Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis.log Please help Diagnose


  • Please log in to reply
12 replies to this topic

#1 Nuance

Nuance

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 24 January 2013 - 04:28 PM

Hi All

Before we start I want to say thanks for taking the time to help me out.

This computer is running slow through out the day and using 50% of the CPU while idle. CPu usage drops to normal levels when the computer is in use

I could really use some help looking through this log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:07:11 PM, on 01/24/13
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\ccSvcHst.exe
C:\Program Files\PDF Complete\pdfsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec.cloud\PlatformAgent\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\U2VSvr.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\MWUltraVnc\winvnc.exe
C:\Program Files\Symantec.cloud\AntiVirus\AVAgent.exe
c:\program files\symantec.cloud\antivirus\ssDVAgent.exe
C:\Program Files\MWUltraVnc\winvnc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\ccSvcHst.exe
C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\WINDOWS\system32\MTri1+.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Symantec.cloud\PlatformAgent\PAUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Xactware\Xactimate27\CORE\x.exe
C:\Program Files\Xactware\Common\QA.exe
C:\pcm\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: 24RadioBar - {eec7cc31-73f4-4f7f-ac41-80994c84711b} - C:\Program Files\Online_Radio_Canada\prxtbOnl2.dll
O3 - Toolbar: 24RadioBar Toolbar - {eec7cc31-73f4-4f7f-ac41-80994c84711b} - C:\Program Files\Online_Radio_Canada\prxtbOnl2.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\coIEPlg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [Util] C:\WINDOWS\system32\Util.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SymantecPaui] "C:\Program Files\Symantec.cloud\PlatformAgent\PAUI.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: BlackBerry Desktop Redirector.lnk = Program Files\Research In Motion\BlackBerry\Redirector.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: BlackBerry Desktop Redirector.lnk = Program Files\Research In Motion\BlackBerry\Redirector.exe (User 'Default user')
O4 - .DEFAULT Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe (User 'Default user')
O4 - Startup: BlackBerry Desktop Redirector.lnk = Program Files\Research In Motion\BlackBerry\Redirector.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=smb&pf=desktop
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: *.xactimate.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.0.20:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.0.20:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1330896730304
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} (Encrypt Class) - https://192.168.0.20:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} (Security Server Management Console) - https://192.168.0.20:4343/SMB/console/html/root/AtxConsole.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.11.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Al-Care.local
O17 - HKLM\Software\..\Telephony: DomainName = Al-Care.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Al-Care.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Al-Care.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Remote Support Customer\430\g2ax_winlogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist Remote Support Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Remote Support Customer\430\g2ax_service.exe
O23 - Service: Intel® PROSet Monitoring Service - Intel Corporation - C:\WINDOWS\system32\IProsetMonitor.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
O23 - Service: Endpoint Protection.cloud (NIS) - Symantec Corporation - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\ccSvcHst.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Symantec.cloud Cloud Agent (SsPaAdm) - Symantec Corporation - C:\Program Files\Symantec.cloud\PlatformAgent\ccSvcHst.exe
O23 - Service: Symantec.cloud Endpoint Protection (ssSpnAv) - Symantec Corporation - C:\Program Files\Symantec.cloud\AntiVirus\AVAgent.exe
O23 - Service: U2VSvr - Unknown owner - C:\WINDOWS\system32\U2VSvr.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\MWUltraVnc\winvnc.exe

--
End of file - 14494 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 28 January 2013 - 09:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this if fixed.[/b]
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#3 Nuance

Nuance
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 29 January 2013 - 05:07 PM

Hi Nasdaq

Thanks for the responds.
I have an issue
Link 1 doesn't work
and I can't find the actual download button for Link 2

Can you help me out?

Nuance

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 30 January 2013 - 07:46 AM

ComboFix has been removed from the links.
It's not to be used as it it infected. The owner is working a cleaning it. Please run this tool instead.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===

#5 Nuance

Nuance
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 31 January 2013 - 04:30 PM

Hi Nasdaq

Here are the logs as your requested sorry for the delay.


OTL logfile created on: 01/31/13 4:10:56 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = \\server4\users\peterd\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

1.93 Gb Total Physical Memory | 0.92 Gb Available Physical Memory | 47.89% Memory free
3.78 Gb Paging File | 2.84 Gb Available in Paging File | 75.30% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 109.90 Gb Free Space | 73.74% Space Free | Partition Type: NTFS
Drive S: | 1862.96 Gb Total Space | 1031.86 Gb Free Space | 55.39% Space Free | Partition Type: NTFS
Drive U: | 558.88 Gb Total Space | 426.27 Gb Free Space | 76.27% Space Free | Partition Type: NTFS
Drive V: | 1862.96 Gb Total Space | 1031.86 Gb Free Space | 55.39% Space Free | Partition Type: NTFS
Drive Z: | 279.37 Gb Total Space | 199.45 Gb Free Space | 71.39% Space Free | Partition Type: NTFS

Computer Name: AL21 | User Name: peterd | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - \\server4\users\peterd\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\Symantec.cloud\AntiVirus\ssDVAgent.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec.cloud\AntiVirus\AVAgent.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec.cloud\PlatformAgent\PAUI.exe (Symantec Corporation)
PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec.cloud\PlatformAgent\ccSvcHst.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\IPROSetMonitor.exe (Intel Corporation)
PRC - C:\Program Files\MWUltraVnc\winvnc.exe (UltraVNC)
PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe (Research In Motion Limited)
PRC - C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
PRC - C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe (Research In Motion Limited)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\WINDOWS\system32\MTri1+.exe (Magic Control Technology Corporation)
PRC - C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
PRC - C:\WINDOWS\system32\U2VSvr.exe ()
PRC - C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe (Lexmark International Inc.)
PRC - C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe ()
PRC - C:\Program Files\Kyocera\FileUtility\NsCatCom.exe (KYOCERA MITA Corporation)
PRC - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
PRC - C:\Program Files\Intel\AMT\LMS.exe (Intel Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc)
PRC - C:\WINDOWS\system32\lxdxcoms.exe ( )
PRC - C:\Program Files\ActivIdentity\ActivClient\accoca.exe (ActivIdentity)
PRC - C:\Program Files\ActivIdentity\ActivClient\acevents.exe (ActivIdentity)
PRC - C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6585a5fcaaa1b49b9a1bd9ca5c5c306e\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\da4bcb702feb770ce40cf1371b0c4d02\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\d35b50eb6bb7b1bfb6592419d9feba47\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\90ad0c96693527ae685ff40019bb33b0\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\3add69b075f3da012fb97ce00cd795c0\mscorlib.ni.dll ()
MOD - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\wincfi39.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL ()
MOD - C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\WINDOWS\system32\U2VSvr.exe ()
MOD - C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe ()
MOD - C:\Program Files\Lexmark 3600-4600 Series\lxdxcaps.dll ()
MOD - C:\Program Files\Lexmark 3600-4600 Series\lxdxscw.dll ()
MOD - C:\Program Files\Lexmark 3600-4600 Series\lxdxdrs.dll ()
MOD - C:\Program Files\Lexmark 3600-4600 Series\iptk.dll ()
MOD - C:\Program Files\Lexmark 3600-4600 Series\lxdxdatr.dll ()
MOD - C:\Program Files\Lexmark 3600-4600 Series\lxdxcnv4.dll ()
MOD - C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll ()
MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\lxdxdrpp.dll ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxdrui.dll ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxdr.dll ()
MOD - C:\WINDOWS\system32\lxdxcaps.dll ()
MOD - C:\WINDOWS\system32\lxdxdrs.dll ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxptpc.dll ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxdatr.dll ()
MOD - C:\WINDOWS\system32\lxdxcnv4.dll ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxhpec.dll ()
MOD - C:\WINDOWS\system32\aicext.dll ()
MOD - C:\Program Files\Lexmark 3600-4600 Series\lxdxptp.dll ()
MOD - C:\Program Files\Kyocera\FileUtility\HgTiff2Pdf.dll ()


