000,104,242 | ---- | M] () -- C:\Users\lpwhyllie\GPReport.html
[2012/08/24 20:42:53 | 000,000,064 | ---- | M] () -- C:\dvmaccounts.ini
[2012/08/21 14:46:21 | 000,002,203 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/08/21 14:46:21 | 000,002,187 | ---- | M] () -- C:\Users\lpwhyllie\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/08/21 14:37:50 | 000,002,252 | ---- | M] () -- C:\Users\lpwhyllie\Desktop\SpyHunter.lnk
[2012/08/21 13:55:34 | 004,734,695 | R--- | M] (Swearware) -- C:\Users\lpwhyllie\Desktop\ComboFix.exe
[2012/08/21 09:20:52 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Users\lpwhyllie\Desktop\FixTDSS.exe
[2012/08/21 08:30:27 | 000,001,069 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/08/27 13:34:56 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/08/27 13:34:56 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/08/27 11:19:25 | 000,082,072 | ---- | C] () -- C:\Users\lpwhyllie\Report.html
[2012/08/27 10:26:25 | 000,104,242 | ---- | C] () -- C:\Users\lpwhyllie\GPReport.html
[2012/08/21 14:46:21 | 000,002,203 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/08/21 14:46:21 | 000,002,187 | ---- | C] () -- C:\Users\lpwhyllie\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/08/21 14:45:25 | 000,000,890 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/08/21 14:45:25 | 000,000,886 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/08/21 14:37:50 | 000,002,252 | ---- | C] () -- C:\Users\lpwhyllie\Desktop\SpyHunter.lnk
[2012/07/23 11:26:42 | 000,116,189 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat
[2012/07/23 11:26:42 | 000,098,168 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat
[2012/07/06 10:41:27 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/07/06 10:41:26 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/07/06 10:41:26 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/06/05 13:48:23 | 000,163,840 | RHS- | C] () -- C:\Windows\System32\CATROOT2K.DLL
[2012/02/20 18:37:47 | 000,002,674 | ---- | C] () -- C:\Users\lpwhyllie\AppData\Roaming\SAS7_000.DAT
[2012/02/20 18:15:51 | 000,000,000 | ---- | C] () -- C:\Windows\DVEdit.INI
[2012/02/20 18:02:38 | 000,124,264 | R--- | C] () -- C:\Windows\System32\mp3dec.dll
[2011/10/28 07:54:26 | 000,000,287 | ---- | C] () -- C:\Users\lpwhyllie\.JavaPowUpload.properties
[2011/09/13 13:14:14 | 000,000,162 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/08/11 15:58:44 | 000,001,758 | RHS- | C] () -- C:\Users\lpwhyllie\ntuser.pol
[2011/06/23 11:53:59 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/04/05 14:59:14 | 000,065,536 | ---- | C] () -- C:\Windows\System32\HPPLVS.dll
[2011/03/31 14:48:13 | 000,002,958 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/03/24 03:24:12 | 000,870,560 | ---- | C] () -- C:\Windows\System32\igkrng575.bin
[2011/03/24 03:24:12 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2011/03/24 03:24:12 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2011/03/24 03:24:12 | 000,104,796 | ---- | C] () -- C:\Windows\System32\igfcg575m.bin
[2011/03/24 03:24:12 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2011/03/24 03:24:11 | 000,127,868 | ---- | C] () -- C:\Windows\System32\igcompkrng575.bin
[2011/03/24 03:24:11 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2011/03/24 00:57:18 | 000,080,368 | ---- | C] () -- C:\Windows\System32\pbadrvdll.dll
[2011/03/24 00:56:28 | 000,308,624 | ---- | C] () -- C:\Windows\System32\brcmbsp.dll
[2011/03/24 00:56:28 | 000,205,192 | ---- | C] () -- C:\Windows\System32\bipbsp.dll
[2010/10/01 16:56:28 | 000,087,040 | ---- | C] () -- C:\Windows\System32\Internationalization_th.dll
[2010/10/01 16:56:28 | 000,074,752 | ---- | C] () -- C:\Windows\System32\Internationalization_zh-HK.dll
[2010/10/01 16:56:26 | 000,089,088 | ---- | C] () -- C:\Windows\System32\Internationalization_sl.dll
[2010/10/01 16:56:24 | 000,089,088 | ---- | C] () -- C:\Windows\System32\Internationalization_sk.dll
[2010/10/01 16:56:22 | 000,090,112 | ---- | C] () -- C:\Windows\System32\Internationalization_hr.dll
[2010/10/01 16:56:20 | 000,088,064 | ---- | C] () -- C:\Windows\System32\Internationalization_tr.dll
[2010/10/01 16:56:18 | 000,091,648 | ---- | C] () -- C:\Windows\System32\Internationalization_ro.dll
[2010/10/01 16:56:18 | 000,091,648 | ---- | C] () -- C:\Windows\System32\Internationalization_pt-BR.dll
[2010/10/01 16:56:16 | 000,091,136 | ---- | C] () -- C:\Windows\System32\Internationalization_hu.dll
[2010/10/01 16:56:14 | 000,084,480 | ---- | C] () -- C:\Windows\System32\Internationalization_he.dll
[2010/10/01 16:56:12 | 000,089,088 | ---- | C] () -- C:\Windows\System32\Internationalization_fi.dll
[2010/10/01 16:56:10 | 000,095,744 | ---- | C] () -- C:\Windows\System32\Internationalization_el.dll
[2010/10/01 16:56:10 | 000,090,112 | ---- | C] () -- C:\Windows\System32\Internationalization_cs.dll
[2010/10/01 16:56:08 | 000,086,016 | ---- | C] () -- C:\Windows\System32\Internationalization_ar.dll
[2010/10/01 16:56:06 | 000,074,752 | ---- | C] () -- C:\Windows\System32\Internationalization_zh-CHT.dll
[2010/10/01 16:56:06 | 000,074,240 | ---- | C] () -- C:\Windows\System32\Internationalization_zh-CHS.dll
[2010/10/01 16:56:04 | 000,090,624 | ---- | C] () -- C:\Windows\System32\Internationalization_sv.dll
[2010/10/01 16:56:02 | 000,090,112 | ---- | C] () -- C:\Windows\System32\Internationalization_ru.dll
[2010/10/01 16:56:00 | 000,093,184 | ---- | C] () -- C:\Windows\System32\Internationalization_pt.dll
[2010/10/01 16:56:00 | 000,092,160 | ---- | C] () -- C:\Windows\System32\Internationalization_pl.dll
[2010/10/01 16:55:58 | 000,088,576 | ---- | C] () -- C:\Windows\System32\Internationalization_no.dll
[2010/10/01 16:55:56 | 000,096,256 | ---- | C] () -- C:\Windows\System32\Internationalization_nl.dll
[2010/10/01 16:55:56 | 000,078,848 | ---- | C] () -- C:\Windows\System32\Internationalization_ko.dll
[2010/10/01 16:55:54 | 000,080,384 | ---- | C] () -- C:\Windows\System32\Internationalization_ja.dll
[2010/10/01 16:55:52 | 000,093,696 | ---- | C] () -- C:\Windows\System32\Internationalization_it.dll
[2010/10/01 16:55:50 | 000,093,696 | ---- | C] () -- C:\Windows\System32\Internationalization_fr.dll
[2010/10/01 16:55:50 | 000,093,184 | ---- | C] () -- C:\Windows\System32\Internationalization_es.dll
[2010/10/01 16:55:46 | 000,094,720 | ---- | C] () -- C:\Windows\System32\Internationalization_de.dll
[2010/10/01 16:55:44 | 000,091,648 | ---- | C] () -- C:\Windows\System32\Internationalization_da.dll

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2011/03/24 03:30:58 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=00B0358734CAA32C39D181FE6916B178 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20542_none_523cdab8f40fe558\explorer.exe
[2011/02/26 01:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2009/07/13 21:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2011/02/26 01:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[2011/03/24 03:31:09 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\erdnt\cache\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[2011/03/24 03:31:02 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2011/03/24 03:31:02 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2011/03/24 03:31:09 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
[2011/03/24 03:30:58 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=FC89FACA0473641CB625EDA9277D0885 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16434_none_51c00e6ddae85c4b\explorer.exe

< MD5 for: SVCHOST.EXE >
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\erdnt\cache\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\erdnt\cache\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe

< MD5 for: WINLOGON.EXE >
[2011/03/24 03:31:09 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2011/03/24 03:31:09 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\erdnt\cache\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009/07/13 21:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe

< C:\Windows\assembly\tmp\U\*.* /s >

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >

< type c:\diskreport.txt /c >
Microsoft DiskPart version 6.1.7601
Copyright © 1999-2008 Microsoft Corporation.
On computer: OHQC-ADMIN-PC15
Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
Volume 0     E   Smith & Nep  CDFS   DVD-ROM       16 MB  Healthy
Volume 1         RECOVERY     NTFS   Partition    752 MB  Healthy    System
Volume 2     C   OS           NTFS   Partition    146 GB  Healthy    Boot
Volume 3     D   READER       NTFS   Partition   2043 MB  Healthy
Volume 4     F   LEXAR        FAT32  Removable     29 GB  Healthy

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:0FF263E8

< End of report >

OTL Extras logfile created on: 8/28/2012 4:04:04 PM - Run 1
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\lpwhyllie\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.93 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 46.68% Memory free
5.85 Gb Paging File | 4.48 Gb Available in Paging File | 76.58% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.28 Gb Total Space | 106.76 Gb Free Space | 72.99% Space Free | Partition Type: NTFS
Drive D: | 2.00 Gb Total Space | 1.86 Gb Free Space | 93.40% Space Free | Partition Type: NTFS
Drive E: | 16.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 29.23 Gb Total Space | 12.84 Gb Free Space | 43.94% Space Free | Partition Type: FAT32
Drive L: | 1116.55 Gb Total Space | 353.10 Gb Free Space | 31.62% Space Free | Partition Type: NTFS
Drive Z: | 1116.55 Gb Total Space | 353.10 Gb Free Space | 31.62% Space Free | Partition Type: NTFS

Computer Name: OHQC-ADMIN-PC15 | User Name: lpwyllie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-535683054-4239906057-3132855710-1524\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{10E93AFA-F066-4BB5-A7B0-964CBD7FED15}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{277E8208-B41F-4FCA-84F1-8208CE2C7CAA}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{4579DA21-075D-472C-B90B-6BB131C338D9}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{52338801-3617-4F42-8021-6757C157AFEA}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{630C62F8-7827-4471-908C-CB94A31BFD10}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{65CA0F56-B806-42FE-A44C-B4CD8A4F1381}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7B9A20BB-51EF-4034-9370-4FC8B8F05801}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{836626B2-A3F4-4F3D-9720-DDA915B0C3F6}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{84760D1F-5B17-4942-A4C0-F31D971696DF}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{93B99EFE-13DF-48A4-BC73-DA6447EF074F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{C3C2FB07-3EC7-4BD7-B356-9E3D6E1D722F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{C512BB15-C097-46FD-972A-90D1C7580014}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{D8422067-E98B-4AE2-8EFB-83A15CC3296E}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{D8AB4952-F382-4F7E-A385-B210FB685470}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{FD6D0596-723E-48DB-9858-730A6D4283EA}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1425BA97-149F-49CB-8C75-4E0A02A42B3D}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\hp1006mc.exe |
"{21088C8A-1F65-4A85-95A1-A39888C73C75}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{24602A25-A2FE-4366-A3D6-3CFBC23494F7}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{312A9BBC-A963-4EA0-9B69-31E4A44DBA87}" = dir=in | app=c:\program files\windows live\mesh\moe.exe |
"{3345C467-126B-4E0F-9920-2CDAECE00FC7}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{424B8E07-F15F-4FAB-800E-08C2E67C3C1B}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{5CA0784E-508D-49C5-974E-6844686CB923}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{6FF1A39B-49F5-4980-8873-0FF35A23C643}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\hp1006mc.exe |
"{88101D61-FFA0-4C84-AD9F-8E511AA0D3E3}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\hp1006mc.exe |
"{A33386D7-9D32-46A3-9A86-2DC2F185F8AB}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{A9C40708-3D48-4468-9ED9-12A089000B9F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{AFEE53A9-82FF-4233-A544-8E6A471026A7}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{BEF097A1-3349-406F-ABD7-7B772EFC84B3}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{C7431CB1-17A8-40F7-A823-30A91BF8D26B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{D8973CC9-EA3D-4135-BA3E-05CDEEC35089}" = dir=in | app=c:\program files\cyberlink\powerdvd9\powerdvd cinema\powerdvdcinema.exe |
"{DC1EA382-B1A9-4190-9707-DCDD760C44FB}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\hp1006mc.exe |
"{E54D2282-A35E-4B6B-A588-8D734B38E9AE}" = dir=in | app=c:\program files\cyberlink\powerdvd9\powerdvd9.exe |
"{FB46B464-43AE-4766-8CB7-6080DBE930F2}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"TCP Query User{D8F6D80A-1C05-453C-89EC-16C669D9F20E}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{F1AC506E-8268-4A78-B6AC-EBC4076DE531}C:\users\kstelmacovich\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe" = protocol=6 | dir=in | app=c:\users\kstelmacovich\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe |
"UDP Query User{03C6CC50-EDDE-4E6C-A43D-60EAE5353DC3}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{EC79B524-2E71-465B-AB28-A360F2416DE5}C:\users\kstelmacovich\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe" = protocol=17 | dir=in | app=c:\users\kstelmacovich\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software Installer
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0CCAF47C-E428-48C2-82B2-5F25CE1D67DA}" = Gemalto
"{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources
"{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 24
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2EECD5EF-5095-467C-B80C-4AB3096EFD60}" = SPBA 5.9
"{3138EAD3-700B-4A10-B617-B3F8096EE30D}" = Dell Edoc Viewer
"{3250260C-7A95-4632-893B-89657EB5545B}" = PhotoShowExpress
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}" = Preboot Manager
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CF8818E-E902-4393-BDF3-FE5032A41625}" = CCI/ICD-10-CA 2009
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel® Rapid Storage Technology
"{42F0FD29-7EB3-4CAA-AF10-BC2619B96D80}" = MrvlUsgTracking
"{4327107B-E95E-415C-9194-458FCED6BF12}" = Intel® PROSet/Wireless WiFi Software
"{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}" = WIDCOMM Bluetooth Software
"{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A5A427F-BA39-4BF0-9999-9A47FBE60C9F}" = Visual C++ 9.0 Runtime for Dragon NaturallySpeaking
"{4BACF7B1-CC1B-49BB-8991-8B2B6E6ABA4A}" = Mobile Broadband Generic Drivers
"{4E4E65EE-C456-45AC-B5AD-C62C3A325BD0}" = Dell Data Protection | Access | Drivers
"{4E60E212-3177-4B16-BCB3-616CCC52357D}" = Upek Touchchip Fingerprint Reader
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6AC87FB3-ACFC-4416-890C-8976D5A9B371}" = Trusted Drive Manager
"{6CCC133E-9A2F-4CAA-8866-75D029CD3AB3}" = Digital Voice Editor 3
"{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}" = Roxio Creator Starter
"{7206B668-FEE0-455B-BB1F-9B5A2E0EC94A}" = Custom
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75E0B85A-085F-4BA3-B2BF-1995AFD8024D}" = NTRU TCG Software Stack
"{7746BFAA-2B5D-4FFD-A0E8-4558F4668105}" = Roxio Burn
"{77C4850C-3592-4A2F-B652-ACB77A1EF77C}" = Bing Bar Platform
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{7902E313-FF0F-4493-ACB1-A8147B78DCD0}" = HPSSupply
"{7AAA00C4-26E6-4EC0-8069-955B0A9D6009}" = Intel® Network Connections 15.2.89.0
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{841CBDD5-4BB5-403E-AEE3-2FADC3890BE8}" = Dell Data Protection | Access | Middleware
"{87434D51-51DB-4109-B68F-A829ECDCF380}" = AccelerometerP11
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8BCAC105-C501-41F9-AED1-587024ABCA8C}" = Reference Manager 12 Professional Edition
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8F023021-A7EB-45D3-9269-D65264C81729}" = Kaspersky Anti-Virus 6.0 for Windows Workstations
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{928B06E4-DDAA-476A-926A-641620326327}" = Microsoft Search Enhancement Pack
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A00EC4E-27E1-42C4-98DD-662F32AC8870}" = Sonic CinePlayer Decoder Pack
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9DAED4FC-2B0E-4F3F-8141-F2ABF02CCFCB}" = BioAPI Framework
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{9E384B32-59C8-46EF-BEA6-4DC8F27CDB8E}" = InstallVC90Support
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A121EEDE-C68F-461D-91AA-D48BA226AF1C}" = Roxio Activation Module
"{A32F592F-AA0E-49AF-8E85-A0A25AF83314}" = Wave Infrastructure Installer
"{A7091E1D-36A4-47F1-A739-173CC341414F}" = Cisco Systems VPN Client 5.0.03.0560
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A7D91856-258D-4C87-8041-B170851CE432}" = Dell Data Protection | Access
"{A82D052A-0806-42DF-80CD-1730A1AC0ED3}" = MrvlUsgTracking
"{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9.5
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Data Protection | Access
"{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Français, Deutsch
"{AC76BA86-1033-F400-BA7E-000000000004}_952" = Adobe Acrobat 9.5.2 - CPSID_83708
"{AC76BA86-1033-F400-BA7E-000000000004}{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{BD3068DE-D53B-4CE8-B2BC-32E1323441CD}" = PC-CCID
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C8B8C745-D288-41B4-9512-01E397F77449}" = Dell System Manager
"{CC1F6DA0-21D2-425A-B1B6-5B164A598450}" = SpyHunter
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{EF56258E-0326-48C5-A86C-3BAC26FC15DF}" = Roxio Creator Starter
"{EFFA53BC-8C04-2E21-3D90-A13B1697B0CA}" = Dragon NaturallySpeaking 11
"{F06B5C4C-8D2E-4B24-9D43-7A45EEC6C878}" = Roxio Creator Starter
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver
"{F3FE2AE3-BE3D-441B-B840-C34247DAA49A}" = Mobile Connect
"{F839C6BD-E92E-48FA-9CE6-7BFAF94F7096}" = DellAccess
"{F8D2BE6A-B725-47CD-A931-639A24B8EF10}" = Reader 2.1
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FFFE5DAD-27EF-40C8-9C13-546224F9A2D3}" = Dell ControlVault Host Components Installer
"9512AA21B791B05A54E27065C45BBC417AB282DF" = Windows Driver Package - Dell Inc. PBADRV System (09/11/2009 1.0.1.6)
"ActiveTouchMeetingClient" = Cisco WebEx Meetings
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Dell Webcam Central" = Dell Webcam Central
"Google Chrome" = Google Chrome
"HP LaserJet P1500 series" = HP LaserJet P1500 series
"InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9.5
"ISI ResearchSoft - Export Helper" = ISI ResearchSoft - Export Helper
"KAOTST9964527048417640" = Kaseya Agent (ohqc-admin-pc15.site-130bloor.managed.health-quality-ontario - manage.oitc.ca)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mobile Broadband Generic Drivers" = Mobile Broadband Generic Drivers
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"PRJPRO" = Microsoft Office Project Professional 2007
"ProInst" = Intel PROSet Wireless
"PROSetDX" = Intel® Network Connections 15.2.89.0
"Reader2.1" = Reader 2.1
"RealVNC_is1" = VNC Enterprise Edition E4.5.1
"VISPRO" = Microsoft Office Visio Professional 2007
"WinLiveSuite" = Windows Live Essentials

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 10/20/2011 2:12:50 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: VISIO.EXE, version: 12.0.4518.1014, time
stamp: 0x454281f4 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96e Exception code: 0xc0000005 Fault offset: 0x00059c5f Faulting process
id: 0x1960 Faulting application start time: 0x01cc8f520b123458 Faulting application
path: C:\Program Files\Microsoft Office\Office12\VISIO.EXE Faulting module path:
C:\Windows\SYSTEM32\ntdll.dll Report Id: 1e9bcc28-fb47-11e0-b434-90004eed4d3a

Error - 10/20/2011 2:15:17 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: OUTLOOK.EXE, version: 14.0.4760.1000, time
stamp: 0x4ba8fefd Faulting module name: ole32.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96f Exception code: 0xc0000005 Fault offset: 0x00060961 Faulting process
id: 0x1c28 Faulting application start time: 0x01cc8f540aaf3091 Faulting application
path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Faulting module path:
C:\Windows\system32\ole32.dll Report Id: 764d389f-fb47-11e0-b434-90004eed4d3a

Error - 10/21/2011 3:29:16 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: VISIO.EXE, version: 12.0.4518.1014, time
stamp: 0x454281f4 Faulting module name: MSVCR80.dll, version: 8.0.50727.4940, time
stamp: 0x4ca2b271 Exception code: 0xc0000005 Fault offset: 0x000172d7 Faulting process
id: 0x1254 Faulting application start time: 0x01cc9027b2e54e7c Faulting application
path: C:\Program Files\Microsoft Office\Office12\VISIO.EXE Faulting module path:
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Report
Id: f6a6a6d8-fc1a-11e0-b30f-90004eed4d3a

Error - 10/21/2011 3:29:23 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: VISIO.EXE, version: 12.0.4518.1014, time
stamp: 0x454281f4 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96e Exception code: 0xc015000f Fault offset: 0x00083f7e Faulting process
id: 0x1254 Faulting application start time: 0x01cc9027b2e54e7c Faulting application
path: C:\Program Files\Microsoft Office\Office12\VISIO.EXE Faulting module path:
C:\Windows\SYSTEM32\ntdll.dll Report Id: fa508ac0-fc1a-11e0-b30f-90004eed4d3a

Error - 10/25/2011 5:13:22 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: VISIO.EXE, version: 12.0.4518.1014, time
stamp: 0x454281f4 Faulting module name: VISLIB.dll, version: 12.0.4518.1014, time
stamp: 0x454282c3 Exception code: 0xc0000005 Fault offset: 0x00109433 Faulting process
id: 0x1778 Faulting application start time: 0x01cc93581c91ac26 Faulting application
path: C:\Program Files\Microsoft Office\Office12\VISIO.EXE Faulting module path:
C:\Program Files\Microsoft Office\Office12\VISLIB.dll Report Id: 2abe35b2-ff4e-11e0-b4c4-90004eed4d3a

Error - 10/25/2011 5:20:04 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: VISIO.EXE, version: 12.0.4518.1014, time
stamp: 0x454281f4 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96e Exception code: 0xc0000374 Fault offset: 0x000c37b7 Faulting process
id: 0x978 Faulting application start time: 0x01cc935af16dff3e Faulting application
path: C:\Program Files\Microsoft Office\Office12\VISIO.EXE Faulting module path:
C:\Windows\SYSTEM32\ntdll.dll Report Id: 1ad38be1-ff4f-11e0-b4c4-90004eed4d3a

Error - 10/25/2011 5:26:45 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: VISIO.EXE, version: 12.0.4518.1014, time
stamp: 0x454281f4 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96e Exception code: 0xc0000374 Fault offset: 0x000c37b7 Faulting process
id: 0x1630 Faulting application start time: 0x01cc935be984db5f Faulting application
path: C:\Program Files\Microsoft Office\Office12\VISIO.EXE Faulting module path:
C:\Windows\SYSTEM32\ntdll.dll Report Id: 09706b7b-ff50-11e0-b4c4-90004eed4d3a

Error - 10/26/2011 11:49:46 AM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: OUTLOOK.EXE, version: 14.0.4760.1000, time
stamp: 0x4ba8fefd Faulting module name: ole32.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96f Exception code: 0xc0000005 Fault offset: 0x000adf4e Faulting process
id: 0xe34 Faulting application start time: 0x01cc93f6737daaf2 Faulting application
path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Faulting module path:
C:\Windows\system32\ole32.dll Report Id: 2097d840-ffea-11e0-b4c4-90004eed4d3a

Error - 10/26/2011 11:50:50 AM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: OUTLOOK.EXE, version: 14.0.4760.1000, time
stamp: 0x4ba8fefd Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96e Exception code: 0xc0000005 Fault offset: 0x00052d37 Faulting process
id: 0x1218 Faulting application start time: 0x01cc93f6e6e3c924 Faulting application
path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Faulting module path:
C:\Windows\SYSTEM32\ntdll.dll Report Id: 46a2912e-ffea-11e0-b4c4-90004eed4d3a

Error - 10/26/2011 11:51:07 AM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Application Error | ID = 1000
Description = Faulting application name: VISIO.EXE, version: 12.0.4518.1014, time
stamp: 0x454281f4 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96e Exception code: 0xc0000374 Fault offset: 0x000c37b7 Faulting process
id: 0xb94 Faulting application start time: 0x01cc935cd8f33e5b Faulting application
path: C:\Program Files\Microsoft Office\Office12\VISIO.EXE Faulting module path:
C:\Windows\SYSTEM32\ntdll.dll Report Id: 50bc2ee0-ffea-11e0-b4c4-90004eed4d3a

[ OSession Events ]
Error - 8/26/2011 6:11:31 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 755
seconds with 60 seconds of active time. This session ended with a crash.

Error - 9/9/2011 4:00:48 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 28
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/9/2011 4:17:09 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 916
seconds with 600 seconds of active time. This session ended with a crash.

Error - 10/20/2011 1:46:12 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 10, Application Name: Microsoft Office Visio, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 435
seconds with 420 seconds of active time. This session ended with a crash.

Error - 10/20/2011 1:57:26 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 10, Application Name: Microsoft Office Visio, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 505
seconds with 480 seconds of active time. This session ended with a crash.

Error - 10/21/2011 3:29:22 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 10, Application Name: Microsoft Office Visio, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 15
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/25/2011 5:13:21 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 10, Application Name: Microsoft Office Visio, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1208
seconds with 1080 seconds of active time. This session ended with a crash.

Error - 11/8/2011 10:52:58 AM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 10, Application Name: Microsoft Office Visio, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 135
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11/8/2011 12:02:25 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 10, Application Name: Microsoft Office Visio, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 113
seconds with 0 seconds of active time. This session ended with a crash.

Error - 5/3/2012 5:21:30 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 9, Application Name: Microsoft Office Project, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 9239
seconds with 600 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 8/28/2012 8:30:31 AM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR3.

Error - 8/28/2012 8:30:52 AM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain OHQC due to the following: %%1722 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 8/28/2012 8:30:55 AM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft-Windows-GroupPolicy | ID = 1058
Description = The processing of Group Policy failed. Windows attempted to read the
file \\ohqc.int\SysVol\ohqc.int\Policies\{CC788D42-6AD9-4F60-9DC5-993D90C61549}\gpt.ini
from a domain controller and was not successful. Group Policy settings may not
be applied until this event is resolved. This issue may be transient and could be
caused by one or more of the following: a) Name Resolution/Network Connectivity
to the current domain controller. b) File Replication Service Latency (a file created
on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Error - 8/28/2012 3:46:19 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = EventLog | ID = 6008
Description = The previous system shutdown at 8:30:24 AM on 28/08/2012 was unexpected.

Error - 8/28/2012 3:46:26 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Service Control Manager | ID = 7001
Description = The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services
service which failed to start because of the following error: %%0

Error - 8/28/2012 3:46:26 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain OHQC due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 8/28/2012 3:46:31 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Microsoft-Windows-GroupPolicy | ID = 1129
Description = The processing of Group Policy failed because of lack of network connectivity
to a domain controller. This may be a transient condition. A success message would
be generated once the machine gets connected to the domain controller and Group
Policy has succesfully processed. If you do not see a success message for several
hours, then contact your administrator.

Error - 8/28/2012 3:47:39 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Search service to connect.

Error - 8/28/2012 3:47:39 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053

Error - 8/28/2012 3:49:06 PM | Computer Name = ohqc-admin-PC15.ohqc.int | Source = Service Control Manager | ID = 7034
Description = The Intel® Rapid Storage Technology service terminated unexpectedly.
It has done this 1 time(s).


< End of report >

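Before handing the log over, the "Vista Active Application Exception List" above deserves a triage pass of its own. Two "TCP/UDP Query User" rules (the kind Windows Firewall writes when someone clicks Allow on its pop-up) permit inbound traffic to an executable under a user's AppData\Local\Temp folder. Whatever that program turns out to be, an inbound allow rule for a binary in a temp directory is exactly the pattern to check when a machine is misbehaving. The following is an added example, not part of the original post and not OTL's code: it parses rule lines copied from the report above and applies a triage policy of the example's own choosing (the directory fragments treated as user-writable are an assumption, not a Windows definition).

```python
"""Triage OTL FirewallRules lines for inbound allow rules that deserve a second look."""
import re
from typing import Dict, List, Optional

# Rule lines copied verbatim from the OTL report above. The data is the page's;
# the triage policy applied to it below is this example's own.
SAMPLE_RULES = r'''
"{84760D1F-5B17-4942-A4C0-F31D971696DF}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{FD6D0596-723E-48DB-9858-730A6D4283EA}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{C7431CB1-17A8-40F7-A823-30A91BF8D26B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{FB46B464-43AE-4766-8CB7-6080DBE930F2}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"TCP Query User{F1AC506E-8268-4A78-B6AC-EBC4076DE531}C:\users\kstelmacovich\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe" = protocol=6 | dir=in | app=c:\users\kstelmacovich\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe |
"UDP Query User{EC79B524-2E71-465B-AB28-A360F2416DE5}C:\users\kstelmacovich\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe" = protocol=17 | dir=in | app=c:\users\kstelmacovich\appdata\local\temp\lmir0001.tmp\lmi_rescue.exe |
'''

RULE_RE = re.compile(r'^"(?P<id>[^"]+)"\s*=\s*(?P<body>.*)$')
PROTOCOLS = {"6": "tcp", "17": "udp"}

# Directory fragments a service binary has no business living in. Assumed triage
# policy for this example, not something OTL or Windows defines.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
    "%temp%",
    "%appdata%",
)


def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Split one OTL rule line into its identifier and its k=v fields (lower-cased)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {"id": m.group("id")}
    for part in m.group("body").split("|"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            rule[key.strip().lower()] = value.strip().lower()
    return rule


def triage(report_text: str) -> List[Dict[str, str]]:
    """Return the inbound rules that merit a manual look, each with its reasons."""
    findings = []
    for line in report_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule.get("dir") != "in":
            continue  # outbound rules and non-rule lines are out of scope here
        app = rule.get("app", "")
        reasons = []
        if any(frag in app for frag in USER_WRITABLE):
            reasons.append("program lives in a user-writable directory")
        if not app and not rule.get("svc") and not rule.get("lport"):
            reasons.append("no program, service or port restriction")
        if rule["id"].lower().startswith(("tcp query user", "udp query user")):
            reasons.append("created from an interactive 'allow access' prompt")
        if reasons:
            findings.append({
                "rule": rule["id"],
                "app": app or "(any)",
                "protocol": PROTOCOLS.get(rule.get("protocol", ""), "any"),
                "reasons": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RULES):
        print(f"{finding['protocol']:4} {finding['app']}\n     {finding['reasons']}")
```

Run against the sample, only the two lmi_rescue.exe rules come back; the Outlook, Messenger and SSDP rules are inbound too but point at installed programs or a fixed port, so they stay quiet. Replace SAMPLE_RULES with the full FirewallRules block from a report to triage the whole list.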
#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 29 August 2012 - 03:19 PM

Good evening. :)

Download AHT.zip from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Click Copy HOSTS File to text file and you should get a pop-up confirming that a text file called HostsFile.txt has been saved alongside AHT.exe
  • Please let me have a copy of the contents in your next reply.

So long, and thanks for all the fish.


#9 gormand

  • Topic Starter
  • Members
  • 6 posts

Posted 30 August 2012 - 07:44 AM

Hi,
See below


# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
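
Added example (editor's illustration, not part of the thread and not the AHT tool's code): a small audit of a Windows HOSTS file of the kind posted above. Search-redirect infections commonly either point search engines at an attacker-controlled address or blackhole AV/update hosts at 127.0.0.1, so the check below flags both patterns. The two sample files are constructed for the example (the "hijacked" one uses a documentation address, 192.0.2.44), the watched-domain list is an assumption, and the stock file path is the standard Windows location.

```python
import ipaddress

# Domains a client machine's HOSTS file should never override. This list is an
# assumption for the example; extend it with the vendors you care about.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com",
                    "microsoft.com", "windowsupdate.com")

# Constructed clean file: the stock Windows HOSTS file is comments only.
CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 102.54.94.97     rhino.acme.com          # source server
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
"""

# Constructed hijacked file for illustration (192.0.2.0/24 is TEST-NET-1).
HIJACKED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.0.2.44      www.google.com
192.0.2.44      www.bing.com   # injected
192.0.2.44      update.microsoft.com
127.0.0.1       ads.example.net
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping.

    A '#' anywhere on a line starts a comment, as in the Windows parser, and
    a line whose first field is not an IP address is ignored.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield n, ip, name.lower()


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return findings as (line_no, ip, hostname, reason).

    1. Any hostname mapped to a routable (non-loopback) address: traffic is
       silently sent elsewhere, which is what a redirect hijack does.
    2. A watched domain mapped to loopback/unspecified: not redirected but
       blackholed, the classic way to block AV and update sites.
    Loopback entries for other names (ad blocking, dev hosts) are left alone.
    """
    findings = []
    for n, ip, name in parse_hosts(text):
        is_watched = any(name == s or name.endswith("." + s) for s in watched)
        if ip.is_loopback or ip.is_unspecified:
            if is_watched:
                findings.append((n, str(ip), name, "watched domain blackholed"))
        else:
            findings.append((n, str(ip), name, "mapped to non-loopback address"))
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the live file (default path is the standard Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit_hosts(f.read())


if __name__ == "__main__":
    print("clean file findings:", audit_hosts(CLEAN_HOSTS))
    for line_no, ip, host, reason in audit_hosts(HIJACKED_HOSTS):
        print(f"line {line_no}: {ip} -> {host}: {reason}")
```

Run against the file posted in this reply, the audit returns nothing, because every mapping in it is commented out; that is the expected result for an untouched Windows 7 HOSTS file, and the redirect therefore has to be coming from somewhere else (DNS settings, a proxy, a browser extension, or a driver-level hook, which is what the next scan looks for).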

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:25 AM

Posted 30 August 2012 - 03:07 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click Yes - you may need to allow access through your firewall.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.


#11 gormand

gormand
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 31 August 2012 - 08:15 AM

Hi, this is what I got


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-31 08:52:00
-----------------------------
08:52:00.567 OS Version: Windows 6.1.7601 Service Pack 1
08:52:00.567 Number of processors: 4 586 0x2505
08:52:00.567 ComputerName: OHQC-ADMIN-PC15 UserName: lpwyllie
08:52:03.794 Initialize success
08:53:06.488 AVAST engine defs: 12083100
08:53:36.952 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:53:36.967 Disk 0 Vendor: TOSHIBA_ LH01 Size: 152627MB BusType: 8
08:53:37.281 Disk 0 MBR read successfully
08:53:37.281 Disk 0 MBR scan
08:53:37.578 Disk 0 Windows VISTA default MBR code
08:53:37.594 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
08:53:37.688 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 752 MB offset 81920
08:53:37.719 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 149788 MB offset 1622016
08:53:37.735 Disk 0 Partition - 00 0F Extended LBA 2044 MB offset 308387840
08:53:37.766 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 2043 MB offset 308389888
08:53:37.782 Disk 0 scanning sectors +312573952
08:53:37.860 Disk 0 scanning C:\Windows\system32\drivers
08:53:57.360 Service scanning
08:54:39.806 Modules scanning
08:54:57.677 Disk 0 trace - called modules:
08:54:57.693 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdfltn.sys ACPI.sys halmacpi.dll iaStor.sys
08:54:57.693 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87de72e8]
08:54:57.693 3 CLASSPNP.SYS[8b7bd59e] -> nt!IofCallDriver -> [0x86268df0]
08:54:57.709 5 stdfltn.sys[8b9d570c] -> nt!IofCallDriver -> [0x862621a8]
08:54:57.709 7 ACPI.sys[8b0bb3d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8628a028]
08:54:58.711 AVAST engine scan C:\Windows
08:55:02.862 AVAST engine scan C:\Windows\system32
08:59:32.392 AVAST engine scan C:\Windows\system32\drivers
08:59:54.784 AVAST engine scan C:\Users\lpwhyllie
09:03:34.394 AVAST engine scan C:\ProgramData
09:08:18.155 Scan finished successfully
09:14:00.503 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
09:14:01.657 The log file has been saved successfully to "F:\aswMBR.txt"
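
Added example (editor's illustration, not aswMBR's code and not taken from the thread): the partition-table and boot-code checks a tool like aswMBR performs on sector 0. The fixture MBR is assembled from the four primary entries in the log above (Dell Utility, the bootable 752 MB NTFS system partition, the main NTFS partition and the extended container; sector counts are derived from the gaps between the reported offsets, 2048 sectors per MB), while the boot code bytes are constructed filler, not the machine's real MBR. The checks are the generic ones: a valid 0x55AA signature, exactly one active partition, legal status bytes, no overlapping extents, and a boot-code hash compared against a known-good value.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446
BOOT_SIG = b"\x55\xaa"

# (status, type, first LBA, sector count), reconstructed from the aswMBR log.
LOG_PARTITIONS = [
    (0x00, 0xDE, 63, 81857),            # Dell Utility, ~39 MB
    (0x80, 0x07, 81920, 1540096),       # NTFS system partition, 752 MB, active
    (0x00, 0x07, 1622016, 306765824),   # NTFS, 149788 MB
    (0x00, 0x0F, 308387840, 4186112),   # Extended LBA container, 2044 MB
]

# Constructed filler standing in for real boot code (assumption, not the disk's MBR).
FILLER_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 8


def build_mbr(partitions, boot_code=FILLER_BOOT_CODE):
    """Assemble a 512-byte MBR: 446 bytes of code, four 16-byte entries, 0x55AA.
    CHS fields are zeroed; modern loaders use the LBA fields."""
    code = boot_code.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIG


def parse_mbr(sector):
    """Return the non-empty partition entries of a raw MBR sector as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("boot signature 0x55AA missing")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({
            "index": i + 1, "status": status, "type": ptype,
            "lba": lba, "sectors": count,
            "mb": count * SECTOR_SIZE // (1 << 20),
        })
    return entries


def boot_code_sha256(sector):
    """Hash of the 446 code bytes; compare with a value taken from a known-clean disk."""
    return hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest()


def check_mbr(sector, known_good_code_sha256=None):
    """Sanity checks to run before trusting an MBR. Empty list means nothing odd."""
    findings = []
    entries = parse_mbr(sector)

    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']}: invalid status byte 0x{e['status']:02x}")
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")

    # A normal partitioner never produces overlapping extents.
    ordered = sorted(entries, key=lambda e: e["lba"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba"] < prev["lba"] + prev["sectors"]:
            findings.append(f"partition {cur['index']} overlaps partition {prev['index']}")

    if known_good_code_sha256 and boot_code_sha256(sector) != known_good_code_sha256:
        findings.append("boot code differs from the known-good hash "
                        "(possible bootkit or non-standard loader)")
    return findings


if __name__ == "__main__":
    mbr = build_mbr(LOG_PARTITIONS)
    for e in parse_mbr(mbr):
        print(f"Partition {e['index']} {e['status']:02X} {e['type']:02X} "
              f"{e['mb']} MB offset {e['lba']}")
    print("findings:", check_mbr(mbr, boot_code_sha256(mbr)))
```

The MBR.dat that aswMBR writes next to its log is exactly this 512-byte sector, so the same functions can be pointed at it (read the file in binary mode and pass the bytes to check_mbr). Note the limits of the table checks: a bootkit that only replaces the code bytes leaves the partition table perfectly sane, which is why the hash comparison, or aswMBR's own "Windows VISTA default MBR code" verdict, is the part that matters for a redirect complaint.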

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:25 AM

Posted 31 August 2012 - 02:25 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:25 AM

Posted 08 September 2012 - 05:09 PM

As there has been no response for over five days this thread is now closed.

So long, and thanks for all the fish.