========== Services (SafeList) ==========

SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (ssSpnAv) -- C:\Program Files\Symantec.cloud\AntiVirus\AVAgent.exe (Symantec Corporation)
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
SRV - (GoToAssist Remote Support Customer) -- C:\Program Files\Citrix\GoToAssist Remote Support Customer\430\g2ax_service.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (NIS) -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\ccSvcHst.exe (Symantec Corporation)
SRV - (SsPaAdm) -- C:\Program Files\Symantec.cloud\PlatformAgent\ccSvcHst.exe (Symantec Corporation)
SRV - (Intel® -- C:\WINDOWS\system32\IPROSetMonitor.exe (Intel Corporation)
SRV - (uvnc_service) -- C:\Program Files\MWUltraVnc\winvnc.exe (UltraVNC)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (U2VSvr) -- C:\WINDOWS\system32\U2VSvr.exe ()
SRV - (UNS) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files\Intel\AMT\LMS.exe (Intel Corporation)
SRV - (pdfcDispatcher) -- C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc)
SRV - (lxdx_device) -- C:\WINDOWS\system32\lxdxcoms.exe ( )
SRV - (lxdxCATSCustConnectService) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe ()
SRV - (accoca) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe (ActivIdentity)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\VirusDefs\20130130.033\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\VirusDefs\20130130.033\NAVENG.SYS (Symantec Corporation)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20130116.013\BHDrvx86.sys (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20130130.001\IDSXpx86.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\NIS\1402000.013\srtsp.sys (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\NIS\1402000.013\SymEFA.sys (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\NIS\1402000.013\SymDS.sys (Symantec Corporation)
DRV - (ccSet_NIS) -- C:\WINDOWS\system32\drivers\NIS\1402000.013\ccSetx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\NIS\1402000.013\symtdi.sys (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\NIS\1402000.013\Ironx86.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\NIS\1402000.013\srtspx.sys (Symantec Corporation)
DRV - (ccSet_Cloud) -- C:\WINDOWS\system32\drivers\Symantec.cloud\ccSetx86.sys (Symantec Corporation)
DRV - (e1kexpress) -- C:\WINDOWS\system32\drivers\e1k5132.sys (Intel Corporation)
DRV - (cpudrv) -- C:\Program Files\SystemRequirementsLab\cpudrv.sys ()
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (T1PMrGrp) -- C:\WINDOWS\system32\drivers\T1PMrGrp.sys (Magic Control Technology Corp.)
DRV - (T1PExGrp) -- C:\WINDOWS\system32\drivers\T1PExGrp.sys (Magic Control Technology Corp.)
DRV - (t1pusb) -- C:\WINDOWS\system32\drivers\t1pusb.sys (Magic Control Technology Corp.)
DRV - (HECI) -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)
DRV - (SFAUDIO) -- C:\WINDOWS\system32\drivers\sfaudio.sys (Sonic Focus, Inc)
DRV - (IFXTPM) -- C:\WINDOWS\system32\drivers\ifxtpm.sys (Infineon Technologies AG)
DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimTV5) -- C:\WINDOWS\system32\drivers\wATV10nt.sys (Intel® Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys (Intel® Corporation)
DRV - (iAimTV6) -- C:\WINDOWS\system32\drivers\wATV06nt.sys (Intel® Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\wATV01nt.sys (Intel® Corporation)
DRV - (iAimFP7) -- C:\WINDOWS\system32\drivers\wADV09NT.sys (Intel® Corporation)
DRV - (iAimFP5) -- C:\WINDOWS\system32\drivers\wADV07nt.sys (Intel® Corporation)
DRV - (iAimFP6) -- C:\WINDOWS\system32\drivers\wADV08NT.sys (Intel® Corporation)
DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wADV05NT.sys (Intel® Corporation)
DRV - (Symmpi) -- C:\WINDOWS\system32\drivers\symmpi.sys (LSI Logic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{47AB5F07-5AD2-4B3C-91A8-DF3AE226DB95}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1100&query={searchTerms}&invocationType=tb50hpcmdtie7-en-ca

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
IE - HKCU\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2436590
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: jqs@sun.com:1.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\IPSFFPlgn\ [2013/01/05 04:35:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\coFFPlgn\ [2013/01/26 04:36:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/11 06:48:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/05/27 19:08:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\peterd\Application Data\Mozilla\Extensions
[2012/06/16 16:34:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/30 06:32:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
[2012/06/16 16:34:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2012/04/30 06:32:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/10/21 02:01:03 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/11/16 16:03:10 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/11/16 16:03:08 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2006/02/28 02:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EEC7CC31-73F4-4F7F-AC41-80994C84711B} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [lxdxmon.exe] C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe ()
O4 - HKLM..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe (PDF Complete Inc)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [SymantecPaui] C:\Program Files\Symantec.cloud\PlatformAgent\PAUI.exe (Symantec Corporation)
O4 - HKLM..\Run: [Util] C:\WINDOWS\system32\Util.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe (Research In Motion Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Scanner File Utility.lnk = C:\Program Files\Kyocera\FileUtility\NsCatCom.exe (KYOCERA MITA Corporation)
O4 - Startup: C:\Documents and Settings\peterd\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk = File not found
O4 - Startup: C:\Documents and Settings\peterd\Start Menu\Programs\Startup\Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe (Research In Motion Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: Appsvr1 ([]file in Local intranet)
O15 - HKCU\..Trusted Domains: assuredsoftware.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: server2 ([]file in Local intranet)
O15 - HKCU\..Trusted Domains: sites ([]HTTPS in Local intranet)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} https://192.168.0.20:4343/officescan/console/ClientInstall/WinNTChk.cab (ObjWinNTCheck Class)
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} https://192.168.0.20:4343/officescan/console/ClientInstall/setup.cab (OfficeScan Corp Edition Web-Deployment SetupCtrl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1330896730304 (MUWebControl Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} https://192.168.0.20:4343/SMB/console/html/root/AtxEnc.cab (Encrypt Class)
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} https://192.168.0.20:4343/SMB/console/html/root/AtxConsole.cab (Security Server Management Console)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.11.0.cab (SysInfo Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Al-Care.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E6BB0C81-7343-489D-9136-689511FAC75E}: DhcpNameServer = 192.168.0.24
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ackpbsc: DllName - (C:\WINDOWS\system32\ackpbsc.dll) - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - (C:\Program Files\ActivIdentity\ActivClient\acunlock.dll) - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)
O20 - Winlogon\Notify\GoToAssist Express Customer: DllName - (C:\Program Files\Citrix\GoToAssist Remote Support Customer\430\g2ax_winlogon.dll) - C:\Program Files\Citrix\GoToAssist Remote Support Customer\430\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\peterd\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\peterd\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{61b225f2-7d7e-11e0-8ee2-001f3b90396d}\Shell - "" = AutoRun
O33 - MountPoints2\{61b225f2-7d7e-11e0-8ee2-001f3b90396d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{61b225f2-7d7e-11e0-8ee2-001f3b90396d}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{7f228d42-79a1-11e0-8ee1-001fe1ee8da5}\Shell - "" = AutoRun
O33 - MountPoints2\{7f228d42-79a1-11e0-8ee1-001fe1ee8da5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7f228d42-79a1-11e0-8ee1-001fe1ee8da5}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{7f228d49-79a1-11e0-8ee1-001fe1ee8da5}\Shell - "" = AutoRun
O33 - MountPoints2\{7f228d49-79a1-11e0-8ee1-001fe1ee8da5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7f228d49-79a1-11e0-8ee1-001fe1ee8da5}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk /p \??\C:)
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2013/01/31 16:09:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- \\server4\users\peterd\Desktop\OTL.exe
[2013/01/07 07:34:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
[2013/01/03 10:00:53 | 000,000,000 | ---D | C] -- C:\Program Files\BringMeSports_1cEI
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/31 16:11:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/31 16:09:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- \\server4\users\peterd\Desktop\OTL.exe
[2013/01/31 10:46:14 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\peterd\Local Settings\Application Data\d3d9caps.dat
[2013/01/31 01:00:09 | 000,049,664 | ---- | M] () -- C:\WINDOWS\RemComSvc.exe
[2013/01/29 14:13:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/01/28 07:51:24 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/01/26 04:32:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/26 04:31:31 | 000,002,334 | RHS- | M] () -- C:\Documents and Settings\peterd\ntuser.pol
[2013/01/26 04:31:07 | 000,012,916 | ---- | M] () -- C:\WINDOWS\System32\MTri1+.ini
[2013/01/26 04:00:52 | 000,647,429 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1402000.013\Cat.DB
[2013/01/19 09:00:00 | 1600,061,439 | ---- | M] () -- C:\kernel.etl
[2013/01/19 09:00:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\XperfStart.job
[2013/01/19 07:05:04 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Xperf0700.job
[2013/01/19 05:05:15 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Xperf0500.job
[2013/01/19 03:05:04 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Xperf0300.job
[2013/01/19 01:05:15 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Xperf0100.job
[2013/01/18 23:05:16 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Xperf2300.job
[2013/01/18 21:05:04 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Xperf2100.job
[2013/01/18 19:05:04 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Xperf1900.job
[2013/01/18 17:05:16 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Xperf1700.job
[2013/01/16 22:42:33 | 000,014,818 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1402000.013\VT20130115.021
[2013/01/12 04:07:14 | 000,001,809 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/01/12 04:02:24 | 000,675,404 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/01/12 04:02:24 | 000,156,694 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/01/09 04:11:31 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/01/09 04:11:31 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/01/09 04:11:28 | 015,739,912 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerInstaller.exe
[2013/01/06 00:34:35 | 006,009,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2013/01/05 04:33:14 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/10/25 12:27:06 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2012/10/25 12:27:04 | 000,000,146 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2012/10/25 12:16:06 | 000,000,768 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012/10/23 06:41:38 | 002,313,440 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/10/15 13:17:07 | 000,112,272 | ---- | C] () -- C:\Documents and Settings\peterd\g2ax_customer_downloadhelper_win32_x86.exe
[2012/08/14 11:24:32 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\peterd\Local Settings\Application Data\d3d9caps.dat
[2012/07/27 10:47:31 | 000,049,664 | ---- | C] () -- C:\WINDOWS\RemComSvc.exe
[2012/06/15 21:32:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/06/27 09:30:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/11/23 13:22:51 | 000,000,031 | ---- | C] () -- C:\Documents and Settings\peterd\tmuninst.ini
[2010/08/11 10:43:21 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\peterd\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/26 14:12:22 | 000,022,291 | ---- | C] () -- C:\Documents and Settings\peterd\Application Data\Microsoft Excel.ADR
[2010/05/26 14:09:04 | 000,038,488 | ---- | C] () -- C:\Documents and Settings\peterd\Application Data\Comma Separated Values (Windows).ADR
[2010/03/01 07:25:09 | 000,002,334 | RHS- | C] () -- C:\Documents and Settings\peterd\ntuser.pol
[2009/10/19 12:54:53 | 000,025,904 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== ZeroAccess Check ==========

[2009/10/17 13:58:33 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/12/22 00:21:02 | 001,509,888 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 04:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/01/07 07:34:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
[2013/01/31 05:40:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2010/06/25 09:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ODIR
[2010/11/23 13:01:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2010/07/22 01:34:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xactware
[2010/06/14 06:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/20 12:13:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2012/05/27 19:07:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\Bell
[2012/05/27 19:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\Blackberry Desktop
[2012/05/27 19:07:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\Infineon
[2012/05/27 19:07:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\InterVideo
[2012/05/27 19:08:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\NetSpell
[2012/05/27 19:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\Research In Motion
[2012/05/27 19:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\SampleView
[2012/05/27 19:09:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\Sierra Wireless
[2012/05/27 19:09:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\WebEx
[2012/05/27 19:09:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\Windows Desktop Search
[2012/05/27 19:09:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\Windows Small Business Server
[2012/05/27 19:09:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peterd\Application Data\XRite

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >
[2007/11/07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe

< %systemroot%\system32\drivers\*.sys /90 >

< %systemroot%\*. /mp /s >

< c:\$recycle.bin\*.* /s >
[2006/05/16 09:01:39 | 000,000,006 | -H-- | C] () -- C:\WINDOWS\Tasks\SA.DAT
[2006/05/16 09:01:39 | 000,000,065 | RH-- | C] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/10/20 12:12:02 | 000,000,284 | ---- | C] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2012/08/01 06:39:16 | 000,000,830 | ---- | C] () -- C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
[2012/10/23 15:14:56 | 000,000,236 | ---- | C] () -- C:\WINDOWS\Tasks\XperfStart.job
[2012/10/23 15:18:41 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Xperf0100.job
[2012/10/23 15:19:04 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Xperf0300.job
[2012/10/23 15:21:14 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Xperf0500.job
[2012/10/23 15:22:30 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Xperf0700.job
[2012/10/23 15:23:34 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Xperf1900.job
[2012/10/23 15:24:43 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Xperf2100.job
[2012/10/23 15:25:44 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Xperf1700.job
[2012/10/23 15:29:51 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Xperf2300.job

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-01-26 09:00:57

< MD5 for: AGP440.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2006/02/28 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 23:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 23:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2006/02/28 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 23:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 23:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: AUTOCHK.EXE >
[2008/04/14 04:42:14 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\ServicePackFiles\i386\autochk.exe
[2008/04/14 04:42:14 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\system32\autochk.exe
[2006/02/28 07:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\i386\AUTOCHK.EXE
[2006/02/28 07:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\WINDOWS\$NtServicePackUninstall$\autochk.exe

< MD5 for: BEEP.SYS >
[2001/08/17 15:47:38 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 04:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 04:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 02:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 02:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: IASTOR.SYS >
[2008/08/13 11:08:44 | 000,325,144 | ---- | M] (Intel Corporation) MD5=42BE6406094936A23280D68D9AEC33D0 -- C:\Compaq\MSD\IaStor.sys
[2008/08/13 11:08:44 | 000,325,144 | ---- | M] (Intel Corporation) MD5=42BE6406094936A23280D68D9AEC33D0 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: KERNEL32.DLL >
[2012/10/02 23:57:29 | 000,991,744 | ---- | M] (Microsoft Corporation) MD5=6CBFEEB384F04681AF75F495AA48DD32 -- C:\WINDOWS\$hf_mig$\KB2758857\SP3QFE\kernel32.dll
[2012/10/02 23:58:13 | 000,990,208 | ---- | M] (Microsoft Corporation) MD5=6FE42512AB1B89F32A7407F261B1D2D0 -- C:\WINDOWS\system32\dllcache\kernel32.dll
[2012/10/02 23:58:13 | 000,990,208 | ---- | M] (Microsoft Corporation) MD5=6FE42512AB1B89F32A7407F261B1D2D0 -- C:\WINDOWS\system32\kernel32.dll
[2004/08/04 02:56:44 | 000,983,552 | ---- | M] (Microsoft Corporation) MD5=888190E31455FAD793312F8D087146EB -- C:\WINDOWS\$NtServicePackUninstall$\kernel32.dll
[2009/03/21 09:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\$NtUninstallKB2758857$\kernel32.dll
[2008/04/14 04:41:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll
[2008/04/14 04:41:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\ServicePackFiles\i386\kernel32.dll
[2009/03/21 08:59:23 | 000,991,744 | ---- | M] (Microsoft Corporation) MD5=DA11D9D6ECBDF0F93436A4B7C13F7BEC -- C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll

< MD5 for: MSWSOCK.DLL >
[2004/08/04 02:56:46 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtServicePackUninstall$\mswsock.dll
[2008/06/20 12:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$NtUninstallKB2509553$\mswsock.dll
[2008/06/20 11:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 11:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\mswsock.dll
[2008/04/14 04:42:02 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
[2008/04/14 04:42:02 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\ServicePackFiles\i386\mswsock.dll
[2008/06/20 12:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\mswsock.dll
[2008/06/20 12:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll

< MD5 for: NDIS.SYS >
[2008/04/13 23:50:38 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\$NtUninstallKB952117-v2$\ndis.sys
[2008/04/13 23:50:38 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ServicePackFiles\i386\ndis.sys
[2004/08/04 01:14:30 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\WINDOWS\$NtUninstallKB952117-v2_0$\ndis.sys
[2008/04/25 04:41:50 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=83F1B9DD1BC1F8D0A4A00F1B34DDE5EF -- C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
[2008/04/24 06:49:54 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=8716356E49A665BDC7B114725B60A456 -- C:\WINDOWS\$hf_mig$\KB952117-v2\SP3QFE\ndis.sys
[2008/04/24 06:49:54 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=8716356E49A665BDC7B114725B60A456 -- C:\WINDOWS\system32\dllcache\ndis.sys
[2008/04/24 06:49:54 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=8716356E49A665BDC7B114725B60A456 -- C:\WINDOWS\system32\drivers\ndis.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 04:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 04:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 02:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NTFS.SYS >
[2008/04/13 23:45:54 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\ServicePackFiles\i386\ntfs.sys
[2008/04/13 23:45:54 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\system32\drivers\ntfs.sys
[2006/02/28 07:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\i386\NTFS.SYS
[2006/02/28 07:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\WINDOWS\$NtServicePackUninstall$\ntfs.sys

< MD5 for: NTMSSVC.DLL >
[2008/04/14 04:42:04 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\ServicePackFiles\i386\ntmssvc.dll
[2008/04/14 04:42:04 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\system32\ntmssvc.dll
[2004/08/04 02:56:46 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=B62F29C00AC55A761B2E45877D85EA0F -- C:\WINDOWS\$NtServicePackUninstall$\ntmssvc.dll

< MD5 for: PROQUOTA.EXE >
[2004/08/04 02:56:56 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
[2008/04/14 04:42:34 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\ServicePackFiles\i386\proquota.exe
[2008/04/14 04:42:34 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\proquota.exe

< MD5 for: QMGR.DLL >
[2004/08/04 02:56:46 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll
[2008/04/14 04:42:04 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ServicePackFiles\i386\qmgr.dll
[2008/04/14 04:42:04 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\bits\qmgr.dll
[2008/04/14 04:42:04 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\qmgr.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 02:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 04:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 04:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SFCFILES.DLL >
[2004/08/04 02:56:46 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\$NtServicePackUninstall$\sfcfiles.dll
[2008/04/14 04:42:06 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\ServicePackFiles\i386\sfcfiles.dll
[2008/04/14 04:42:06 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\system32\sfcfiles.dll

< MD5 for: SPOOLSV.EXE >
[2010/08/17 08:19:36 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=258DD5D4283FD9F9A7166BE9AE45CE73 -- C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[2010/08/17 08:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\system32\dllcache\spoolsv.exe
[2010/08/17 08:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\system32\spoolsv.exe
[2004/08/04 02:56:58 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=7435B108B935E42EA92CA94F59C8E717 -- C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
[2008/04/14 04:42:38 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\$NtUninstallKB2347290$\spoolsv.exe
[2008/04/14 04:42:38 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe

< MD5 for: SRSVC.DLL >
[2008/04/14 04:42:08 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\ServicePackFiles\i386\srsvc.dll
[2008/04/14 04:42:08 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\system32\srsvc.dll
[2004/08/04 02:56:46 | 000,170,496 | ---- | M] (Microsoft Corporation) MD5=92BDF74F12D6CBEC43C94D4B7F804838 -- C:\WINDOWS\$NtServicePackUninstall$\srsvc.dll

< MD5 for: SVCHOST.EXE >
[2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 02:56:58 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: TERMSRV.DLL >
[2004/08/04 02:56:48 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=B60C877D16D9C880B952FDA04ADF16E6 -- C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
[2008/04/14 04:42:08 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
[2008/04/14 04:42:08 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\system32\termsrv.dll

< MD5 for: USERINIT.EXE >
[2004/08/04 02:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 04:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 04:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: XMLPROV.DLL >
[2008/04/14 04:42:12 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\ServicePackFiles\i386\xmlprov.dll
[2008/04/14 04:42:12 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\system32\xmlprov.dll
[2004/08/04 02:56:48 | 000,129,536 | ---- | M] (Microsoft Corporation) MD5=EEF46DAB68229A14DA3D8E73C99E2959 -- C:\WINDOWS\$NtServicePackUninstall$\xmlprov.dll

< End of report >




OTL Extras logfile created on: 01/31/13 4:10:57 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = \\server4\users\peterd\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

1.93 Gb Total Physical Memory | 0.92 Gb Available Physical Memory | 47.89% Memory free
3.78 Gb Paging File | 2.84 Gb Available in Paging File | 75.30% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 109.90 Gb Free Space | 73.74% Space Free | Partition Type: NTFS
Drive S: | 1862.96 Gb Total Space | 1031.86 Gb Free Space | 55.39% Space Free | Partition Type: NTFS
Drive U: | 558.88 Gb Total Space | 426.27 Gb Free Space | 76.27% Space Free | Partition Type: NTFS
Drive V: | 1862.96 Gb Total Space | 1031.86 Gb Free Space | 55.39% Space Free | Partition Type: NTFS
Drive Z: | 279.37 Gb Total Space | 199.45 Gb Free Space | 71.39% Space Free | Partition Type: NTFS

Computer Name: AL21 | User Name: peterd | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\dllhost.exe:localsubnet:Enabled:MBSA" = %windir%\system32\dllhost.exe:localsubnet:Enabled:MBSA -- (Microsoft Corporation)
"%programfiles%\MWUltravnc\winvnc.exe:localsubnet:Enabled:uvnc_service" = %programfiles%\MWUltravnc\winvnc.exe:localsubnet:Enabled:uvnc_service -- (UltraVNC)
"%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance" = %windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance -- (Microsoft Corporation)
"%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance" = %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance -- (Microsoft Corporation)
"%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice" = %windir%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice -- (Microsoft Corporation)
"%windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled::Offer Remote Assistance" = %windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"5900:TCP:localsubnet:Enabled:Vncport" = 5900:TCP:localsubnet:Enabled:Vncport
"135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = localsubnet,192.168.0.0/24,192.168.10.0/24

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = localsubnet

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
"4481:TCP" = 4481:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync data transfer
"4481:UDP" = 4481:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync discovery
"4482:TCP" = 4482:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync data transfer
"4482:UDP" = 4482:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync discovery
"56002:TCP" = 56002:TCP:*:Enabled:Trend Micro Client/Server Security Agent Listener

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"56002:TCP" = 56002:TCP:*:Enabled:Trend Micro Client/Server Security Agent Listener

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\WINDOWS\system32\mstsc.exe" = C:\WINDOWS\system32\mstsc.exe:*:Enabled:Remote Desktop Connection -- (Microsoft Corporation)
"C:\Program Files\Kyocera\FileUtility\NsCatCom.exe" = C:\Program Files\Kyocera\FileUtility\NsCatCom.exe:*:Enabled:NsCatCom -- (KYOCERA MITA Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\WINDOWS\system32\lxdxcoms.exe" = C:\WINDOWS\system32\lxdxcoms.exe:*:Enabled:3600-4600 Series Server -- ( )
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxpswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxpswx.exe:*:Enabled:Printer Status Window Interface -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxtime.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxtime.exe:*:Enabled:Lexmark Connect Time Executable -- (Lexmark International, Inc.)
"C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe" = C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe:*:Enabled:Printer Device Monitor -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxjswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdxjswx.exe:*:Enabled:Job Status Window Interface -- ()
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe" = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe:*:Enabled:BlackBerry Desktop Manager -- (Research In Motion Limited)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Xactware\Xactimate27\CORE\x.exe" = C:\Program Files\Xactware\Xactimate27\CORE\x.exe:*:Enabled:Xactimate -- (Xactware)
"C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe" = C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe:*:Enabled:BlackBerry Desktop Software -- (Research In Motion)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe" = C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe:*:Disabled:Printer Device Monitor -- ()
"C:\Program Files\Kyocera\FileUtility\NsCatCom.exe" = C:\Program Files\Kyocera\FileUtility\NsCatCom.exe:*:Disabled:NsCatCom -- (KYOCERA MITA Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00270000-8116-4423-99E0-4A5D07E678E8}" = Xactimate 27
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{13333239-0A15-4855-BEEB-0232DAA5B7EA}" = BlackBerry Desktop Software 5.0.1
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}" = Safari
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java™ 6 Update 33
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (XACTWARE)
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{3032BC7D-E713-452D-AAF7-F5ED073226C8}" = Windows Small Business Server 2011 Standard ClientAgent
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{458F24ED-DEB5-4729-81EE-B989CEA2C217}" = Symantec.cloud - Endpoint Protection
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F38594F-2C4A-4C42-B2C4-505E225F6F80}" = HP Product Detection
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{61C79AE1-5403-4687-AC68-28BFA5EF3895}" = Kyocera Scanner File Utility
"{63B7AC7E-0178-4F4F-A79B-08D97ADD02D7}" = System Requirements Lab for Intel
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{735EF746-77A8-44E8-821F-4C77F038AA90}" = Symantec.cloud - Cloud Agent
"{75157F34-02C6-4831-BD66-3BC49E7A8394}" = BlackBerry Desktop Software 6.1
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{81C5AD1D-C7C6-48AC-AC85-8F04293B1780}" = USB Display Device (Trigger 1+) 9.18.1030.0159
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{901C0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Access 2002 Runtime
"{928D2FB1-291A-362B-89A4-7075A9D904A4}" = Microsoft Windows SDK for Windows 7 (7.1)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C29910B-82FF-48D6-9A21-6C3934127267}" = JPP
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC194855-F7AC-4D04-B4C9-07BA46FCB697}" = ActivClient 6.1 x86
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}" = BlackBerry Desktop Software 6.0
"{D2B1C10F-369B-40BC-B550-271F968C5EE0}" = Intel® Network Connections 17.3.63.0
"{D3AE96EE-2876-4B3F-847C-D3A4AD689E43}" = LogMeIn
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E7F9E526-2324-437B-A609-E8C5309465CB}" = Microsoft Windows Performance Toolkit
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver
"{F3215EE0-FE33-4AE4-90DA-62E39AF0C922}" = Symbility mobile claims
"{F7A8377A-3062-43B8-94F4-4E30EA43A9E9}" = Windows Small Business Server 2011 Standard WMI Provider
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"BlackBerry_{13333239-0A15-4855-BEEB-0232DAA5B7EA}" = BlackBerry Desktop Software 5.0.1
"BlackBerry_Desktop" = BlackBerry Desktop Software 6.1
"CCleaner" = CCleaner (remove only)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"GoToAssist Express Customer" = GoToAssist Customer 1.6.0.430
"HECI" = Intel® Management Engine Interface
"ie8" = Windows Internet Explorer 8
"Lexmark 3600-4600 Series" = Lexmark 3600-4600 Series
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox 7.0.1 (x86 en-US)" = Mozilla Firefox 7.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NIS" = Endpoint Protection.cloud
"ODIR_is1" = ODIR
"Online_Radio_Canada Toolbar" = Online_Radio_Canada Toolbar
"PDF Complete" = PDF Complete
"SDKSetup_7.1.7600.0.30514" = Microsoft Windows SDK for Windows 7 (7.1)
"Symantec Hosted Services ARP" = Symantec.cloud
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 01/14/13 4:23:57 AM | Computer Name = AL21 | Source = Userenv | ID = 1030
Description = Windows cannot query for the list of Group Policy objects. A message
that describes the reason for this was previously logged by the policy engine.

Error - 01/18/13 9:53:01 AM | Computer Name = AL21 | Source = MSSQL$XACTWARE | ID = 8313
Description = Error in mapping SQL Server performance object/counter indexes to
object/counter names. SQL Server performance counters are disabled.

Error - 01/18/13 9:53:01 AM | Computer Name = AL21 | Source = MSSQL$XACTWARE | ID = 3409
Description = Performance counter shared memory setup failed with error -1. Reinstall
sqlctr.ini for this instance, and ensure that the instance login account has correct
registry permissions.

Error - 01/18/13 9:59:09 AM | Computer Name = AL21 | Source = Application Error | ID = 1000
Description = Faulting application desktopmgr.exe, version 5.0.1.18, faulting module
desktopmgr.exe, version 5.0.1.18, fault address 0x000e6535.

Error - 01/20/13 6:40:20 AM | Computer Name = AL21 | Source = MSSQL$XACTWARE | ID = 8313
Description = Error in mapping SQL Server performance object/counter indexes to
object/counter names. SQL Server performance counters are disabled.

Error - 01/20/13 6:40:20 AM | Computer Name = AL21 | Source = MSSQL$XACTWARE | ID = 3409
Description = Performance counter shared memory setup failed with error -1. Reinstall
sqlctr.ini for this instance, and ensure that the instance login account has correct
registry permissions.

Error - 01/26/13 5:33:15 AM | Computer Name = AL21 | Source = MSSQL$XACTWARE | ID = 8313
Description = Error in mapping SQL Server performance object/counter indexes to
object/counter names. SQL Server performance counters are disabled.

Error - 01/26/13 5:33:15 AM | Computer Name = AL21 | Source = MSSQL$XACTWARE | ID = 3409
Description = Performance counter shared memory setup failed with error -1. Reinstall
sqlctr.ini for this instance, and ensure that the instance login account has correct
registry permissions.

Error - 01/30/13 5:05:13 PM | Computer Name = AL21 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 12.0.6665.5003, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 01/30/13 5:05:21 PM | Computer Name = AL21 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 12.0.6665.5003, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 03/07/11 4:18:13 PM | Computer Name = AL21 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 142
seconds with 120 seconds of active time. This session ended with a crash.

Error - 05/07/12 9:19:09 AM | Computer Name = AL21 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3462
seconds with 2940 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 01/18/13 9:53:09 AM | Computer Name = AL21 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdxCATSCustConnectService
service to connect.

Error - 01/18/13 9:53:09 AM | Computer Name = AL21 | Source = Service Control Manager | ID = 7000
Description = The lxdxCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 01/18/13 10:38:18 AM | Computer Name = AL21 | Source = DCOM | ID = 10010
Description = The server {2692A9D5-61DF-46D5-A5A1-A6CCA921D578} did not register
with DCOM within the required timeout.

Error - 01/20/13 6:40:23 AM | Computer Name = AL21 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdxCATSCustConnectService
service to connect.

Error - 01/20/13 6:40:23 AM | Computer Name = AL21 | Source = Service Control Manager | ID = 7000
Description = The lxdxCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 01/25/13 8:44:20 AM | Computer Name = AL21 | Source = DCOM | ID = 10010
Description = The server {2692A9D5-61DF-46D5-A5A1-A6CCA921D578} did not register
with DCOM within the required timeout.

Error - 01/25/13 4:46:23 PM | Computer Name = AL21 | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{E6BB0C81-7343-489D-9136-689511FAC75E}. The
backup browser is stopping.

Error - 01/26/13 5:31:37 AM | Computer Name = AL21 | Source = DCOM | ID = 10010
Description = The server {C2BFE331-6739-4270-86C9-493D9A04CD38} did not register
with DCOM within the required timeout.

Error - 01/26/13 5:33:19 AM | Computer Name = AL21 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdxCATSCustConnectService
service to connect.

Error - 01/26/13 5:33:19 AM | Computer Name = AL21 | Source = Service Control Manager | ID = 7000
Description = The lxdxCATSCustConnectService service failed to start due to the
following error: %%1053


< End of report >



Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Symantec Endpoint Protection.cloud
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner (remove only)
Java™ 6 Update 33
Java™ 6 Update 7
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox (7.0.1)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Symantec.cloud AntiVirus AVAgent.exe
symantec.cloud antivirus ssDVAgent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````

# AdwCleaner v2.109 - Logfile created 01/31/2013 at 16:29:02
# Updated 26/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : peterd - AL21
# Boot Mode : Normal
# Running from : \\server4\users\peterd\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\WINDOWS\system32\conduitEngine.tmp
Folder Found : C:\Documents and Settings\Administrator.AL-CARE\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\Administrator.AL-CARE\Local Settings\Application Data\Online_Radio_Canada
Folder Found : C:\Documents and Settings\NetworkService\Local Settings\Application Data\Online_Radio_Canada
Folder Found : C:\Documents and Settings\peterd\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\peterd\Local Settings\Application Data\Online_Radio_Canada
Folder Found : C:\Program Files\BringMeSports_1cEI
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\Online_Radio_Canada

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0A9D4F9E-943E-4F3C-AEE2-BFFAD64DE224}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0A9D4F9E-943E-4F3C-AEE2-BFFAD64DE224}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEC7CC31-73F4-4F7F-AC41-80994C84711B}
Key Found : HKCU\Software\Online_Radio_Canada
Key Found : HKCU\Software\SmartBar
Key Found : HKCU\Toolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0A9D4F9E-943E-4F3C-AEE2-BFFAD64DE224}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4A549A2A-A88A-4E54-BBF0-FF7D223F56E8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2436590
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D0C9D48-0922-4A60-9691-103921002C57}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A280B71-0EB8-45B6-A891-9D59ADDB8E19}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Online_Radio_Canada Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4A549A2A-A88A-4E54-BBF0-FF7D223F56E8}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online_Radio_Canada Toolbar
Key Found : HKLM\Software\Online_Radio_Canada
Key Found : HKU\S-1-5-21-1091572873-3027672263-4103654450-1138\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEC7CC31-73F4-4F7F-AC41-80994C84711B}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v7.0.1 (en-US)

File : C:\Documents and Settings\peterd\Application Data\Mozilla\Firefox\Profiles\qy6gq8dd.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3663 octets] - [31/01/2013 16:29:02]

########## EOF - U:\AdwCleaner[R1].txt - [3663 octets] ##########


Thanks again

Nuance

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 01 February 2013 - 10:04 AM

Please execute the instructions on my post no 2.

ComboFix has been fixed and is available.

Run the other tools as well and post the logs.

Let me know what problem persists.

#7 Nuance

Nuance
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 06 February 2013 - 04:57 PM

Here are the logs. It will take a day or so before I can figure out if the issue is resolved and the Client is in and out of the office


ComboFix 13-02-06.01 - peterd 02/06/13 16:33:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1977.843 [GMT -5:00]
Running from: \\server4\users\peterd\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection.cloud *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Symantec Endpoint Protection.cloud *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\peterd\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\peterd\WINDOWS
c:\documents and settings\peterd\WINDOWS\inifile.upd
c:\documents and settings\peterd\WINDOWS\ODBC.INI
c:\documents and settings\peterd\WINDOWS\win.ctx
c:\documents and settings\peterd\WINDOWS\win.ini
C:\Install.exe
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\OLD13.tmp
c:\windows\system32\OLDB.tmp
c:\windows\system32\OLDF.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_UVNC_SERVICE
-------\Service_uvnc_service
.
.
((((((((((((((((((((((((( Files Created from 2013-01-06 to 2013-02-06 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-06 07:02 . 2012-07-27 15:47 49664 ----a-w- c:\windows\RemComSvc.exe
2013-01-09 09:11 . 2012-04-12 14:00 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 09:11 . 2011-10-11 11:36 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-09 09:11 . 2012-12-12 07:11 15739912 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-12-16 12:23 . 2004-08-04 07:56 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2004-08-04 06:17 1866368 ----a-w- c:\windows\system32\win32k.sys
2011-11-16 21:03 . 2011-06-27 14:29 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-19 773144]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-28 298536]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2009-05-20 680616]
"EzPrint"="c:\program files\Lexmark 3600-4600 Series\ezprint.exe" [2009-05-20 107176]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"Util"="c:\windows\system32\Util.exe" [2009-08-26 189816]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"SymantecPaui"="c:\program files\Symantec.cloud\PlatformAgent\PAUI.exe" [2012-11-07 2234320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-08-28 129536]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-08-28 164352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-08-28 141312]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-8-31 1799512]
Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2009-10-19 348160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-11-28 00:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-11-28 00:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2012-10-15 18:17 610448 ----a-w- c:\program files\Citrix\GoToAssist Remote Support Customer\430\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-11-01 12:36 92072 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\Program Files\\Kyocera\\FileUtility\\NsCatCom.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"56002:TCP"= 56002:TCP:Trend Micro Client/Server Security Agent Listener
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [10/17/09 1:35 PM 24064]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1402000.013\SymDS.sys [01/04/13 2:29 AM 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1402000.013\SymEFA.sys [01/04/13 2:29 AM 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20130116.013\BHDrvx86.sys [01/15/13 9:51 PM 997464]
R1 ccSet_Cloud;CC Standalone Settings Manager;c:\windows\system32\drivers\Symantec.cloud\ccSetx86.sys [08/31/12 12:57 PM 132768]
R1 ccSet_NIS;Endpoint Protection.cloud Settings Manager;c:\windows\system32\drivers\NIS\1402000.013\ccSetx86.sys [01/04/13 2:29 AM 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1402000.013\Ironx86.sys [01/04/13 2:29 AM 175264]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [11/27/07 7:42 PM 185896]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [07/27/12 1:30 AM 112968]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/08/10 12:11 PM 374704]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [09/17/10 2:40 PM 12856]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/10 5:29 PM 29293408]
R2 NIS;Endpoint Protection.cloud;c:\program files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\ccSvcHst.exe [01/04/13 2:29 AM 143928]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [10/17/09 2:10 PM 576024]
R2 SsPaAdm;Symantec.cloud Cloud Agent;c:\program files\Symantec.cloud\PlatformAgent\ccSvcHst.exe [08/31/12 12:57 PM 138272]
R2 ssSpnAv;Symantec.cloud Endpoint Protection;c:\program files\Symantec.cloud\AntiVirus\AVAgent.exe [01/04/13 2:28 AM 414752]
R2 U2VSvr;U2VSvr;c:\windows\system32\U2VSvr.exe [05/07/10 12:12 PM 198008]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/17/09 2:07 PM 2054680]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [10/17/09 1:53 PM 237224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [02/02/13 3:11 AM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20130205.001\IDSXpx86.sys [02/05/13 10:41 PM 373728]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/17/09 1:32 PM 44800]
R3 T1PExGrp;T1PExGrp;c:\windows\system32\drivers\T1PExGrp.sys [05/07/10 12:12 PM 25600]
R3 T1PMrGrp;T1PMrGrp;c:\windows\system32\drivers\T1PMrGrp.sys [05/07/10 12:12 PM 26496]
R3 t1pusb;Trigger 1+ Graphics Card;c:\windows\system32\drivers\t1pusb.sys [05/07/10 12:12 PM 108032]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [12/21/09 9:22 AM 98984]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [06/02/11 10:08 AM 11336]
S3 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\430\g2ax_service.exe [10/15/12 2:16 PM 610960]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 09:11]
.
2013-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2013-01-19 c:\windows\Tasks\Xperf0100.job
- c:\xperf\Xperf0100.bat [2012-10-23 20:04]
.
2013-01-19 c:\windows\Tasks\Xperf0300.job
- c:\xperf\Xperf0300.bat [2012-10-23 20:05]
.
2013-01-19 c:\windows\Tasks\Xperf0500.job
- c:\xperf\Xperf0500.bat [2012-10-23 20:07]
.
2013-01-19 c:\windows\Tasks\Xperf0700.job
- c:\xperf\Xperf0700.bat [2012-10-23 20:07]
.
2013-01-18 c:\windows\Tasks\Xperf1700.job
- c:\xperf\Xperf1700.bat [2012-10-23 20:07]
.
2013-01-19 c:\windows\Tasks\Xperf1900.job
- c:\xperf\Xperf1900.bat [2012-10-23 20:08]
.
2013-01-19 c:\windows\Tasks\Xperf2100.job
- c:\xperf\Xperf2100.bat [2012-10-23 20:08]
.
2013-01-19 c:\windows\Tasks\Xperf2300.job
- c:\xperf\Xperf2300.bat [2012-10-23 20:08]
.
2013-01-19 c:\windows\Tasks\XperfStart.job
- c:\xperf\XperfStart.bat [2012-10-23 12:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://companyweb
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
TCP: DhcpNameServer = 192.168.0.24
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://192.168.0.20:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} - hxxps://192.168.0.20:4343/SMB/console/html/root/AtxConsole.cab
FF - ProfilePath - c:\documents and settings\peterd\Application Data\Mozilla\Firefox\Profiles\qy6gq8dd.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{EEC7CC31-73F4-4F7F-AC41-80994C84711B} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-06 16:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Symantec.cloud\EndpointProtectionAgent\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\430\g2ax_winlogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WININET.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'winlogon.exe'(2256)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\430\g2ax_winlogon.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(4164)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\lxdxcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\symantec.cloud\antivirus\ssDVAgent.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\sessmgr.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\430\g2ax_processfactory.exe
c:\windows\system32\rdpclip.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\windows\system32\dumprep.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2013-02-06 16:48:03 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-06 21:48
.
Pre-Run: 117,509,042,176 bytes free
Post-Run: 118,277,218,304 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6D1E428E666A0592D0217E853D7B8132


Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Symantec Endpoint Protection.cloud
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner (remove only)
Java™ 6 Update 33
Java™ 6 Update 7
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox (7.0.1)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Symantec.cloud AntiVirus AVAgent.exe
symantec.cloud antivirus ssDVAgent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````

# AdwCleaner v2.109 - Logfile created 02/06/2013 at 16:56:11
# Updated 26/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : peterd - AL21
# Boot Mode : Normal
# Running from : C:\pcm\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\WINDOWS\system32\conduitEngine.tmp
Folder Found : C:\Documents and Settings\Administrator.AL-CARE\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\Administrator.AL-CARE\Local Settings\Application Data\Online_Radio_Canada
Folder Found : C:\Documents and Settings\NetworkService\Local Settings\Application Data\Online_Radio_Canada
Folder Found : C:\Documents and Settings\peterd\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\peterd\Local Settings\Application Data\Online_Radio_Canada
Folder Found : C:\Program Files\BringMeSports_1cEI
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\Online_Radio_Canada

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0A9D4F9E-943E-4F3C-AEE2-BFFAD64DE224}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0A9D4F9E-943E-4F3C-AEE2-BFFAD64DE224}
Key Found : HKCU\Software\Online_Radio_Canada
Key Found : HKCU\Toolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0A9D4F9E-943E-4F3C-AEE2-BFFAD64DE224}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4A549A2A-A88A-4E54-BBF0-FF7D223F56E8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2436590
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D0C9D48-0922-4A60-9691-103921002C57}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A280B71-0EB8-45B6-A891-9D59ADDB8E19}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Online_Radio_Canada Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4A549A2A-A88A-4E54-BBF0-FF7D223F56E8}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online_Radio_Canada Toolbar
Key Found : HKLM\Software\Online_Radio_Canada
Key Found : HKU\S-1-5-21-1091572873-3027672263-4103654450-1138\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v7.0.1 (en-US)

File : C:\Documents and Settings\peterd\Application Data\Mozilla\Firefox\Profiles\qy6gq8dd.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3792 octets] - [31/01/2013 16:29:02]
AdwCleaner[R2].txt - [3377 octets] - [06/02/2013 16:56:12]

########## EOF - U:\AdwCleaner[R2].txt - [3377 octets] ##########

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 08 February 2013 - 09:47 AM

Secure your system by updating 3rd party programs.
 
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
 
Be careful not to install malware posing as Java update!
Important read this blog.
 
Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
 
How to disable Java in your browsers
 
You can manually check your present version and update as recommended.
 
If present remove the old version(s) of Java using the Add/Remove Programs applet.
 
 
Java™ 6 Update 33 
Java™ 6 Update 7
 
 
Java 7 update 10 introduced important new security controls
You can read about it here.
 
Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
I suggest that your un-check the box "Install the Ask Toolbar" before proceeding.
===
 
Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks... 
 
 
On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.
 
You will also have an option to install the Free! McAfee Security Scan Plus Un-check the box if you are NOT using McAfee's virus protection software.
 
For the users of Internet Explorer download version 11.
===
 
Get the latest version of the  Adobe Reader.
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
 
When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===
 
Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
 

  •  


  • Close all open programs and internet browsers.


  • Double click on AdwCleaner.exe to run the tool.


  • Click on Delete.


  • Everything that was found will be deleted.


  • Follow the prompts to reboot the computer. A text file will open after the restart.


  • Please post the content of that log file with your next answer.


  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number)..

 
 
Please let me know if all is well.


#9 Nuance

Nuance
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 14 February 2013 - 09:44 AM

Hi Nasdaq

 

The issue still remains.

 

# AdwCleaner v2.112 - Logfile created 02/12/2013 at 16:59:05
# Updated 10/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : administrator - AL21
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator.AL-CARE\Desktop\adwcleaner0.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\WINDOWS\system32\conduitEngine.tmp
Folder Found : C:\Program Files\BringMeSports_1cEI
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\Online_Radio_Canada

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEC7CC31-73F4-4F7F-AC41-80994C84711B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEC7CC31-73F4-4F7F-AC41-80994C84711B}
Key Found : HKCU\Software\Online_Radio_Canada
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0A9D4F9E-943E-4F3C-AEE2-BFFAD64DE224}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4A549A2A-A88A-4E54-BBF0-FF7D223F56E8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2436590
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D0C9D48-0922-4A60-9691-103921002C57}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A280B71-0EB8-45B6-A891-9D59ADDB8E19}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Online_Radio_Canada Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4A549A2A-A88A-4E54-BBF0-FF7D223F56E8}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online_Radio_Canada Toolbar
Key Found : HKLM\Software\Online_Radio_Canada
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEC7CC31-73F4-4F7F-AC41-80994C84711B}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R3].txt - [2442 octets] - [12/02/2013 16:59:05]

########## EOF - C:\AdwCleaner[R3].txt - [2502 octets] ##########



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 14 February 2013 - 10:50 AM

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
 
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number)..
  •  
    Please let me know what problem persists.


    #11 nasdaq

    nasdaq

    • Malware Response Team
    • 39,531 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:06:39 PM

    Posted 20 February 2013 - 11:02 AM

    If all is well:
     
    Time for some housekeeping
    The following will implement some cleanup procedures as well as reset  System Restore points:
     
    Click Start > Run  and copy/paste the following bold text into the Run box and click OK:
     
    ComboFix /Uninstall 
    ===
     
    To remove AdwCleaner.
     
    Please double click on AdwCleaner.exe to run the tool.
    Click on Uninstall.
    Confirm with Yes.
     
    If you decide to keep the AdwCleaner tool make sure delete your version and download the latest before running it.
     
    Delete the other tools we used.
    You can Keep the DDS tool as most forum will ask to see a log before suggesting a fix.
     
    Surf Safely, and Think Prevention!
    ===


    #12 Nuance

    Nuance
    • Topic Starter

    • Members
    • 6 posts
    • OFFLINE
    •  
    • Local time:05:39 PM

    Posted 20 February 2013 - 02:10 PM

    Hi Nasdaq

     

    All is not well. I am supporting this remotely and working around a user's schedule. Sorry for the delay.

     

    # AdwCleaner v2.112 - Logfile created 02/12/2013 at 16:59:20
    # Updated 10/02/2013 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : administrator - AL21
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Administrator.AL-CARE\Desktop\adwcleaner0.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\WINDOWS\system32\conduitEngine.tmp
    Folder Deleted : C:\Program Files\BringMeSports_1cEI
    Folder Deleted : C:\Program Files\Conduit
    Folder Deleted : C:\Program Files\Online_Radio_Canada

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEC7CC31-73F4-4F7F-AC41-80994C84711B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEC7CC31-73F4-4F7F-AC41-80994C84711B}
    Key Deleted : HKCU\Software\Online_Radio_Canada
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0A9D4F9E-943E-4F3C-AEE2-BFFAD64DE224}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4A549A2A-A88A-4E54-BBF0-FF7D223F56E8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2436590
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D0C9D48-0922-4A60-9691-103921002C57}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A280B71-0EB8-45B6-A891-9D59ADDB8E19}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Online_Radio_Canada Toolbar
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4A549A2A-A88A-4E54-BBF0-FF7D223F56E8}
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online_Radio_Canada Toolbar
    Key Deleted : HKLM\Software\Online_Radio_Canada
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEC7CC31-73F4-4F7F-AC41-80994C84711B}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    [OK] Registry is clean.

    *************************

    AdwCleaner[R3].txt - [2571 octets] - [12/02/2013 16:59:05]
    AdwCleaner[S1].txt - [2548 octets] - [12/02/2013 16:59:20]

    ########## EOF - C:\AdwCleaner[S1].txt - [2608 octets] ##########


    Edited by Nuance, 20 February 2013 - 02:11 PM.


    #13 nasdaq

    nasdaq

    • Malware Response Team
    • 39,531 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:06:39 PM

    Posted 21 February 2013 - 09:58 AM

    This is no longer a malware issue.
     
    Have a look at this article it may help you identify the culprit.
     
    You may want to start a new topic in this Windows XP forum
    An expert may be able to help you with this CPU problem.





    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users