
Possible Rootkit infection, undeletable temp files


  • This topic is locked
28 replies to this topic

#1 Damiac

  • Members
  • 22 posts

Posted 15 February 2013 - 04:11 PM

Hi Guys,

I was directed here after some preliminary troubleshooting.  I started looking for a possible infection after I noticed my laptop running a bit slowly, and then I noticed three temp files which could not be deleted. Those files are located in the C:\windows\temp folder:

  • gnserv.dat - 1 kb
  • hlktmp - 8209 kb
  • spserv.dat - 1 kb

 

So far I have run:

  • SuperAntiSpyware (full scan in safe mode)
  • ADW Cleaner
  • JRT
  • TFC
  • ASWMBR

 

I attached a text file with all the logs from those programs called scans.txt

 

I was then directed to run DDS and start a new post here.

 

The attach.txt is attached

The DDS Log follows:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16464
Run by Danian at 15:41:14 on 2013-02-15
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1789.803 [GMT -5:00]
.
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
C:\Windows\system32\crypserv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe
C:\PROGRAM FILES\COMMON FILES\SIEMENS\ALMPANELPLUGIN\ALMPANELPLUGIN.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Siemens\Step7\s7bin\s7hspsvx.exe
C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Siemens\SimNetCom\PNIOMGR.exe
C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008 Runtime\SmartServer.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\eCatcher-Talk2M\Talk2mVpnService\bin\Talk2MVpnService.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe
C:\Program Files\Common Files\Siemens\S7UBTOOX\S7ubTstx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Siemens\Sqlany\dbsrv9.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [WinCC flexible Smart Start] "c:\program files\siemens\simatic wincc flexible\wincc flexible 2008\HmiSmartStart.exe" /startup
mRun: [S7UB Start] "c:\program files\common files\siemens\s7ubtoox\s7ubtstx.exe" -StartDB
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
TCP: NameServer = 192.168.0.10 68.87.71.226
TCP: Interfaces\{BDC1A98C-1873-47CC-8572-8065410C042B} : DHCPNameServer = 192.168.0.10 68.87.71.226
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
P2 smartserver;Sm@rtServer;c:\program files\siemens\simatic wincc flexible\wincc flexible 2008 runtime\SmartServer.exe [2011-12-6 558416]
R1 dpmconv;SIMATIC NET DP Driver;c:\windows\system32\drivers\dpmconv32.sys [2011-4-19 288256]
R1 Dpmtrcdd;SIMATIC NET Softnet Trace Driver;c:\windows\system32\drivers\DPMTRCDD32.sys [2010-3-22 72248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-3-5 20384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 vsnl2ada;SIMATIC NET FDL Driver;c:\windows\system32\drivers\vsnl2ada32.sys [2011-4-19 140288]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2011-12-11 1138312]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-5-14 93312]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 FTActivationBoost;FactoryTalk Activation Helper;c:\program files\rockwell software\factorytalk activation\tools\FTActivationBoost.exe [2008-9-29 66848]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 s7hspsvx;S7 HSP Service;c:\program files\siemens\step7\s7bin\s7hspsvx.exe [2008-7-14 61493]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2011-11-4 412808]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [2010-3-1 31232]
R2 S7otranx32;SIMATIC Transport;c:\windows\system32\drivers\S7otranx32.sys [2011-5-6 521216]
R2 s7ousbu32x;SIMATIC USB Service;c:\windows\system32\drivers\s7ousbu32x.sys [2011-9-29 641280]
R2 s7sn2srtx;PROFINET IO RT-Protocol V2.0;c:\windows\system32\drivers\s7sn2srtx.sys [2011-6-16 63104]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2009-2-24 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2011-11-4 556168]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-3-9 317592]
R2 Talk2MVpnService;Talk2MVpnService;c:\program files\ecatcher-talk2m\talk2mvpnservice\bin\Talk2MVpnService.exe [2011-8-22 94208]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [2012-4-11 21464]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-5 7168]
R3 S7odpx2x32;SIMATIC Knotentaufe;c:\windows\system32\drivers\S7odpx2x32.sys [2011-5-6 87552]
R3 s7otsadx32;SIMATIC TS Adapter RS232-32;c:\windows\system32\drivers\s7otsadx32.sys [2011-9-29 182784]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-3-11 25088]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2011-9-15 27648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [2005-7-4 68280]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2011-9-15 55808]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-3-5 954368]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2008-7-5 39067]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [2008-7-5 155440]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-5-16 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
S4 AgilentIOLibrariesService;Agilent IO Libraries Service;c:\program files\agilent\io libraries suite\AgilentIOLibrariesService.exe [2009-10-9 51712]
S4 AgtMdnsResponder;Agilent mDNS Responder Service;c:\program files\agilent\io libraries suite\LxiMdnsResponder.exe [2009-7-14 330240]
S4 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
S4 ICONICSOPCServerSuiteLoggerV5;ICONICS OPC Server Suite 5.3 Event Logger;c:\program files\iconics\iconics opc server suite 5\server_eventlog.exe [2010-6-25 105248]
S4 ICONICSOPCServerSuiteV5;ICONICS OPC Server Suite 5.3;c:\program files\iconics\iconics opc server suite 5\server_runtime.exe [2010-6-25 436000]
.
=============== File Associations ===============
.
FileExt: .scr: DWGTrueViewScriptFile=c:\windows\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2013-02-15 17:03:59 -------- d-----w- c:\windows\ERUNT
2013-02-15 17:03:44 -------- d-----w- C:\JRT
2013-02-13 13:20:47 -------- d-----w- c:\users\danian\appdata\roaming\SUPERAntiSpyware.com
2013-02-13 13:20:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-02-13 13:20:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-02-12 23:59:31 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-12 23:47:36 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-12 23:47:35 2048512 ----a-w- c:\windows\system32\win32k.sys
2013-02-12 23:47:33 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-12 23:47:32 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-12 23:47:05 1314816 ----a-w- c:\windows\system32\quartz.dll
2013-02-05 19:23:32 -------- d-----w- c:\program files\Citrix
2013-02-05 19:22:29 -------- d-----w- c:\users\danian\appdata\local\Citrix
2013-01-29 23:10:04 -------- d-----w- c:\users\danian\appdata\local\Discovery Freelancer 4.86.0
2013-01-29 23:03:40 695578 ----a-w- c:\program files\microsoft games\freelancer\unins000.exe
2013-01-29 23:03:40 65536 ----a-w- c:\program files\microsoft games\freelancer\exe\gls_workaround.dll
2013-01-29 23:03:40 104960 ----a-w- c:\program files\microsoft games\freelancer\exe\libcurl.dll
2013-01-25 22:58:07 -------- d-----w- c:\users\danian\appdata\local\Freelancer
.
==================== Find3M  ====================
.
2013-02-12 23:59:14 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-12 23:59:13 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-15 00:01:04 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-15 00:01:03 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-08 22:11:21 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-01-08 22:03:20 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-01-08 22:03:12 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-01-08 21:59:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-01-08 21:58:29 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-01-08 21:56:23 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-30 18:28:19 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2012-12-30 18:28:19 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-20 04:22:50 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 15:43:33.70 ===============

 

Thank you for your assistance, I really appreciate the help.


#2 The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • Gender:Male
  • Location:Krypton

Posted 16 February 2013 - 05:59 PM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

 

I notice you said this about aswMBR:

 

After this I hit fix MBR and restarted.

 

This is actually rather a dangerous move, as making changes to the MBR if it is actually fine can actually damage it. Please bear this in mind when using tools.

 

=====

 

Please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.


Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#3 Damiac

  • Topic Starter

  • Members
  • 22 posts

Posted 16 February 2013 - 08:26 PM

Hi Dark Knight,

 

Thanks for your help,

 

By the way, I ran all those tools under the directions of Boopme on the Am I Infected forum; I would be too nervous to mess with the MBR on my own.

 

The MBAR scan came back clean, here are the logs.

 

Did you see anything suspicious in the DDS logs?

 

 

System Log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1020

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.000000 GHz
Memory total: 1876004864, free: 903733248

------------ Kernel report ------------
     02/16/2013 19:34:50
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\TVALZ_O.SYS
\SystemRoot\system32\DRIVERS\tos_sps32.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\AtiPcie.sys
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\FwLnk.sys
\SystemRoot\system32\DRIVERS\processr.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\Rtlh86.sys
\SystemRoot\system32\DRIVERS\athr.sys
\SystemRoot\system32\DRIVERS\tdcmdpst.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\??\C:\Windows\system32\drivers\fwkbdrtm.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\teamviewervpn.sys
\SystemRoot\system32\DRIVERS\tap0901.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\s7ousbu32x.sys
\SystemRoot\System32\Drivers\S7otranx32.sys
\SystemRoot\System32\Drivers\S7odpx2x32.sys
\SystemRoot\system32\DRIVERS\vsnl2ada32.sys
\SystemRoot\system32\DRIVERS\dpmconv32.sys
\SystemRoot\System32\DRIVERS\dpmtrcdd32.sys
\SystemRoot\System32\Drivers\s7otsadx32.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\evsbc.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\AGRSM.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\ehdrv.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\RTSTOR.SYS
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\jswpslwf.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\ckldrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\eamon.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\sntie.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\s7opcsrtx.sys
\SystemRoot\system32\DRIVERS\s7sn2srtx.sys
\SystemRoot\system32\DRIVERS\s7snsrtx.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\drivers\Haspnt.sys
\SystemRoot\system32\DRIVERS\epfwwfpr.sys
\SystemRoot\system32\drivers\hardlock.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\system32\DRIVERS\cdfs.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff84f86210
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff84f52b98
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.02.16.07
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff84f86210, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff84f9d588, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff84f86210, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff84f56658, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff84f52b98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xffffffffadb35098, 0xffffffff84f86210, 0xffffffff85060980
Lower DeviceData: 0xffffffffb4a16360, 0xffffffff84f52b98, 0xffffffff85cfd658
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 220ED127

Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 297136128
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 300210176  Numsec = 12369920
    Partition is not bootable
Hidden partition VBR is not infected.

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 160041885696 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-312561808-312581808)...
Done!
Performing system, memory and registry scan...
Read File: File "c:\ProgramData\{BB404D86-96D5-49BA-BE2E-955F3901C656}\GameStopApp_setup.dat" is compressed (flags = 1)
Read File: File "c:\ProgramData\{BB404D86-96D5-49BA-BE2E-955F3901C656}\GameStopApp_setup.lnk" is compressed (flags = 1)
Read File: File "c:\ProgramData\{BB404D86-96D5-49BA-BE2E-955F3901C656}\instance.dat" is compressed (flags = 1)
Read File: File "c:\ProgramData\{BB404D86-96D5-49BA-BE2E-955F3901C656}\GameStopApp_setup.dat" is compressed (flags = 1)
Read File: File "c:\ProgramData\{BB404D86-96D5-49BA-BE2E-955F3901C656}\GameStopApp_setup.lnk" is compressed (flags = 1)
Read File: File "c:\ProgramData\{BB404D86-96D5-49BA-BE2E-955F3901C656}\instance.dat" is compressed (flags = 1)
Done!
Scan finished
=======================================

 

 

Mbar log

Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org

Database version: v2013.02.16.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Danian :: DAMIAN-LAPTOP [administrator]

2/16/2013 8:07:28 PM
mbar-log-2013-02-16 (20-07-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 36222
Time elapsed: 30 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


 

Thanks again
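
The "Inspecting partition table" section of the MBAR system log above is a plain read of the four 16-byte partition entries in the first sector of the disk. The following is an added example (not code from this thread or from Malwarebytes) that parses a 512-byte MBR the same way and applies the basic sanity checks an anti-rootkit tool makes before trusting the table: boot signature present, exactly one active partition, no entry overlapping another or running past the end of the disk. The sector it reads is constructed in `build_sample_mbr()` to reproduce the layout in the log (types 0x27 / 0x07 / 0x17 / 0x00, the LBA starts and sector counts, disk signature 220ED127); its boot-code area is zero-filled, which a real MBR's is not. The helper names and the `TYPE_NAMES` labels are my own choices, not MBAR's.

```python
"""Parse and sanity-check a classic MBR partition table.

Added example, not code from the thread or from Malwarebytes. The sample
sector is constructed to match the partition table in the MBAR log.
"""
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 440     # 32-bit NT disk signature
ENTRY_OFFSET = 446        # four 16-byte partition entries start here
ENTRY_SIZE = 16
ENTRY_FMT = "<B3xB3xII"   # boot flag, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"

# Type bytes seen in the log; anything else is reported as raw hex.
TYPE_NAMES = {
    0x00: "Empty",
    0x07: "Primary",   # NTFS / exFAT "installable file system"
    0x17: "HIDDEN",    # hidden NTFS
    0x27: "Other",     # Windows RE / OEM recovery partition
}


def build_sample_mbr():
    """Constructed 512-byte sector reproducing the MBAR log's partition layout."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x220ED127)
    entries = [
        # (boot flag, type, start LBA, sector count)
        (0x00, 0x27, 2048, 3072000),
        (0x80, 0x07, 3074048, 297136128),
        (0x00, 0x17, 300210176, 12369920),
        (0x00, 0x00, 0, 0),
    ]
    for i, (flag, ptype, lba, count) in enumerate(entries):
        # CHS fields are left zero; modern tools rely on the LBA values.
        struct.pack_into(ENTRY_FMT, sector, ENTRY_OFFSET + i * ENTRY_SIZE,
                         flag, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the disk signature and the four partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("MBR boot signature 55AA missing; not a valid MBR")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, ENTRY_OFFSET + i * ENTRY_SIZE)
        partitions.append({
            "index": i,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "0x%02X" % ptype),
            "active": flag == 0x80,   # only 0x80 (and 0x00) are legal boot flags
            "start_lba": lba,
            "num_sectors": count,
        })
    return {"disk_signature": disk_sig, "partitions": partitions}


def check_table(table, disk_sectors):
    """Consistency findings for a parsed table; an empty list means it looks sane."""
    findings = []
    active = [p for p in table["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    used = sorted((p for p in table["partitions"] if p["type"] != 0x00),
                  key=lambda p: p["start_lba"])
    for p in used:
        if p["start_lba"] + p["num_sectors"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["index"])
    # Sorted by start, so an overlap anywhere shows up between neighbours.
    for a, b in zip(used, used[1:]):
        if a["start_lba"] + a["num_sectors"] > b["start_lba"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


def format_report(table):
    """Render the table in the same style as the log's partition listing."""
    lines = ["Disk Signature: %08X" % table["disk_signature"]]
    for p in table["partitions"]:
        lines.append("Partition %d type is %s (0x%X)" % (p["index"], p["type_name"], p["type"]))
        lines.append("Partition is %s." % ("ACTIVE" if p["active"] else "NOT ACTIVE"))
        lines.append("Partition starts at LBA: %d  Numsec = %d" % (p["start_lba"], p["num_sectors"]))
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    print(format_report(table))
    # 160041885696 bytes / 512-byte sectors, as reported under "Disk Size" in the log
    print("findings:", check_table(table, 160041885696 // 512))
```

Reading the sector of a live disk requires raw device access and is deliberately left out; the point is that the partition table itself is plain data, and the checks above are the ones a clean table should pass. A missing 55AA signature, two entries flagged active, or an entry that overlaps its neighbour are the kinds of inconsistencies that justify a closer look, while a table that passes all of them is simply what the log's "not infected" verdict is based on.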



#4 The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • Gender:Male
  • Location:Krypton

Posted 17 February 2013 - 04:38 AM

Hey Damiac,

 

By the way, I ran all those tools under the directions of Boopme on the Am I Infected forum, I would be too nervous to mess with the MBR on my own.

Ah, not a problem!

 

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.




#5 Damiac (Topic Starter, 22 posts)

Posted 17 February 2013 - 10:47 AM

Hi Dark Knight,

I ran ComboFix. It took a while, but it says it deleted some files. After I ran it and opened Internet Explorer, I got a window asking if I want to make Internet Explorer my default browser. It already was before; is that a normal effect of running ComboFix?

EDIT: Also, I keep getting security warnings from Internet Explorer after ComboFix, saying I'm about to enter a secure connection, or an insecure connection. I assume this is because of security settings getting defaulted or something, but I just want to make sure that's normal.

Thanks for the help,

Here is the ComboFix log:

ComboFix 13-02-15.01 - Danian 02/17/2013  10:21:52.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1789.757 [GMT -5:00]
Running from: c:\users\Danian\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Danian\AppData\Local\assembly\tmp
c:\windows\system32\pt
c:\windows\system32\pt\toscdspd.cpl.mui
c:\windows\system32\temp.010
c:\windows\system32\UNWISE.EXE
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-17 to 2013-02-17  )))))))))))))))))))))))))))))))
.
.
2013-02-17 15:35 . 2013-02-17 15:36 -------- d-----w- c:\users\Danian\AppData\Local\temp
2013-02-17 15:35 . 2013-02-17 15:35 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2013-02-17 15:35 . 2013-02-17 15:35 -------- d-----w- c:\users\ICONICS_USER\AppData\Local\temp
2013-02-17 15:35 . 2013-02-17 15:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-15 17:03 . 2013-02-15 17:03 -------- d-----w- c:\windows\ERUNT
2013-02-15 17:03 . 2013-02-15 17:03 -------- d-----w- C:\JRT
2013-02-13 13:20 . 2013-02-13 13:20 -------- d-----w- c:\users\Danian\AppData\Roaming\SUPERAntiSpyware.com
2013-02-13 13:20 . 2013-02-13 13:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-02-13 13:20 . 2013-02-13 13:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-02-12 23:59 . 2013-02-12 23:59 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-12 23:47 . 2013-01-04 11:28 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-12 23:47 . 2013-01-04 01:38 2048512 ----a-w- c:\windows\system32\win32k.sys
2013-02-12 23:47 . 2013-01-05 05:26 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-12 23:47 . 2013-01-05 05:26 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-12 23:47 . 2012-11-08 03:48 1314816 ----a-w- c:\windows\system32\quartz.dll
2013-02-05 19:23 . 2013-02-05 19:23 -------- d-----w- c:\program files\Citrix
2013-02-05 19:22 . 2013-02-05 19:22 -------- d-----w- c:\users\Danian\AppData\Local\Citrix
2013-01-29 23:10 . 2013-01-29 23:22 -------- d-----w- c:\users\Danian\AppData\Local\Discovery Freelancer 4.86.0
2013-01-29 23:03 . 2013-01-29 23:03 695578 ----a-w- c:\program files\Microsoft Games\Freelancer\unins000.exe
2013-01-29 23:03 . 2008-05-22 03:41 65536 ----a-w- c:\program files\Microsoft Games\Freelancer\EXE\gls_workaround.dll
2013-01-29 23:03 . 2007-10-02 08:37 104960 ----a-w- c:\program files\Microsoft Games\Freelancer\EXE\libcurl.dll
2013-01-25 22:58 . 2013-01-25 22:58 -------- d-----w- c:\users\Danian\AppData\Local\Freelancer
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-12 23:59 . 2012-05-20 19:42 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-12 23:59 . 2011-02-09 13:54 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-15 00:01 . 2012-03-30 21:33 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-15 00:01 . 2011-08-03 12:11 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-30 18:28 . 2012-12-30 18:28 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2012-12-30 18:28 . 2012-12-30 18:28 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2012-12-16 13:12 . 2012-12-22 18:48 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-22 18:48 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2011-11-18 14:16 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-20 04:22 . 2013-01-09 13:28 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-05 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2011-12-14 118784]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 13:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 13:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-06-16 05:01 448080 ----a-w- c:\program files\TOSHIBA\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 20:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-05 08:45 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2480003400-1380318090-1198948173-1000]
"EnableNotificationsRef"=dword:00000001
.
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-13 13:20]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-13 13:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 71.243.0.12 71.250.0.12 192.168.1.2
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-TOSCDSPD - TOSCDSPD.EXE
AddRemove-Coupon Printer for Windows5.0.0.1 - c:\program files\Coupons\uninstall.exe
AddRemove-EZWare-500_Docs - c:\maplesystems\EZ500\Docs\uninst32.exe
AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-17 10:36
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-02-17  10:40:22
ComboFix-quarantined-files.txt  2013-02-17 15:40
.
Pre-Run: 55,139,700,736 bytes free
Post-Run: 55,307,206,656 bytes free
.
- - End Of File - - 82CAA6950354EFFCD454150BB14285AA

Edited by Damiac, 17 February 2013 - 11:09 AM.


#6 The Dark Knight (Security Colleague, 661 posts)

Posted 17 February 2013 - 03:31 PM

Good morning Damiac,

    After I ran it and opened Internet Explorer, I got a window asking if I want to make Internet Explorer my default browser. It already was before; is that a normal effect of running ComboFix?

    EDIT: Also, I keep getting security warnings from Internet Explorer after ComboFix, saying I'm about to enter a secure connection, or an insecure connection. I assume this is because of security settings getting defaulted or something, but I just want to make sure that's normal.

Yes. Sometimes ComboFix resets some basic settings, and this is one of them.

 

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.


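The OTL custom scan requested above enumerates the autostart surface (the netsvcs group, Drivers32, recently changed files under the system root, the Run keys) and prints one line per process, module, service and driver; the ComboFix log in reply #5 lists Run-key values in its own "name"="path" [date size] form. The script below is an added example, not code from this thread, from OTL or from ComboFix. It parses both line formats and applies the triage heuristics a responder applies when reading such a log: a registered driver or service whose image file is missing, a driver reported running with no file on disk, a binary whose version info carries no company name, and anything loading from Temp or AppData. The sample lines are constructed (the user name alice, hidden.sys and updater.exe are invented; the other paths copy the formats seen on this page).

```python
"""Triage OTL-style (PRC/MOD/SRV/DRV) and ComboFix-style Run-key lines. Added example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input. OTL prints "KIND - [date | size | attrs | M] (Company) [state]
# -- path -- (name)" or "KIND - File not found [state] -- path -- (name)"; ComboFix prints
# Run-key values as "name"="path" [yyyy-mm-dd size]. hidden.sys and updater.exe are invented.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\alice\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | System | Running] -- C:\Windows\System32\drivers\hidden.sys -- (hidden)
DRV - [2011/04/07 16:20:42 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2009/06/12 19:07:44 | 000,020,742 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\Ckldrv.sys -- (NetworkX)
SRV - [2009/05/29 14:19:52 | 000,126,976 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\Windows\System32\Crypserv.exe -- (Crypkey License)
PRC - [2013/02/17 16:35:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\alice\Desktop\OTL.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-05 39408]
"upd"="c:\windows\temp\updater.exe" [2013-02-10 8192]
"""

OTL_KINDS = ("PRC", "MOD", "SRV", "DRV")
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<date>\S+) (?P<size>\d+)\])?\s*$')
# Locations an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = re.compile(r"\\(?:temp|tmp|appdata|downloads|users\\public)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                      # PRC, MOD, SRV, DRV or RUN
    path: str
    name: Optional[str] = None     # service/driver name or Run value name
    company: Optional[str] = None  # None when the version info has no company
    state: Optional[str] = None    # e.g. "Kernel | System | Running"
    missing: bool = False          # OTL printed "File not found"
    modified: Optional[str] = None
    size: Optional[int] = None


def parse_otl(line: str) -> Optional[Entry]:
    if line[:3] not in OTL_KINDS or line[3:6] != " - ":
        return None
    parts = line[6:].split(" -- ")
    if len(parts) < 2:
        return None
    head, e = parts[0], Entry(kind=line[:3], path=parts[1])
    if len(parts) > 2 and parts[2].startswith("(") and parts[2].endswith(")"):
        e.name = parts[2][1:-1]
    if head.startswith("File not found"):
        e.missing = True
        rest = head[len("File not found"):].strip()
    else:
        close = head.find("]")  # end of the "[date | size | attrs | M]" block
        if not head.startswith("[") or close < 0:
            return None
        fields = [f.strip() for f in head[1:close].split("|")]
        if len(fields) < 2:
            return None
        e.modified, e.size = fields[0], int(fields[1].replace(",", ""))
        rest = head[close + 1:].strip()
    if rest.endswith("]"):  # trailing "[state]" block; PRC/MOD lines have none
        open_b = rest.rfind("[")
        e.state, rest = rest[open_b + 1:-1], rest[:open_b].strip()
    if rest.startswith("(") and rest.endswith(")"):
        # Strip only the outer parens so "(CrypKey (Canada) Ltd.)" survives intact.
        e.company = rest[1:-1].strip() or None
    return e


def parse_run(line: str) -> Optional[Entry]:
    m = RUN_LINE.match(line)
    if not m:
        return None
    size = m.group("size")
    return Entry(kind="RUN", path=m.group("path"), name=m.group("name"),
                 modified=m.group("date"), size=int(size) if size else None)


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    return parse_otl(line) or parse_run(line)


def triage(e: Entry) -> List[str]:
    """Cheap heuristics that rank entries for a closer look; none is a verdict on its own."""
    flags: List[str] = []
    if e.missing:
        if e.state and "Running" in e.state:
            flags.append("running with no file on disk: possible hidden (rootkit) driver")
        else:
            flags.append("orphaned registration: image file missing")
    elif e.kind in OTL_KINDS and e.company is None:
        flags.append("no company name in version info")
    if USER_WRITABLE.search(e.path):
        flags.append("image lives in a user-writable/temp location")
    return flags


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its flags; unflagged and unparsed lines are dropped."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is not None:
            flags = triage(e)
            if flags:
                findings[e.path] = flags
    return findings


if __name__ == "__main__":
    for path, flags in triage_log(SAMPLE_LOG).items():
        print(path + "\n    " + "\n    ".join(flags))
```

The flags rank, they do not convict: the catchme.sys entry that this heuristic raises is the driver of the catchme rootkit scanner that ComboFix itself ran (see the "catchme 0.3.1398 ... by Gmer" section of the ComboFix log in reply #5), and OEM utilities are often shipped without a company name. The one flag worth treating as urgent is a kernel driver reported Running while its file cannot be found, since a driver that is resident but invisible to the file system is exactly what a stealth rootkit looks like from user mode.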


#7 Damiac (Topic Starter, 22 posts)

Posted 17 February 2013 - 04:59 PM

Hi Dark Knight,

OK, I ran OTL with the custom parameters you listed. I hit Run Scan, not Run Fix.

Here is OTL.txt:

OTL logfile created on: 2/17/2013 4:37:46 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Danian\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.75 Gb Total Physical Memory | 0.51 Gb Available Physical Memory | 29.38% Memory free
3.74 Gb Paging File | 2.21 Gb Available in Paging File | 59.16% Paging File free
Paging file location(s): ?:\pagefile.sys
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 141.69 Gb Total Space | 59.25 Gb Free Space | 41.82% Space Free | Partition Type: NTFS
 
Computer Name: DAMIAN-LAPTOP | User Name: Danian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/02/17 16:35:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Danian\Desktop\OTL.exe
PRC - [2012/12/18 09:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/11 20:07:24 | 001,138,312 | ---- | M] (SIEMENS AG) -- C:\Program Files\Common Files\Siemens\SWS\almsrv\almsrvx.exe
PRC - [2011/12/06 21:06:54 | 000,558,416 | ---- | M] (Siemens AG) -- C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008 Runtime\SmartServer.exe
PRC - [2011/11/09 19:51:34 | 000,218,960 | ---- | M] (Siemens AG) -- C:\Program Files\Common Files\Siemens\AlmPanelPlugin\ALMPanelPlugin.exe
PRC - [2011/11/04 00:41:34 | 000,556,168 | ---- | M] (SIEMENS AG) -- C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
PRC - [2011/11/04 00:41:30 | 000,412,808 | ---- | M] (SIEMENS AG) -- C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
PRC - [2011/10/24 10:03:54 | 002,087,424 | ---- | M] (SIEMENS AG) -- C:\Program Files\Common Files\Siemens\SimNetCom\pniomgr.exe
PRC - [2011/07/01 11:52:02 | 000,094,208 | ---- | M] (eWON s.a.) -- C:\Program Files\eCatcher-Talk2M\Talk2mVpnService\bin\Talk2MVpnService.exe
PRC - [2010/07/06 10:03:00 | 000,173,352 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
PRC - [2009/06/11 07:18:38 | 000,222,496 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RsvcHost.exe
PRC - [2009/06/10 21:34:06 | 000,028,672 | ---- | M] (Rockwell Automation Inc.) -- C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
PRC - [2009/05/29 14:19:52 | 000,126,976 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\Windows\System32\Crypserv.exe
PRC - [2009/05/14 14:47:54 | 000,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009/05/14 14:47:08 | 002,029,640 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/29 13:49:46 | 000,066,848 | ---- | M] (Rockwell Automation Inc.) -- C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe
PRC - [2008/07/14 23:02:44 | 000,102,453 | ---- | M] (SIEMENS AG) -- C:\Program Files\Common Files\Siemens\S7UBTOOX\S7ubTstx.exe
PRC - [2008/07/14 20:06:30 | 000,061,493 | ---- | M] (SIEMENS AG) -- C:\Program Files\Siemens\Step7\S7BIN\s7hspsvx.exe
PRC - [2008/04/11 03:51:58 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2008/04/08 18:14:50 | 006,037,504 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/03/19 16:35:44 | 000,716,800 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
PRC - [2008/02/06 16:52:52 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
PRC - [2008/02/06 16:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2007/12/03 20:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
PRC - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2007/04/02 17:51:56 | 000,083,512 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Common Files\Siemens\SQLANY\dbsrv9.exe
PRC - [2007/03/09 00:00:30 | 000,317,592 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
PRC - [2006/12/21 06:30:02 | 000,206,400 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2008/04/23 01:05:08 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
MOD - [2008/03/06 13:14:54 | 005,121,912 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
MOD - [2007/12/25 15:03:40 | 000,015,184 | ---- | M] () -- C:\Program Files\TOSHIBA\PCDiag\NotifyPCD.dll
MOD - [2007/12/15 00:40:00 | 000,090,112 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\TWarnMsg\TWarnMsg.dll
MOD - [2006/10/10 13:44:16 | 000,009,728 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Assist\NotifyX.dll
MOD - [2006/10/07 13:57:04 | 000,053,248 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Disc Creator\NotifyTDC.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2012/12/18 09:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/11 13:54:49 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCore.exe -- (!SASCORE)
SRV - [2011/12/11 20:07:24 | 001,138,312 | ---- | M] (SIEMENS AG) [Auto | Running] -- C:\Program Files\Common Files\Siemens\SWS\almsrv\almsrvx.exe -- (almservice)
SRV - [2011/12/06 21:06:54 | 000,558,416 | ---- | M] (Siemens AG) [Auto | Paused] -- C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008 Runtime\SmartServer.exe -- (smartserver)
SRV - [2011/11/04 00:41:34 | 000,556,168 | ---- | M] (SIEMENS AG) [Auto | Running] -- C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe -- (S7TraceServiceX)
SRV - [2011/11/04 00:41:30 | 000,412,808 | ---- | M] (SIEMENS AG) [Auto | Running] -- C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe -- (s7oiehsx)
SRV - [2011/07/01 11:52:02 | 000,094,208 | ---- | M] (eWON s.a.) [Auto | Running] -- C:\Program Files\eCatcher-Talk2M\Talk2mVpnService\bin\Talk2MVpnService.exe -- (Talk2MVpnService)
SRV - [2010/11/18 08:21:00 | 000,554,400 | ---- | M] (ICONICS, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\ICONICS\GenRegistrarServer.exe -- (GenRegistrar)
SRV - [2010/07/06 10:03:00 | 000,173,352 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe -- (TeamViewer5)
SRV - [2010/06/25 01:54:00 | 000,105,248 | ---- | M] (Kepware Technologies) [Disabled | Stopped] -- C:\Program Files\ICONICS\ICONICS OPC Server Suite 5\server_eventlog.exe -- (ICONICSOPCServerSuiteLoggerV5)
SRV - [2010/06/25 01:48:52 | 000,436,000 | ---- | M] (Kepware Technologies) [Disabled | Stopped] -- C:\Program Files\ICONICS\ICONICS OPC Server Suite 5\server_runtime.exe -- (ICONICSOPCServerSuiteV5)
SRV - [2009/10/09 16:33:40 | 000,051,712 | ---- | M] (Agilent) [Disabled | Stopped] -- C:\Program Files\Agilent\IO Libraries Suite\AgilentIOLibrariesService.exe -- (AgilentIOLibrariesService)
SRV - [2009/07/14 14:46:58 | 000,330,240 | ---- | M] (Agilent) [Disabled | Stopped] -- C:\Program Files\Agilent\IO Libraries Suite\LxiMdnsResponder.exe -- (AgtMdnsResponder)
SRV - [2009/06/11 07:18:38 | 000,222,496 | ---- | M] (Rockwell Automation, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Rockwell\RsvcHost.exe -- (RsvcHost)
SRV - [2009/06/11 07:17:18 | 000,148,768 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe -- (RNADiagReceiver)
SRV - [2009/06/10 21:34:06 | 000,028,672 | ---- | M] (Rockwell Automation Inc.) [Auto | Running] -- C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe -- (RNADiagnosticsService)
SRV - [2009/05/29 14:19:52 | 000,126,976 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\Windows\System32\Crypserv.exe -- (Crypkey License)
SRV - [2009/05/14 14:54:22 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/05/14 14:47:54 | 000,731,840 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2009/02/05 02:04:08 | 000,139,488 | ---- | M] (OPC Foundation) [On_Demand | Stopped] -- C:\Windows\System32\OpcEnum.exe -- (OpcEnum)
SRV - [2008/09/29 13:49:46 | 000,066,848 | ---- | M] (Rockwell Automation Inc.) [Auto | Running] -- C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe -- (FTActivationBoost)
SRV - [2008/07/14 20:06:30 | 000,061,493 | ---- | M] (SIEMENS AG) [Auto | Running] -- C:\Program Files\Siemens\Step7\S7BIN\s7hspsvx.exe -- (s7hspsvx)
SRV - [2008/05/27 13:20:38 | 000,070,952 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Rockwell Software\RSLinx\dnwhodisp.exe -- (dnWhoDisp)
SRV - [2008/05/24 11:25:12 | 000,202,024 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE -- (Harmony)
SRV - [2008/04/17 02:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Disabled | Stopped] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2008/04/16 18:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2008/04/11 03:51:58 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/02/06 16:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2008/01/29 12:09:58 | 000,165,416 | ---- | M] (WildTangent, Inc.) [Disabled | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/03 20:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/23 18:27:16 | 000,066,928 | ---- | M] () [Disabled | Stopped] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/03/09 00:00:30 | 000,317,592 | ---- | M] (SafeNet, Inc.) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe -- (SentinelKeysServer)
SRV - [2007/01/25 20:47:50 | 000,136,816 | ---- | M] () [Disabled | Stopped] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/12/21 06:30:02 | 000,206,400 | ---- | M] (SafeNet, Inc) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer)
SRV - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Disabled | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\System32\Drivers\VirtualBackplane.sys -- (VirtualBackplane)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys -- (IO_Memory)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Danian\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2011/12/06 21:06:28 | 000,021,464 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\fwkbdrtm.sys -- (fwkbdrtm)
DRV - [2011/10/11 18:13:20 | 000,343,888 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\SNTIE.SYS -- (SNTIE)
DRV - [2011/09/29 09:48:48 | 000,641,280 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\s7ousbu32x.sys -- (s7ousbu32x)
DRV - [2011/09/29 09:47:06 | 000,182,784 | ---- | M] (SIEMENS AG) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\s7otsadx32.sys -- (s7otsadx32)
DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/06/16 18:10:22 | 000,063,104 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\s7sn2srtx.sys -- (s7sn2srtx)
DRV - [2011/05/06 04:08:10 | 000,521,216 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\S7otranx32.sys -- (S7otranx32)
DRV - [2011/05/06 04:03:22 | 000,087,552 | ---- | M] (SIEMENS AG) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\S7odpx2x32.sys -- (S7odpx2x32)
DRV - [2011/04/19 18:22:04 | 000,288,256 | ---- | M] (SIEMENS AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\dpmconv32.sys -- (dpmconv)
DRV - [2011/04/19 18:20:28 | 000,140,288 | ---- | M] (SIEMENS AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsnl2ada32.sys -- (vsnl2ada)
DRV - [2011/04/07 16:20:42 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/07/27 07:14:58 | 006,842,464 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC)
DRV - [2010/03/22 19:35:44 | 000,072,248 | ---- | M] (SIEMENS AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\DPMTRCDD32.sys -- (Dpmtrcdd)
DRV - [2010/03/11 04:17:14 | 000,025,088 | ---- | M] (TeamViewer GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\teamviewervpn.sys -- (teamviewervpn)
DRV - [2010/03/01 15:51:54 | 000,031,232 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\s7opcsrtx.sys -- (S7opcsrtx)
DRV - [2009/06/12 19:07:44 | 000,020,742 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\Ckldrv.sys -- (NetworkX)
DRV - [2009/05/14 14:49:34 | 000,093,312 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV - [2009/05/14 14:47:14 | 000,107,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/05/14 14:41:10 | 000,114,472 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamon.sys -- (eamon)
DRV - [2009/03/30 08:38:20 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2009/03/30 08:38:18 | 000,105,344 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2009/03/30 08:38:00 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2009/03/24 13:14:33 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2009/02/24 16:39:58 | 000,073,088 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\s7snsrtx.sys -- (s7snsrtx)
DRV - [2009/01/14 17:46:04 | 000,077,824 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2009/01/08 12:06:20 | 000,055,808 | ---- | M] (ELTIMA Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\evserial.sys -- (evserial)
DRV - [2009/01/08 12:06:20 | 000,027,648 | ---- | M] (ELTIMA Software) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\evsbc.sys -- (VSBC)
DRV - [2008/07/05 20:19:52 | 000,155,440 | ---- | M] (Rockwell Software Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\rsserial.sys -- (RSSERIAL)
DRV - [2008/07/05 20:19:50 | 000,039,067 | ---- | M] (Rockwell Software Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\RSIKT.SYS -- (RsiKtControl)
DRV - [2008/04/28 19:59:18 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2008/04/23 03:36:32 | 003,551,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/04/18 03:54:16 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/15 12:05:08 | 000,118,784 | ---- | M] (Realtek Corporation                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/04/11 00:25:30 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
DRV - [2008/01/18 11:22:00 | 000,009,216 | ---- | M] (Inventec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\PEDRV.SYS -- (SVRPEDRV)
DRV - [2007/12/14 13:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/11/09 17:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/22 12:01:48 | 000,693,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\hardlock.sys -- (Hardlock)
DRV - [2006/11/22 12:01:48 | 000,100,096 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\aksusb.sys -- (aksusb)
DRV - [2006/11/22 12:01:46 | 000,327,168 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\akshasp.sys -- (akshasp)
DRV - [2006/11/20 16:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 01:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/11/09 01:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)
DRV - [2006/10/30 14:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie)
DRV - [2005/07/04 14:04:30 | 000,068,280 | ---- | M] (Siemens AG) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dpmcslv.sys -- (dpmcslv)
DRV - [2004/05/05 01:25:02 | 000,023,296 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\U2S2KXP.sys -- (U2SP)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{39536349-5AF7-423C-9CFB-C89A617027E7}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSHB
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {39536349-5AF7-423C-9CFB-C89A617027E7}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{39536349-5AF7-423C-9CFB-C89A617027E7}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSHB_en
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin: C:\Users\Danian\AppData\Local\Citrix\Plugins\92\npappdetector.dll (Citrix Online)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Danian\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\electronicarts.com/GameFacePlugin: C:\Users\Danian\AppData\Roaming\Electronic Arts\Game Face\npGameFacePlugin.dll (Electronic Arts)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2009/08/04 08:00:40 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2013/02/17 10:35:59 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [S7UB Start] C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe (SIEMENS AG)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [WinCC flexible Smart Start] C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe (SIEMENS AG)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Agilent\IO Libraries Suite\LxiMdnsNsp.dll (Agilent Technologies, Inc.)
O15 - HKCU\..Trusted Domains: celeros2003sbs ([]file in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.243.0.12 71.250.0.12 192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BDC1A98C-1873-47CC-8572-8065410C042B}: DhcpNameServer = 71.243.0.12 71.250.0.12 192.168.1.2
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img22.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img22.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.CSCD - C:\Windows\System32\camcodec.dll (RenderSoft Software)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.i420 - C:\Windows\System32\lvcodec2.dll (Logitech Inc.)
 
 CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/02/17 16:35:25 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Danian\Desktop\OTL.exe
[2013/02/17 10:40:33 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/02/17 10:40:24 | 000,000,000 | ---D | C] -- C:\Users\Danian\AppData\Local\temp
[2013/02/17 10:16:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/02/17 10:16:14 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/02/17 10:16:14 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/02/17 10:15:58 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013/02/17 10:15:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/02/17 10:14:29 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/02/17 10:12:19 | 005,033,715 | R--- | C] (Swearware) -- C:\Users\Danian\Desktop\ComboFix.exe
[2013/02/16 19:34:37 | 000,000,000 | ---D | C] -- C:\Users\Danian\Desktop\mbar
[2013/02/16 19:29:47 | 000,000,000 | ---D | C] -- C:\Users\Danian\Desktop\mbamrtkt
[2013/02/15 16:02:05 | 000,000,000 | ---D | C] -- C:\Users\Danian\Desktop\dds logs
[2013/02/15 15:39:34 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Danian\Desktop\dds.com
[2013/02/15 12:58:26 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\Danian\Desktop\aswMBR.exe
[2013/02/15 12:03:59 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/02/15 12:03:44 | 000,000,000 | ---D | C] -- C:\JRT
[2013/02/15 12:00:09 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Danian\Desktop\TFC.exe
[2013/02/15 11:59:32 | 000,547,384 | ---- | C] (Oleg N. Scherbakov) -- C:\Users\Danian\Desktop\JRT.exe
[2013/02/13 08:20:47 | 000,000,000 | ---D | C] -- C:\Users\Danian\AppData\Roaming\SUPERAntiSpyware.com
[2013/02/13 08:20:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2013/02/13 08:20:31 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2013/02/13 08:20:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2013/02/12 18:59:54 | 000,262,560 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/02/12 18:59:31 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/02/12 18:59:31 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/02/12 18:59:31 | 000,094,112 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/02/12 18:57:31 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/02/12 18:57:30 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/02/12 18:57:30 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/02/12 18:57:30 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/02/12 18:57:30 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/02/12 18:57:28 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/02/12 18:57:28 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/02/12 18:57:24 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/02/12 18:47:35 | 002,048,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/02/12 18:47:33 | 003,550,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2013/02/12 18:47:32 | 003,602,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/02/12 18:47:05 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2013/02/05 14:23:32 | 000,000,000 | ---D | C] -- C:\Program Files\Citrix
[2013/02/05 14:22:29 | 000,000,000 | ---D | C] -- C:\Users\Danian\AppData\Local\Citrix
[2013/02/05 13:30:42 | 000,000,000 | ---D | C] -- C:\Users\Danian\Documents\edesign752
[2013/01/29 18:22:07 | 000,000,000 | ---D | C] -- C:\Users\Danian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discovery Freelancer
[2013/01/29 18:10:04 | 000,000,000 | ---D | C] -- C:\Users\Danian\AppData\Local\Discovery Freelancer 4.86.0
[2013/01/29 13:43:45 | 000,000,000 | ---D | C] -- C:\Users\Danian\Documents\AltheaValvePulseTest
[2013/01/29 13:40:51 | 000,000,000 | ---D | C] -- C:\Users\Danian\Documents\Hospira
[2013/01/25 17:58:10 | 000,000,000 | ---D | C] -- C:\Users\Danian\Documents\My Games
[2013/01/25 17:58:07 | 000,000,000 | ---D | C] -- C:\Users\Danian\AppData\Local\Freelancer
[2013/01/25 17:52:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Games
 
========== Files - Modified Within 30 Days ==========
 
[2013/02/17 16:35:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Danian\Desktop\OTL.exe
[2013/02/17 16:32:10 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/17 16:32:08 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/17 16:31:38 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/02/17 16:31:37 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/02/17 16:31:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/02/17 16:31:27 | 1876,783,104 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/17 10:35:59 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/02/17 10:12:44 | 005,033,715 | R--- | M] (Swearware) -- C:\Users\Danian\Desktop\ComboFix.exe
[2013/02/16 19:33:49 | 013,711,621 | ---- | M] () -- C:\Users\Danian\Desktop\mbar-1.01.0.1020.zip
[2013/02/15 15:39:38 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Danian\Desktop\dds.com
[2013/02/15 14:01:25 | 000,000,512 | ---- | M] () -- C:\Users\Danian\Desktop\MBR.dat
[2013/02/15 12:59:36 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\Danian\Desktop\aswMBR.exe
[2013/02/15 12:00:09 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Danian\Desktop\TFC.exe
[2013/02/15 11:59:44 | 000,587,671 | ---- | M] () -- C:\Users\Danian\Desktop\AdwCleaner.exe
[2013/02/15 11:59:33 | 000,547,384 | ---- | M] (Oleg N. Scherbakov) -- C:\Users\Danian\Desktop\JRT.exe
[2013/02/14 08:36:34 | 000,000,949 | ---- | M] () -- C:\Users\Danian\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2013/02/14 08:36:29 | 000,693,436 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/02/14 08:36:29 | 000,139,828 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/02/13 08:20:41 | 000,001,811 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2013/02/12 19:10:21 | 000,485,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/02/12 18:59:17 | 000,094,112 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/02/12 18:59:14 | 000,861,088 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npdeployJava1.dll
[2013/02/12 18:59:14 | 000,262,560 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/02/12 18:59:14 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/02/12 18:59:14 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/02/12 18:59:13 | 000,782,240 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2013/02/05 14:24:05 | 000,002,300 | ---- | M] () -- C:\Users\Danian\Desktop\GoToMeeting Quick Connect.lnk
[2013/01/26 23:01:49 | 000,000,165 | ---- | M] () -- C:\Windows\p7vrvisx.INI
[2013/01/25 17:56:36 | 000,001,101 | ---- | M] () -- C:\Users\Danian\Desktop\Freelancer.exe - Shortcut.lnk
[2013/01/23 10:24:23 | 000,005,648 | ---- | M] () -- C:\Windows\DS500.INI
 
========== Files Created - No Company Name ==========
 
[2013/02/17 10:16:14 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/02/17 10:16:14 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/02/17 10:16:14 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/02/17 10:16:14 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/02/17 10:16:14 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/02/16 19:31:41 | 013,711,621 | ---- | C] () -- C:\Users\Danian\Desktop\mbar-1.01.0.1020.zip
[2013/02/15 14:01:25 | 000,000,512 | ---- | C] () -- C:\Users\Danian\Desktop\MBR.dat
[2013/02/15 11:59:44 | 000,587,671 | ---- | C] () -- C:\Users\Danian\Desktop\AdwCleaner.exe
[2013/02/13 14:08:31 | 1876,783,104 | -HS- | C] () -- C:\hiberfil.sys
[2013/02/13 08:21:03 | 000,000,886 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/13 08:20:58 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/13 08:20:41 | 000,001,811 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2013/02/05 14:24:05 | 000,002,300 | ---- | C] () -- C:\Users\Danian\Desktop\GoToMeeting Quick Connect.lnk
[2013/01/25 17:56:36 | 000,001,101 | ---- | C] () -- C:\Users\Danian\Desktop\Freelancer.exe - Shortcut.lnk
[2013/01/06 10:25:42 | 000,000,032 | R--- | C] () -- C:\ProgramData\hash.dat
[2012/08/02 13:55:31 | 000,000,162 | ---- | C] () -- C:\Windows\Filetran.ini
[2012/06/19 11:48:52 | 000,000,059 | ---- | C] () -- C:\Windows\TWXBgTrend.INI
[2012/06/19 11:48:52 | 000,000,039 | ---- | C] () -- C:\Windows\SymbolLibrary.INI
[2011/12/06 21:11:30 | 000,036,688 | ---- | C] () -- C:\Windows\System32\s7200L2.dll
[2011/11/23 09:15:45 | 000,000,049 | ---- | C] () -- C:\Windows\Iconics.ini
[2011/11/21 09:33:03 | 000,000,189 | ---- | C] () -- C:\Windows\Twx32.INI
[2011/11/21 08:54:41 | 000,000,197 | ---- | C] () -- C:\Windows\System32\REGINFO.DAT
[2011/06/14 17:20:36 | 000,405,504 | ---- | C] () -- C:\Windows\System32\sn_regbase.dll
[2011/04/14 13:42:10 | 000,000,059 | ---- | C] () -- C:\Windows\TWXBGT~1.INI
[2011/04/14 12:16:50 | 000,000,054 | ---- | C] () -- C:\Windows\DBConfigWizard.INI
[2011/04/14 12:03:37 | 000,000,004 | ---- | C] () -- C:\Windows\vx86036.dat
[2011/04/14 12:01:00 | 000,000,094 | ---- | C] () -- C:\Windows\Crypkey.ini
[2011/04/14 12:00:22 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2011/04/14 12:00:22 | 000,020,742 | ---- | C] () -- C:\Windows\System32\Ckldrv.sys
[2011/04/14 12:00:22 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2011/04/14 12:00:22 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2011/04/06 18:34:00 | 000,627,724 | ---- | C] () -- C:\Windows\System32\drivers\fw_5711n.bin
[2010/02/24 08:17:45 | 000,014,848 | ---- | C] () -- C:\Users\Danian\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/08 19:21:16 | 000,000,680 | ---- | C] () -- C:\Users\Danian\AppData\Local\d3d9caps.dat
[2009/03/24 12:20:26 | 000,000,094 | ---- | C] () -- C:\Users\Danian\AppData\Local\fusioncache.dat
 
========== ZeroAccess Check ==========
 
[2006/11/02 07:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 01:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Custom Scans ==========
 
<  %SYSTEMDRIVE%\*.* >
[2009/10/29 12:18:30 | 003,720,176 | ---- | M] () -- C:\1
[2010/09/24 08:17:01 | 000,000,260 | RHS- | M] () -- C:\386SWAP.PAR
[2009/08/03 07:48:17 | 000,004,252 | ---- | M] () -- C:\aaw7boot.log
[2013/02/15 12:02:08 | 000,001,605 | ---- | M] () -- C:\AdwCleaner[R1].txt
[2013/02/15 15:23:16 | 000,000,778 | ---- | M] () -- C:\AdwCleaner[R2].txt
[2013/02/16 16:01:18 | 000,000,837 | ---- | M] () -- C:\AdwCleaner[R3].txt
[2013/02/17 12:08:04 | 000,000,896 | ---- | M] () -- C:\AdwCleaner[R4].txt
[2013/02/15 12:54:03 | 000,001,494 | ---- | M] () -- C:\AdwCleaner[S1].txt
[2011/06/01 13:44:52 | 000,000,000 | ---- | M] () -- C:\AFU_PreSelectDOM.xml
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2008/05/05 04:49:23 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2013/02/17 10:40:23 | 000,011,444 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 07:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 07:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2010/09/24 08:17:01 | 000,000,320 | RHS- | M] () -- C:\EVRSI.SYS
[2007/03/08 19:41:10 | 197,644,920 | ---- | M] () -- C:\E_Designer_7_30.zip
[2012/01/12 12:19:46 | 000,004,858 | ---- | M] () -- C:\GenLog.dat
[2007/11/07 07:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2013/02/17 16:31:27 | 1876,783,104 | -HS- | M] () -- C:\hiberfil.sys
[2007/11/07 07:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/11/07 07:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 07:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 07:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 07:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 07:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 07:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 07:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 07:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 07:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2009/03/24 15:17:17 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/11/21 14:08:32 | 000,000,686 | ---- | M] () -- C:\lic2_6495_FF4D_9DBD_0B97_A5.glic
[2011/11/21 13:02:36 | 000,000,749 | ---- | M] () -- C:\lic_6495_FF4D_9DBD_0B97_A5.glic
[2013/02/17 10:43:38 | 000,011,444 | ---- | M] () -- C:\log.txt
[2009/03/24 15:17:17 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2013/02/17 16:31:23 | 2190,577,664 | -HS- | M] () -- C:\pagefile.sys
[2010/10/08 07:28:37 | 000,003,687 | ---- | M] () -- C:\RASETUP.LOG
[2010/10/05 11:51:22 | 000,003,503 | ---- | M] () -- C:\RASETUP1.LOG
[2010/10/05 11:52:30 | 000,002,329 | ---- | M] () -- C:\RASETUP2.LOG
[2010/10/05 12:22:16 | 000,005,977 | ---- | M] () -- C:\RASETUP3.LOG
[2010/10/07 13:02:41 | 000,010,456 | ---- | M] () -- C:\RASETUP4.LOG
[2011/04/14 14:11:07 | 000,065,536 | ---- | M] () -- C:\TwxLogData.mdb
 
<  %systemroot%\*. /mp /s >
 
<  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
<  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-02-13 01:02:27
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 200 bytes -> C:\ProgramData\TEMP:DDE29E40

< End of report >



#8 Damiac

Posted 17 February 2013 - 05:01 PM

Here is Extras.Txt:

OTL Extras logfile created on: 2/17/2013 4:37:47 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Danian\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.75 Gb Total Physical Memory | 0.51 Gb Available Physical Memory | 29.38% Memory free
3.74 Gb Paging File | 2.21 Gb Available in Paging File | 59.16% Paging File free
Paging file location(s): ?:\pagefile.sys
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 141.69 Gb Total Space | 59.25 Gb Free Space | 41.82% Space Free | Partition Type: NTFS
 
Computer Name: DAMIAN-LAPTOP | User Name: Danian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2480003400-1380318090-1198948173-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- ()
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{037EFA39-3142-4BA5-A9FC-C57A7275FF73}" = rport=445 | protocol=6 | dir=out | app=system |
"{0CC5EEED-F21A-4F1E-881B-C5AC1A0026EB}" = rport=10244 | protocol=6 | dir=out | app=system |
"{0DB0CCDE-0F3B-4F39-B7B8-7709ECE4B273}" = lport=319 | protocol=17 | dir=out | name=lxiallow |
"{0EE16F8A-1A7B-4FA6-9816-FF49EF2CF701}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1523BC69-8A87-462D-87F7-55456CADE1A1}" = lport=5044 | protocol=6 | dir=out | name=lxiallow |
"{18A7DED4-D6D5-4238-AD9E-7BBF96E3EC82}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{20726CDD-4017-468A-AC83-A0BCB8295438}" = rport=10244 | protocol=6 | dir=out | app=system |
"{2B060A47-A585-4FF2-90B5-727D28A5BAD7}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2E9FB63F-C0C7-4BAE-99A2-B747A7478DA1}" = lport=5044 | protocol=6 | dir=in | name=lxiallow |
"{33248AAE-29B1-4874-A5E4-825CEB111499}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{3D381132-0CD8-4C2D-B343-5EF302F146C5}" = lport=139 | protocol=6 | dir=in | app=system |
"{3F1835C9-B3D6-4A92-A6A1-1EBBEC0385DF}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{53A72EA7-F7C9-4251-AA55-CD7BFCD3ECE1}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{5744B4DA-7391-41DF-A654-1088D8056CDB}" = lport=320 | protocol=17 | dir=out | name=lxiallow |
"{5F8CB7B9-F0DC-49D6-85A7-6FC82F9E7708}" = lport=4410 | protocol=6 | dir=in | name=automation license management |
"{6137251A-1EB0-4A68-ACA4-CC8F4E7F5BB2}" = lport=10244 | protocol=6 | dir=in | app=system |
"{620B28C1-70B3-44B7-A7F8-6AB2C6128B7E}" = lport=10244 | protocol=6 | dir=in | app=system |
"{68C24B44-2A45-4408-A9D1-F10E8AE47955}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{6FF5EEE9-886D-4460-85D0-D7C64C9F0164}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{7900A499-60C1-4B88-BE63-98980D4F3BC3}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{82952D8A-977A-438A-A39E-7BBBDE71CF0B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{83243B90-1CB6-4126-827F-A4190CA949E6}" = lport=135 | protocol=6 | dir=in | name=dcom |
"{89AF27B7-26E5-4793-9D00-B0E539FBCA74}" = lport=445 | protocol=6 | dir=in | app=system |
"{94CE28A0-80A7-486C-8742-E3FE3532C1D2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{9B5035C9-128A-4470-85FF-B3EF59FD107F}" = lport=111 | protocol=17 | dir=in | name=sunrpcallow |
"{A2575E73-79BE-4B94-8B04-30F56F582520}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{A3311230-D690-4EEF-8DC5-EA4B375196F5}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{A38DA2CC-A7DD-4D68-BD76-BF5F4CD6FD89}" = lport=5044 | protocol=17 | dir=in | name=lxiallow |
"{A5E1329F-D27E-418A-8B55-4035124F66E4}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{A718BE65-42D2-44B5-BC5B-0A3C1C8256A7}" = lport=137 | protocol=17 | dir=in | app=system |
"{AE4B593F-81EA-4FFE-B556-D633A5FFA5B8}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{AEBEB27D-26C7-4DAB-9668-83795689E6F2}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{B5C39B4C-9675-48A5-AC0B-664C9A44514A}" = rport=138 | protocol=17 | dir=out | app=system |
"{B6DEC936-FA62-4CA2-A787-290244239441}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{B8265727-4144-4965-A708-291FF46E0547}" = rport=139 | protocol=6 | dir=out | app=system |
"{BB00816C-8D78-4549-9E82-D16313BE67AF}" = lport=4410 | protocol=6 | dir=in | name=automation license management |
"{BB5EE102-46DC-47E2-8B26-F2B4F6E3C5E2}" = rport=137 | protocol=17 | dir=out | app=system |
"{BD6D05E6-F0BD-4F30-8BE8-84C54BA9C9A4}" = lport=320 | protocol=17 | dir=in | name=lxiallow |
"{BF2635BD-F775-4E9D-89AA-F0FECA69C27A}" = lport=319 | protocol=17 | dir=in | name=lxiallow |
"{C771CF59-6604-48B8-987D-D36FD41DB8A6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CA5115D7-7BBC-45EE-92ED-A332E392A0BB}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{CCA21780-8360-4B59-A702-640F900C95F6}" = lport=3390 | protocol=6 | dir=in | app=system |
"{D0AA8CA7-0492-4E80-BD1A-95BFF99FE9F2}" = lport=111 | protocol=6 | dir=in | name=sunrpcallow |
"{D685CB0C-1A5B-4702-BFE2-D2AA92499808}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D9EA2077-4182-4D8B-8EED-7D6E9837A4CE}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{DF701245-CDC1-485F-9145-86CE5E1C4957}" = lport=5044 | protocol=17 | dir=out | name=lxiallow |
"{DFDA647F-DAD9-4E20-8AEE-AAE46153D224}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E3FB710B-897F-4294-9588-ED520D2D8248}" = lport=138 | protocol=17 | dir=in | app=system |
"{EBAB4602-D9C6-4C4F-AD23-678425F23EB9}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F090CBE8-0022-4907-AD4E-F9BEEAEACA8E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{FABFFD85-3B08-43E0-A5FA-4AE91D67A5CA}" = lport=3390 | protocol=6 | dir=in | app=system |
"{FE09E842-C23C-4349-8872-67D4C8F862B7}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{FE732DAC-6A30-4E36-A0F9-855D9C4DB13A}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01BC2F01-4622-428B-9A88-A1B1881C8BED}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\setupex.exe |
"{01EDB30D-4487-49E8-827B-60057D489782}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\genregmon.exe |
"{022E48CB-FD07-49E9-AF15-904E74468E76}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\awxlog32.exe |
"{046C274D-1978-4022-97EF-4AAD22387E48}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{04BBDB16-EF43-4C28-8476-9888207D5D53}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\monitorworx.exe |
"{05675C2D-75C9-43B4-A2F4-6CC100E0359E}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\appsetuputility.exe |
"{09564665-63DE-4F13-A2DF-CE1416133FBD}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\bacnetsimulator.exe |
"{0C31CC82-3B27-461B-A01C-BE337C2D398B}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\icoremotedbagent.exe |
"{13850290-557B-425A-8A92-0EA798816B4F}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\security.exe |
"{1426A120-8754-42DC-AEBE-D883BA7BC06D}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{1476D3D7-4FBA-4ADD-B0C2-050B5C915D88}" = protocol=6 | dir=in | app=c:\program files\siemens\step7\s7bin\s7tgtopx.exe |
"{159CF615-B562-4615-A588-F294BB7DE029}" = protocol=17 | dir=in | app=c:\program files\rockwell software\rslogix 5000\enu\v17\bin\rs5000.exe |
"{16B451D5-9A30-4DF3-8757-63126A900D68}" = protocol=1 | dir=in | name=@firewallapi.dll,-26140 |
"{1788803D-E720-4EBA-B3C7-75C55AF97C84}" = protocol=6 | dir=in | app=c:\program files\common files\siemens\sqlany\dbsrv9.exe |
"{17B874F3-C517-46A0-B428-49DEAF6A97CE}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\lasconfig.exe |
"{18634B62-C21F-4658-A6B3-8026E847F9A7}" = protocol=17 | dir=in | app=c:\program files\stardock games\sins of a solar empire\sins of a solar empire.exe |
"{1C235689-CAAD-40F6-B1DD-4C455E185190}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\securekeycnfg.exe |
"{1DBDE089-C0AE-47C5-8121-4A82274B914B}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{1DCE83D2-5F61-46BA-A360-4F1111CDA354}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\genbrokerconf.exe |
"{1F15C9E8-BCF9-46BC-BFF6-615355FFFF61}" = protocol=17 | dir=in | app=c:\program files\rockwell software\rslogix 5000\enu\v18\bin\rs5000.exe |
"{205F1CC1-2740-4591-8E90-AB66200FDCEB}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\dbopcserverruntime.exe |
"{20905428-10B5-4CC5-AEB1-3E7A20142F65}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\stopgenesis.exe |
"{209813C6-8C71-470C-AA76-DC281984C2B0}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{2602E4AF-C5FD-40DA-9BEE-89DD52A75984}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\awxlog32.exe |
"{26C2C56F-493E-489A-85D6-261A79AE67D5}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\icofirewallutility.exe |
"{284AB677-0F25-4223-84F3-D27C96D04A54}" = protocol=6 | dir=in | app=c:\program files\rockwell software\rslogix 5000\enu\v18\bin\rs5000.exe |
"{2879B6D4-2502-4A2B-B445-C9255998F9BC}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\icodatarelayserver.exe |
"{2A39198C-6FD4-4E1E-9F68-5A4239157FE2}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\genregistrarserver.exe |
"{2D37D832-8C8F-4CEB-B331-1C4AC2E9A1FA}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\bacnetruntime.exe |
"{30CC5261-93AA-43A5-B7A1-150CC211FE38}" = protocol=6 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2main.exe |
"{31D112A5-E89E-4B26-AF7C-BD65DD0305BC}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\icodatarelayserver.exe |
"{32BAAA5A-F9C4-4E38-8FAA-8D272C560821}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{33A44CA1-3B2D-479B-8C06-88F5730D27CC}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\dbopcserverconfigurator.exe |
"{34B76FF5-AB79-4544-92B4-10C356B937EF}" = protocol=6 | dir=in | app=c:\program files\rockwell software\rslogix 5000\enu\v16\bin\rs5000.exe |
"{35656F11-4D31-47EF-AA8F-400F5517A80E}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\simopc.exe |
"{387E392C-D9BC-41E0-975E-AD7F2451684E}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\icofirewallutility.exe |
"{396D19AA-54A0-41BC-AE66-484CB3C39B45}" = protocol=6 | dir=in | app=c:\program files\rockwell software\rslinx\rslinx.exe |
"{3A4821C7-9090-42F2-9139-31A6CDB3A312}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\rawdataproviderhost.exe |
"{3AA69892-4A77-4993-ADE2-5B82B64D810A}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version5\teamviewer.exe |
"{3BF0559E-5060-4427-B53C-7DDD3B48DF50}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{41646A14-AA41-4730-9180-19A8A3E383CF}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\genbroker.exe |
"{427EC4A3-622F-48BB-A75A-4F2F76377592}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\awx32svr.exe |
"{45B876D5-CC44-4934-8326-21C27317E1B5}" = protocol=6 | dir=in | app=c:\program files\stardock games\sins of a solar empire\sins of a solar empire.exe |
"{47F1655C-4269-466E-839D-7B31DE470DCC}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{4826EFCB-3886-4729-AB68-2E73CD58EDB0}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\monitorworxviewer.exe |
"{48F39C66-4BC8-45ED-8748-234641D97329}" = protocol=6 | dir=in | app=c:\windows\system32\s7otbxsx.exe |
"{49D455E8-C5D3-4A4F-83A9-CF5A93F952D4}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version5\teamviewer.exe |
"{4A92943E-726A-420C-A275-507D6123A65E}" = dir=in | app=c:\program files\common files\siemens\sws\almsrv\almsrvx.exe |
"{4E077DA9-D578-4716-8804-7FC4A004B334}" = protocol=17 | dir=in | app=c:\windows\system32\genagent.exe |
"{4F14403E-C9F0-4F32-9CD4-836AC67A5022}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\gentray.exe |
"{4FFD4389-A70B-4609-AE64-2C8DF2DE5120}" = dir=in | app=c:\program files\agilent\io libraries suite\bin\siclland.exe |
"{575CAD77-E96A-47F4-8E04-7D736644AA49}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\snmptrapserver.exe |
"{58596F3B-BD9A-435E-A540-D1EA64728A80}" = protocol=6 | dir=in | app=c:\windows\system32\genagent.exe |
"{5A6AAE0A-952E-40A7-A608-1BC4E3DFE542}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\lasengine.exe |
"{5AB52473-98B6-492B-9B0A-B2E39CBB85EA}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{5CE3F4CA-4DEC-4728-A1D6-88CA6D3775A7}" = dir=in | app=c:\program files\siemens\simatic wincc flexible\wincc flexible 2008\traceserver.exe |
"{5D78EF4C-7064-4BBD-A6E3-D8DC4285642B}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\facilityworxruntime.exe |
"{5EF2DBC9-4381-438F-B3DA-C621C82BC810}" = protocol=17 | dir=in | app=c:\program files\rockwell software\rslinx\rslinx.exe |
"{5FF0E5ED-A60B-42E8-8EE0-1646A2A74667}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\gasconfig.exe |
"{5FFEC06F-A35B-4440-A194-517EEF10C254}" = protocol=58 | dir=in | name=@firewallapi.dll,-26142 |
"{60CF418B-47DB-4F6D-BE4E-8F49737DE0ED}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\icoconfigserver.exe |
"{63856F2F-78CA-4407-A17A-17BA450EBFBA}" = protocol=6 | dir=in | app=c:\program files\siemens\step7\s7inf\s7usiapx.exe |
"{64031230-41A7-4673-8D43-8EBBBEFA668A}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\soapwizard.exe |
"{65B52B3F-D912-47B9-9F24-91CFEBBEF9A2}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{6777E5E7-57D3-4397-A796-0667BC5C317C}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\login.exe |
"{6796ACD9-425B-4CCF-B54E-581612236F4A}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\bacnetruntime.exe |
"{6826F67A-9206-4E90-9BB8-744AFBD72455}" = dir=in | app=c:\program files\siemens\simatic wincc flexible\wincc flexible 2008 runtime\miniweb.exe |
"{68CE8291-9E6A-4DAC-89E1-55258F693617}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\cks.exe |
"{692E5EFE-8A57-4271-B6EA-8D92C7CE15DA}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\dataspy.exe |
"{72DE0D9A-A448-4BF0-9210-888FE504AD46}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\udmruntime.exe |
"{7365DC1B-8559-4F86-A9B0-2A5F910E2A8F}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\monitorworxviewer.exe |
"{74CCFCFA-53D0-411D-A141-6FE2BE12AA55}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{74EB2255-74DA-4FF2-8731-6CE84848CDBC}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\facilityworxruntime.exe |
"{753F3CBE-188B-47BC-A687-D6DE78B6DD61}" = protocol=6 | dir=in | app=c:\program files\rockwell software\rslogix 5000\enu\v17\bin\rs5000.exe |
"{7623DD69-6462-4672-BF0B-FD31EFFEFE58}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\soapwizard.exe |
"{7803E059-61D0-4F28-87C0-04B97BF73510}" = dir=in | app=c:\program files\siemens\simatic wincc flexible\wincc flexible 2008 runtime\hmiload.exe |
"{7B590EA2-ECB6-4DF9-8D63-8796A936E49A}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\genregistrarserver.exe |
"{7BFEC3FE-8386-415D-AE52-30AAF3F3C212}" = protocol=6 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwupdate.exe |
"{7E2BF7CB-B548-4B35-956B-B02011848F9A}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\snmptrapserver.exe |
"{80D8909E-C048-43E8-912B-89A050FE888D}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\icoremotingserver.exe |
"{80E4A06C-8727-4208-9DC3-F86C8C1DADA1}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\securekeycnfg.exe |
"{81EAFBB7-C79C-4187-A366-B77281533736}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\awx32serverconfigurator.exe |
"{83D014A0-1F12-4AF4-B607-C5B9A8462E5B}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\scheduleworxruntime.exe |
"{8410D8F8-D123-4526-B456-2B183EC54CA1}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\dataspy.exe |
"{85FDB844-E1B9-4A34-8F73-23FD3735739C}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\lasconfig.exe |
"{91648F36-C926-46C7-9417-B46E47DCFA27}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\unibrowserds.exe |
"{946E8B66-7428-49F4-B106-875E96AE9AB2}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\gasclient.exe |
"{965DFBB0-898A-4DB8-B782-86592E8A4E48}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\icosecuredesktop.exe |
"{968EA6F4-854B-4FC6-B736-CCAF2F1EEC19}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\utmruntime.exe |
"{98935C13-AA08-49A1-BEBF-82E30C69E8BE}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\simopc.exe |
"{98C0C6F3-D3C5-44CC-93E5-4EFE35484645}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\snmpconfigurator.exe |
"{9BFCA504-4C2B-4145-95C6-0A4660659C5F}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\genbroker.exe |
"{9E7BB3B3-577B-4EF4-8437-5CFDF9F68190}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\scheduleworxruntime.exe |
"{9FC11818-1300-4CEA-A70D-4D4A8B551469}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\gasclient.exe |
"{A073F267-D8CE-482D-8351-6E17604B24CF}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\dbopcserverconfigurator.exe |
"{A3C71BED-1300-4838-AD14-76A366197A58}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\genstatistics.exe |
"{A4E0C583-2391-4279-A350-90597F8BF593}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\genregmon.exe |
"{A5CAE787-27B2-45B4-AB61-6058ACD7D0EA}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\awx32serverconfigurator.exe |
"{A64A2C69-189C-4C65-B6A2-EECFBAC0EB49}" = protocol=6 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2main_amdxp.exe |
"{A6EC735C-F348-462A-91FE-110778F3B107}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\udmconfig.exe |
"{A792368B-0B41-4EB3-8832-F3845E262FE2}" = dir=in | app=c:\program files\siemens\simatic wincc flexible\wincc flexible 2008 runtime\smartserver.exe |
"{AB10FF6B-98CF-49BC-8304-970B5B56B24D}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\stopgenesis.exe |
"{ABBE4933-40B5-4F42-A4CC-ED8F05BA8B24}" = protocol=17 | dir=in | app=c:\program files\siemens\step7\s7bin\s7tgtopx.exe |
"{ADA2CFC2-2075-44D9-80B3-6BB80AE504BA}" = dir=in | app=c:\program files\skype\plugin manager\skypepm.exe |
"{AFA1A27E-4A0C-4713-A780-B684F8430029}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\snmpruntime.exe |
"{B001EB9E-2E67-4469-ACAB-2477554BF032}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{B1333C89-A106-42E6-835C-E5AC60B7C797}" = protocol=17 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwupdate.exe |
"{B1C31D1B-8EBB-4CCE-BAD7-BFD5EB8311EF}" = protocol=17 | dir=in | app=c:\program files\rockwell software\rslogix 5000\enu\v16\bin\rs5000.exe |
"{B251D2BF-B460-45A1-91D9-35198F6EB423}" = protocol=17 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2server.exe |
"{B42F0961-4F63-4A02-9B9D-EE94CA69F79A}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{B69A9F5A-78DD-42E4-88E5-CE20C87883DB}" = protocol=17 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2main_amdxp.exe |
"{B7F19C43-B2C3-428D-B37A-5D8C14D19CDB}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\genstatistics.exe |
"{BA52E5BB-50EA-4D71-8D69-F9BB4AC41787}" = protocol=6 | dir=in | app=c:\windows\system32\opcenum.exe |
"{BBCC2480-90B9-45ED-AFC6-CAD11E57C1F2}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\genbrokerconf.exe |
"{BCFCC20A-0D28-4C0E-A986-7238970368D3}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\awxlogcfg.exe |
"{BE426413-FAC3-4361-ADF2-7A67C670BC00}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\scheduleworxconfigurator.exe |
"{BE615527-2265-41E0-8AA3-3960D028D8F6}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\udmruntime.exe |
"{C38E51D9-1390-41CB-A2BC-663C619E773D}" = protocol=17 | dir=in | app=c:\windows\system32\s7otbxsx.exe |
"{C3B57546-A627-49F3-9877-B1E18569B8A3}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\scheduleworxconfigurator.exe |
"{C5C9A862-51AF-40D7-A372-6F9C3D9CFC2C}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\unibrowser.exe |
"{C6967690-B384-48C9-9E6B-DD3A99598E04}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\monitorworx.exe |
"{C991786A-B146-40BA-854E-7361EFDD4EEE}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{C9C5BC65-A055-4158-B027-2A98FBCF22DE}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\cks.exe |
"{CA71D60A-D971-4208-8D46-C9BC84C2AA4B}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\gentray.exe |
"{CB2626E5-0E95-4D5A-BBFD-73E448686ECB}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\gasengine.exe |
"{CD1BADC5-CB16-4E8E-9711-D1CDF4294460}" = protocol=6 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2server.exe |
"{D26FF8B6-4B18-4545-A012-7C46BBD6DA89}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\snmpconfigurator.exe |
"{D67E987A-A1F5-47F0-84B9-E8692504478A}" = protocol=17 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2main.exe |
"{D6E89FD4-32E7-4C6B-A3D8-19367842B95D}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\unibrowserds.exe |
"{D961244E-B757-4350-9F82-DA81086688F9}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{D9722C59-5CF2-4B69-B4CC-018B15455D0C}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\security.exe |
"{DA32767E-C6EB-4AC2-9644-797C226A2366}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\icosecuredesktop.exe |
"{DA909A5B-641F-4FDE-94A8-034BD90856DC}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\udmconfig.exe |
"{DB809872-9649-4651-B748-34DCCEE307C1}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\gasengine.exe |
"{DDAA1922-626C-4EA8-AEEB-EF2D8C2C3CEC}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\awx32svr.exe |
"{DDE904A6-5DDC-4376-9870-95CD43608C4B}" = protocol=17 | dir=in | app=c:\program files\siemens\step7\s7inf\s7usiapx.exe |
"{DE5CDDC3-7397-4569-8DD1-AB32CC041578}" = dir=in | app=c:\program files\siemens\simatic wincc flexible\wincc flexible 2008\hmies.exe |
"{DF58D25F-7528-454D-A0B2-F16AB0F83C86}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\gasconfig.exe |
"{DFA389D3-593B-4EB6-8617-0443B94A260C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E0DFD540-37FF-4A21-A708-5A8BE9F47870}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\unibrowser.exe |
"{E3B48C94-9C69-43E4-AA0B-9630B671BDD2}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\login.exe |
"{EE0BE189-7620-4B9F-A1B1-01EC4EDC90AB}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\lasengine.exe |
"{EE5CD486-20EB-4EF6-A86C-3A3870EE6898}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\awxlogcfg.exe |
"{EF60E8A3-99C1-4919-BCF0-B65C71F325B1}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\icoremotedbagent.exe |
"{F2F44D7D-9AEA-4B56-B64E-9379A2E59EE2}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{F30AE80A-2D75-4E19-A176-25FB1A9EB5C6}" = protocol=17 | dir=in | app=c:\windows\system32\opcenum.exe |
"{F3E479D6-44BF-418C-8783-348422A4028F}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\bacnetsimulator.exe |
"{F4429AAF-1040-4369-BB1E-5BB6F67C4353}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\icoremotingserver.exe |
"{F4CE40F8-9B58-4F8E-B87F-694330020DE7}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\icoconfigserver.exe |
"{F535332F-FC04-446F-BC7D-DF41D9B1EFD9}" = protocol=17 | dir=in | app=c:\program files\common files\siemens\sqlany\dbsrv9.exe |
"{F5CD29F4-D584-4D26-85FD-5D0CDFE22494}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\snmpruntime.exe |
"{FB2F66CA-DD5A-49D9-8AAB-5DA3D65F3919}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\rawdataproviderhost.exe |
"{FB390271-D52F-4683-B6AC-48DE06063E03}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\utmruntime.exe |
"{FEA95698-2618-4451-B87F-66C69A3FCB4F}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\appsetuputility.exe |
"{FEC26C8C-F141-4020-AA26-18D64A260E2A}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{FF940F17-E9D7-4D6D-AE2D-BFB5DCBE60F1}" = protocol=17 | dir=in | app=c:\program files\common files\iconics\setupex.exe |
"{FFCADAA9-E412-4CCD-968A-2A6CF8E4681F}" = protocol=6 | dir=in | app=c:\program files\common files\iconics\dbopcserverruntime.exe |
"TCP Query User{02FD3F06-B523-4A8D-A81B-AB369A4A0288}C:\program files\starcraft\starcraft.exe" = protocol=6 | dir=in | app=c:\program files\starcraft\starcraft.exe |
"TCP Query User{28B9B36C-5EE7-4729-A140-B90650B3E071}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{34EBC002-D8D5-4064-AECF-F6560FE1E787}C:\program files\e-designer\e-designer 7\panels\opsim.exe" = protocol=6 | dir=in | app=c:\program files\e-designer\e-designer 7\panels\opsim.exe |
"TCP Query User{628EF60F-F4F6-45A8-9DD4-5F1DA4FDF2B6}C:\users\danian\documents\e1101 firmware\spv1.50_ceb174_iml.exe" = protocol=6 | dir=in | app=c:\users\danian\documents\e1101 firmware\spv1.50_ceb174_iml.exe |
"TCP Query User{9436CD1C-AA6D-4988-A272-4A0918D5E952}C:\program files\rockwell software\bootp-dhcp server\bootpserver.exe" = protocol=6 | dir=in | app=c:\program files\rockwell software\bootp-dhcp server\bootpserver.exe |
"TCP Query User{DE496D21-7BFA-4190-8E61-65A9BC89C086}C:\users\danian\appdata\local\discovery freelancer 4.86.0\exe\freelancer.exe" = protocol=6 | dir=in | app=c:\users\danian\appdata\local\discovery freelancer 4.86.0\exe\freelancer.exe |
"TCP Query User{EFB90107-10E0-45B6-BEA4-60F0F20FC6E6}C:\program files\common files\siemens\sqlany\dbsrv9.exe" = protocol=6 | dir=in | app=c:\program files\common files\siemens\sqlany\dbsrv9.exe |
"UDP Query User{3A947711-66EB-49EE-92B4-18A21D9F057C}C:\program files\e-designer\e-designer 7\panels\opsim.exe" = protocol=17 | dir=in | app=c:\program files\e-designer\e-designer 7\panels\opsim.exe |
"UDP Query User{45EC4B9E-AC93-47BF-AFAD-DFD085D4B965}C:\program files\common files\siemens\sqlany\dbsrv9.exe" = protocol=17 | dir=in | app=c:\program files\common files\siemens\sqlany\dbsrv9.exe |
"UDP Query User{78C33BFD-2609-4B9D-8D35-6C095EF839F1}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{8A035FFD-C098-43D9-9A73-BB05D3563B36}C:\users\danian\appdata\local\discovery freelancer 4.86.0\exe\freelancer.exe" = protocol=17 | dir=in | app=c:\users\danian\appdata\local\discovery freelancer 4.86.0\exe\freelancer.exe |
"UDP Query User{8CC3ABFB-51A3-4229-9B0C-E626F018B63C}C:\program files\starcraft\starcraft.exe" = protocol=17 | dir=in | app=c:\program files\starcraft\starcraft.exe |
"UDP Query User{A1B66340-F764-4F0A-8AD9-76488F6EBCB4}C:\program files\rockwell software\bootp-dhcp server\bootpserver.exe" = protocol=17 | dir=in | app=c:\program files\rockwell software\bootp-dhcp server\bootpserver.exe |
"UDP Query User{AB389E07-EF16-4152-91AC-31419C34E54B}C:\users\danian\documents\e1101 firmware\spv1.50_ceb174_iml.exe" = protocol=17 | dir=in | app=c:\users\danian\documents\e1101 firmware\spv1.50_ceb174_iml.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0060103A-624B-4C9D-9EDF-0AB4778517E6}" = Rockwell Automation Stratix 8000 Module Profiles
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{02041637-7BBA-490C-924A-C0CA06C736C1}" = Rockwell Automation DIO DeviceNet Safety Module Profile
"{034052A5-AB27-417C-A626-C282777ED9C4}" = Rockwell Automation 1738 ControlNet Adapter Module Profile
"{04107B50-CCF1-11D3-931C-00108301D203}" = Faux Agilent IO Libraries
"{0463FF29-62B7-48E4-9B11-D8617C398973}" = Rockwell Automation Drives PowerFlex 7 Module Profiles
"{07C9627A-CA0B-2AA2-062E-204359DF7BA1}" = Catalyst Control Center Core Implementation
"{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}" = TOSHIBA ConfigFree
"{0EFB2016-41D2-5F30-8F60-25250F6DABDD}" = CCC Help Thai
"{10000018-D5FD-11DA-A128-000C29473C90}" = RSLogix 5000 Start Page Media v18.00.00
"{10E0724C-11ED-45C8-AD4D-2D6FC6B304BF}_is1" = Vega Strike version .5.1
"{10F59C8B-04CD-45FB-89F5-BF58454A5C0F}" = Parker Isysnet Discrete Module Profiles 3
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{12424E92-42BD-46B6-927E-2B1B495D7705}" = RSLogix 5000 Module Profile Setup Utility
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{16115E10-502B-4EA0-BD39-4DA329AD89E2}" = BELKIN F5U109
"{179D679D-047F-491D-8783-D4BE596D2242}" = Visual Basic for Applications ® Core
"{18418F5A-52EB-4CC4-88D7-72F5C484F0AC}" = Rockwell Automation 1738 Discrete Module Profiles 3
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19AB666A-5C21-48B2-9C35-F3BE04362A12}" = Rockwell Automation Drives SCANport Module Profiles
"{1BF926B1-129B-41FD-B8A4-BD734CBCF886}" = RSLogix 5000 Module Profile Core System Updates
"{1C11105F-BC83-4A4D-90C0-DD147A47F731}" = Rockwell Automation 1734 Specialty Module Profiles
"{1DB8FED6-2994-4DD6-9034-19C23A1269D3}" = Rockwell Automation 1734 Analog Module Profiles 2
"{1DB9CD41-5475-4303-9ECD-35A88F3F5E7D}" = Rockwell Automation 1734 Ethernet Adapter Module Profile
"{1DDB612C-FF8B-4AA5-84D5-55E66812B6AF}" = Rockwell Automation 1769 Controller Module Profiles
"{1E57A11B-AB65-C6D1-F999-B3B37AB2298E}" = Catalyst Control Center Localization Japanese
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F9890BC-7430-4569-ADC2-DF3CF48A48F8}" = RSLogix 5000 Setup Installer
"{20010018-D5FD-11DA-A128-000C29473C90}" = RSLogix 5000 Online Books v18.00.00
"{21F18031-FD38-43AB-B32C-C547AFCC3909}" = RSLogix 5000 Module Profile Core
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83217013FF}" = Java 7 Update 13
"{27265B80-303E-EFFF-6052-B11F91B634C3}" = Catalyst Control Center Localization Italian
"{2838043E-63EF-44A4-B3A8-17B8129BD5BD}" = WinCC flexible Graphics
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{2920435D-CE92-5024-1694-DFD43A5FF074}" = Catalyst Control Center Localization Greek
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (WINCCFLEXEXPRESS)
"{2B040F78-8D1E-439F-8A00-7DE8F256F38E}" = Rockwell Automation 1738 Specialty Module Profiles
"{2CD6D3D2-1EFC-F0B4-1761-FD4FA7F8750F}" = CCC Help Finnish
"{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}" = ESET NOD32 Antivirus
"{30010017-EC33-11D6-A408-F6139379CBFB}" = RSLogix 5000 v17.00.00 (CPR 9 SR 1)
"{30010118-EC33-11D6-A408-F6139379CBFB}" = RSLogix 5000 v18.01.00 (CPR 9 SR 2)
"{30010316-EC33-11D6-A408-F6139379CBFB}" = RSLogix 5000 v16.03.00 (CPR 9)
"{34540622-805E-4CC7-98CF-65A43E99CF4D}" = RSLinx Classic 2.54.00 CPR 9 SR 1
"{35343FF7-939B-401A-87B3-FF90A5123D88}" = Microsoft XML Parser and SDK
"{358004B9-3A16-87FF-4487-4D6F0C70E52F}" = Catalyst Control Center Localization Russian
"{36B246D3-9DFC-43CB-852B-F2D4E4F40C0A}" = Rockwell Automation 1734 Discrete Module Profiles
"{37B567B5-9835-415A-B27B-1FCB55AF2A33}" = DriveExplorer
"{38A3E884-313A-7AE0-11BC-482DE0C8766A}" = CCC Help Czech
"{38D27C2E-27AD-46D7-BDFF-A30E88D28299}" = S4U Connector for SAP OLE DB Provider
"{3971E809-B631-4521-BAC2-24A05D2AD557}" = Rockwell Automation 48MS Vision Sensor Module Profiles
"{3BB12DBC-0A8E-ECE2-F179-D06B99B8CD02}" = Catalyst Control Center Localization Czech
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C3A921C-1DF0-4631-A084-062BDD3199C5}" = Rockwell Automation 1738 Discrete Module Profiles 4
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3C4A2704-A689-4B75-A813-6A3E49E2D4B7}" = Parker Isysnet Discrete Module Profiles
"{3E0E28DC-DA90-1BA2-FA36-AA3C2E4FB74A}" = Catalyst Control Center Graphics Previews Vista
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{4034A2EA-962E-495D-A48A-61EE0EEE977D}" = Parker Isysnet ControlNet Adapter Module Profile
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{42A3BFD6-6330-4183-A9A4-83F37B72269B}" = Rockwell Automation DIO DeviceNet Safety Module Profiles
"{4634B79A-3562-4AC0-B6A2-DF9E2D285EBC}" = ClearKeeper
"{467D0EAC-444A-4A14-948E-449C00D6F699}" = RSLogix 5000 System Updates
"{467FEC6E-A0D3-4585-A2A3-234807E64BFC}" = Drive Monitor Readme V5.4 + SP1 + HF1 
"{46F117BD-54CC-40F6-B3FB-6F613520261A}" = RSLogix5000 Data Preserved Download Tool
"{4859C171-B826-4B74-ABCE-501B4C725EA2}" = WinCC flexible
"{4866D596-CE65-4F7D-B98C-A28F8E9E13E5}" = Rockwell Automation 1756 CNet Comms Module Profiles
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{4BBDAB71-0634-4E2A-8E50-8860FB6BA220}" = FactoryTalk Activation Client 3.02 (CPR 9 SR 2)
"{4C90501F-864B-5AC4-867D-6AC35BE50721}" = ccc-utility
"{4F36D56B-9936-4F89-8635-7B06BA177947}" = SIMATIC S7 FM 350-1/450-1 Counter V6.0 + SP1 
"{4F36D56B-9936-4F89-8635-7B06BA177947}S7FCOUNT" = SIMATIC S7 FM 350-1/450-1 Counter V6.0 + SP1 
"{4FA8F969-674F-4940-856C-2BB4E709DA7F}" = Rockwell Automation 1769 ASCII Module Profiles
"{53EF8AD2-C827-4AF4-A752-4214901D5F02}" = Rockwell Automation 1734 ASCII Module Profiles
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{55398A75-13E0-570F-BD16-2EE5D9E5523D}" = Catalyst Control Center Localization Norwegian
"{56E4C35F-C104-4D37-81F5-D12E0E3ACC89}" = ControlFLASH
"{5783F2D7-8028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2010
"{57CC0444-C35D-49BA-A054-7719C19EF21D}" = Rockwell Automation Kinetix CIP Motion Drive Module Profiles
"{588DC473-0F95-42C4-BBF0-92CCE9FD6D27}" = Siemens Automation License Manager
"{588DC473-0F95-42C4-BBF0-92CCE9FD6D27}LicenseManager" = Siemens Automation License Manager V5.1 + SP1 + Upd3 
"{5C892BBD-214D-4E5C-BAB6-B230231ACF91}" = Rockwell Automation 1756 Remote I/O Interface Module Profile
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5F131988-3326-AD64-1817-D76A2FE3C2D3}" = CCC Help Chinese Traditional
"{5FBF37CD-B7F9-564C-BDFC-73D970CF7AF2}" = CCC Help Italian
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{61C63422-E5E2-8576-2B82-0E01F5AD2538}" = CCC Help English
"{61F90A4F-AD49-7FFB-F027-5B2CB64F0A70}" = Catalyst Control Center Graphics Light
"{629044C7-745A-64B8-467F-2F93ED50008B}" = CCC Help Chinese Standard
"{65BF23C0-4EF9-27CC-7B6F-190F4008A569}" = Catalyst Control Center Localization Polish
"{65D602E4-DCDE-0743-6A0A-F1A203449F47}" = CCC Help German
"{66D6B52B-FD73-4CF0-8225-9921E6340FA5}" = Spectrum Controls 1769 Analog Module Profiles
"{68BEE9AE-D577-4CFA-9201-02B0CF288FC5}" = Memeo AutoBackup
"{69E5255D-9D43-4CFF-8984-843ABD7753B7}" = Catalyst Control Center - Branding
"{6B4874CA-13CF-2477-B697-B448201B56B6}" = CCC Help Norwegian
"{6C03909E-5D1A-4D7C-BF1D-B89876F44B56}" = IVI Shared Component
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6EB0B23B-AA51-6F4E-C94C-C1015ED61EEC}" = CCC Help Japanese
"{6F059EF3-4B0C-4566-8061-2FB4FF079D77}" = Agilent IO Libraries Suite 15.5
"{70495081-1DC8-AD4B-C197-12138B8FBC9E}" = CCC Help Danish
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71B929E2-3556-93DB-DEC0-FD56D3EFB473}" = Catalyst Control Center Localization Chinese Traditional
"{71C47830-182D-79FA-0790-0366E6E2C2EB}" = Catalyst Control Center Localization Spanish
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77CAD946-C573-6647-B222-B6870C072932}" = CCC Help Korean
"{7BCFC80E-8D88-4B7C-AF62-A629521B3274}" = BootP-DHCP Server
"{7C8B2D49-2269-4068-B568-2A5C9357CDB4}" = Parker Isysnet ASCII Module Profile
"{7E83516C-931B-870F-5CDF-01FDF9A4AEF0}" = Catalyst Control Center Localization Turkish
"{7F2120EB-3337-45DC-B5C3-D4DED4F0A0BA}" = SIMATIC  STEP 7 V5.4 + SP4 Professional 2006 SR5 
"{7F2120EB-3337-45DC-B5C3-D4DED4F0A0BA}STEP7" = SIMATIC  STEP 7 V5.4 + SP4 Professional 2006 SR5 
"{7F90B2BA-5401-4482-A064-621DAC8D79E9}" = Rockwell Automation Drives PowerFlex 4 Module Profiles
"{7FB3F90F-E754-4374-9ABC-EF8F94DA35E2}" = DeviceNet Node Commissioning Tool
"{80BFD376-A650-4CAA-A8DF-0989D2D2A3C9}" = Logix5000 PLM Sync Utility
"{8548BB1A-6F46-4A8B-A63F-3618200258DB}" = DirectSOFT 5 - Programming
"{86728841-C151-B8E4-43C6-DD289DE570B6}" = Catalyst Control Center Localization Swedish
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{86DBA852-5D5E-1856-D828-620E792EDC0D}" = Catalyst Control Center Localization Chinese Standard
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{88BA2601-8A62-7AB7-DB8A-7AA2840B7C87}" = Catalyst Control Center Localization Thai
"{890EF3F8-742F-46BD-9E8E-084B3A1F4364}" = QuickBooks Financial Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A8C5496-0460-489E-8CB9-8F62E09F033D}" = Tag Data Monitor Tool
"{8B480305-804B-4961-8878-03D263A8C4F2}" = Rockwell Automation 1756 ENet Comms Module Profiles
"{8B587895-7716-1B99-5D85-3CA4AAF8A0F4}" = Catalyst Control Center Localization Dutch
"{8E98B242-C14B-45F9-BCDA-F95E3B54B340}" = Rockwell Automation 1756 Ethernet Bridge Module Profile
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{915A9B58-8C01-49B7-BAE3-14C5C73126DC}" = Rockwell Automation 1738 Analog Module Profiles
"{9244F321-0BBD-9D4A-C1FB-6437E3D0550D}" = Catalyst Control Center Localization German
"{93525AA8-C465-4CAE-9504-5A52933B4768}" = Rockwell Automation DIO DeviceNet Safety Module Profile
"{93F1F0A3-43D2-482F-BD01-AB0CB71AC2A2}" = Rockwell Automation 1769 Analog Module Profiles
"{93F3EBDD-4007-C233-7320-977AC0941054}" = CCC Help Turkish
"{94163213-06D7-4986-B8DF-B5353165894A}" = Rockwell Automation Generic Safety Module Profiles
"{9422CAE7-119E-47EB-AA1B-440BF7DB980B}" = Rockwell Automation 1756 HART Module Profiles
"{94AB6CE0-DB26-7048-2A5B-4647EA1FC693}" = ccc-core-static
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{96327C3C-96BE-4C7A-A6F7-A71635E5949A}" = Microsoft SQL Server 2005 Backward compatibility
"{96F139DE-C33E-4FCC-A72B-684BF899F679}" = SIMATIC S7-SCL V5.3 + SP5 Professional 2006 SR5 
"{96F139DE-C33E-4FCC-A72B-684BF899F679}SCL" = SIMATIC S7-SCL V5.3 + SP5 Professional 2006 SR5 
"{98EF973A-8DB6-4878-9D2A-F8D04EB03EEB}" = Rockwell Automation 1732 Discrete Module Profiles
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9AE0E408-37BC-4B89-B768-252DE878CE7A}" = Logix CPU Security Tool
"{9B1D3BE5-4853-4D07-B23D-ECED8558CFB5}" = Parker Isysnet Analog Module Profiles
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A0C1F8BE-B6A5-4902-B0A1-8C930F7B914F}" = Rockwell Automation EtherNet/IP Tap Family Module Profiles
"{A103C127-2168-4493-8D01-4BF180BED12C}" = CCC Help Portuguese
"{A13D16C5-38A9-4D96-9647-59FCCAB12A85}" = Visual Basic for Applications ® Core - English
"{A2240B54-674B-4DD9-ACBE-C6CBF4DB5AF9}" = Rockwell Automation 1769 Discrete Module Profiles
"{A490C195-2668-4E7F-8243-35A89346A0B4}" = ICONICS OPC UA Server FrameWorX
"{A7AB25FD-7861-475A-8D0F-18915789DB65}" = Rockwell Automation 5XRF RFID Reader Module Profiles
"{A7F27ADB-3C56-0F2B-6B4B-0B8E02A49186}" = ATI Catalyst Install Manager
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9612AC1-EC90-4A8C-BE56-802AFC22422E}" = VISA Shared Components
"{AB8E12B5-0B0E-47F9-83A7-89F40B39DBF1}" = Rockwell Automation 1756 ENet Comms Module Profiles
"{AC2EE52D-05CD-8140-5D29-5AA29590971E}" = CCC Help French
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.5)
"{AD9F5DB5-ACE0-4538-A272-88B10A6C93C8}" = OPC Core Components Redistributable (x86) 101.2
"{AE0CDAAE-B0FD-485B-BF8D-6CC1B77CE851}" = Rockwell Automation 1440 XM Dynamic Measurement Module Profile
"{AE1160D4-D6CA-4DB0-B11E-A53E52F8B94A}" = Rockwell Automation 1732 Discrete Module Profiles 2
"{AE533A06-4655-41E8-88BB-48293AAF1FA0}" = SIMATIC Prosave
"{AE533A06-4655-41E8-88BB-48293AAF1FA0}Prosave" = SIMATIC Prosave V9.0 incl. SP3 
"{AEDC13E1-E594-473C-B421-FE224FF64BFD}" = Rockwell Automation 2097 Kinetix Module Profiles
"{AF12BFE9-C3D7-4035-B585-7EBCC7BF19EE}" = Rockwell Automation 1738 Analog Module Profiles 2
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B02A78AE-EA3B-8261-AEBC-8221E22DCC1E}" = CCC Help Polish
"{B04ECE52-84DE-458B-B2DB-B8211A7BE483}" = Faux Agilent VisaCom
"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library
"{B100A292-14C5-4E41-AE27-0229BFBFDA9F}" = RSLogix 5000 DeviceNet Tag Generator
"{B1D67B62-35A8-A9A1-AA74-F6A495C8271A}" = Catalyst Control Center Localization Danish
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3C2952E-B9E6-4C3E-A1B3-8087654A15F4}" = SIMATIC S7-PLCSIM V5.4 + SP2 Professional 2006 SR5 
"{B3C2952E-B9E6-4C3E-A1B3-8087654A15F4}PLCSim" = SIMATIC S7-PLCSIM V5.4 + SP2 Professional 2006 SR5 
"{B5124D47-D009-465C-8C2C-3F0633ACCB15}" = Rockwell Automation DIO DeviceNet Safety Module Profiles
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{B74FA19C-EECC-479A-AD52-1968D6AD15C4}" = Rockwell Automation 1769 Specialty Module Profiles
"{B7FEEEC2-76AD-493E-9ACA-CD3B155778BA}" = E-Designer 7
"{B8910EEE-B3A9-489D-BA66-529179498F39}" = Rockwell Automation 1738 ASCII Module Profiles
"{BA076DAD-B2E9-4DE6-8DC3-A12C0E569EAC}" = SIMATIC WinCC flexible Runtime
"{BA076DAD-B2E9-4DE6-8DC3-A12C0E569EAC}HmiRTm" = SIMATIC WinCC flexible Runtime 2008 SP3 
"{BC2EA92A-A5A9-A137-5204-F150EDB05DB3}" = CCC Help Hungarian
"{BC713970-8C3C-852B-4139-636F21114B7F}" = CCC Help Dutch
"{BC74DB9A-50F1-4FDB-B7D7-24759D68C0CA}" = Rockwell Automation Drives PowerFlex 7 2 Module Profiles
"{BD3D5476-8B2C-4499-8EFC-B9A296BCC56F}" = Rockwell Automation 1756 Ethernet Bridge Module Profile
"{BE7574FB-1993-454C-AB8E-BAF29FE347A8}" = Rockwell Automation 1791DS Discrete Module Profiles
"{BFEBED38-FC3B-4D88-A444-F674357646B8}" = Agilent 34970A BenchLink Data Logger 3
"{C1F4CE2D-064B-45E2-AF3A-344B61E5D818}" = Rockwell Automation 1738 Ethernet Adapter,2-Port,Module Profile
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C4A8DE34-BFF8-4665-824D-531067B70AA3}" = Rockwell Automation 1769 Discrete Module Profiles
"{C4CF38A1-29FD-439E-B734-08E3CE46FA22}" = Logix5000 Clock Update Tool
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{C55A34AC-DA14-44B4-B233-678130228184}" = Rockwell Automation DIO EtherNet Safety Module Profiles
"{C5F1A9C4-C041-2E95-5D7E-EF56CED2B522}" = Skins
"{C8399033-D74E-44B9-9941-5A4E326DE896}" = RSLogix 5000 Compare
"{C9793FB8-B58D-4499-AB47-480CD09E0EE9}" = Rockwell Automation 1769 Analog Module Profiles
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CCAFF79B-2512-49C3-97A0-3C6A1E92B2CC}" = Rockwell Automation 1738 Discrete Module Profiles
"{CCC01ADD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC Device Drivers
"{CCC02ADD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC LanguageSupportTool
"{CCC02FDD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC HMI Symbol Library
"{CCC07ADD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC Version View
"{CCC15FDD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC HMI ProSave
"{CCC16FDD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC WinCC flexible OCX
"{CCC22FDD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC HMI License Manager Panel Plugin
"{CCC59FDD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC WinCC flexible Tag Simulator
"{CCC60FDD-3A54-11D6-92A8-00A0245B3AC6}" = SIMATIC WinCC flexible Simulator
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7CB214-DB11-4B5D-A6AF-3B4ED47C68B7}" = Microsoft Game Studios Common Redistributables Pack 1
"{D0F378B8-DBD4-48F9-A8AC-1BCC7B960451}" = Rockwell Automation 1769 Embedded Module Profiles
"{D10CE499-0639-4C63-92E5-56DBFC36808F}" = Rockwell Automation 1734 Analog Module Profiles
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{D5D0B6B7-F7FF-45ED-8677-87F9C1DA658F}" = Rockwell Automation 1734 Discrete Module Profile, DeviceLogix
"{D7CC05AF-067D-0D1A-1E4D-9DCBCDCC2D41}" = Catalyst Control Center Graphics Full New
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DEF238EA-803C-4E70-AC4A-5BDFAFB84D48}" = Agilent LXI Mdns Responder
"{E0FC3A5D-CF52-ABA7-92EF-D9794F372121}" = Catalyst Control Center Graphics Full Existing
"{E16B30EC-A310-45C5-AC18-E21CD7AFE95D}" = Rockwell Automation 1738 Discrete Module Profiles 2
"{E23D2739-47B9-4E25-94CD-262962160782}" = Rockwell Automation Drives PowerFlex 7 3 Module Profiles
"{E2A91BF5-FE48-46CF-A1BE-F639D21D06C2}" = SIMATIC S7-GRAPH V5.3 + SP6 Professional 2006 SR5 
"{E2A91BF5-FE48-46CF-A1BE-F639D21D06C2}S7GRAPH" = SIMATIC S7-GRAPH V5.3 + SP6 Professional 2006 SR5 
"{E477C386-788C-48A4-8150-38990356032E}" = Logix5000 Task Monitor
"{E4A7270C-AA11-4014-8065-1FA500517896}" = Parker Isysnet Ethernet Adapter Module Profile
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{E6499EDB-7ABB-482E-925F-0529C8E4BF17}" = Rockwell Automation 1738 Discrete Module Profile, DeviceLogix
"{E67FFFD5-54F5-11D5-BC27-0060083AFB19}" = HMI Tools
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E8146358-2CC2-4A4E-9EA7-8AD2D5642031}" = Parker Isysnet Discrete Module Profiles 2
"{E8B1C02C-3941-4052-A16C-F89B34E5488E}" = ICONICS Software Licensing
"{EA450D5D-95EA-4FD0-B8B0-6D8E68FBE2C7}" = GameStop App
"{EA7D1919-A6BF-979A-E3A2-F753E23D45FA}" = Catalyst Control Center Localization Hungarian
"{EC01B2D8-5274-46B0-80CE-A13E0987FF07}" = Rockwell Automation 1738 Ethernet Adapter Module Profile
"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
"{ECCA8FE7-767A-4C8A-9DAA-BAB60F877C41}" = Sins of a Solar Empire
"{ED2BC5D9-20EE-FBB6-8483-240F19EFCAA5}" = CCC Help Swedish
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{EF1382D6-AE68-4AFD-B255-8CAACD786D7C}" = Rockwell Automation 1734 Discrete Module Profiles 4
"{F0345A2F-1D78-0AEA-7CBB-CEF48622EB44}" = Catalyst Control Center Localization Portuguese
"{F0646787-1A2F-34E9-A61D-9DAD69F606F8}" = CCC Help Spanish
"{F10C1288-EE89-49D4-B281-71ABB08AF153}" = Rockwell Automation 1734 Discrete Module Profiles 2
"{F114066A-DFCB-443E-A6FB-82922F6CC88A}" = Tag Upload Download Tool
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1A02F9C-B331-47B6-8EDB-29CDB443EB37}" = PKZIP Server for Windows 12.00.0014
"{F22AB15D-1B3E-4187-B622-6FBC559892E5}" = Rockwell Automation 1783 Ethernet Managed Switch Module Profile
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4939C2B-FE26-4FC5-A052-85AD53DEBE90}" = Rockwell Automation 1734 ControlNet Adapter Module Profile
"{F50E4D66-5280-FDF8-7F55-2E47FCF23E7D}" = Catalyst Control Center Localization Korean
"{F67E6AE5-F87B-025F-2D6B-26491304393F}" = CCC Help Russian
"{F9BC805D-84E0-4F4B-AA36-3FD0430D436E}" = Rockwell Automation 1734 Ethernet Adapter,2-Port,Module Profile
"{F9DAAC4B-5E3F-1D39-9D4B-6998664EF402}" = Catalyst Control Center Localization Finnish
"{F9F66B99-C1B3-ACEA-1F80-404CC4DD96BF}" = Catalyst Control Center Localization French
"{FA493449-3E34-4E05-8CA7-26A42E9F180E}" = CCC Help Greek
"{FA540765-21B9-483A-A257-3938A992B8AD}" = ICONICS OPC Server Suite 5
"{FCD0CE8F-A091-4BBE-93C8-40FE157E1196}" = Rockwell Automation 1769 Boolean Module Profiles
"{FD2924A8-C0B8-425E-A202-CE2DDCAB4935}" = Rockwell Automation DIO DeviceNet Safety Module Profiles
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"CamStudio" = CamStudio
"CamStudio Lossless Codec_is1" = CamStudio Lossless Codec v1.4
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"DriveES DriveMonitor" = DriveMonitor V5.4 + SP1 + HF1
"DriveES Micromaster" = Drives: MICRO-/MIDI-/COMBIMASTER V5.3 + HF1
"DriveES SIMOREG" = Drives: SIMOREG V5.4 + SP1
"DriveES SIMOVERT" = Drives: SIMOVERT V5.4 + SP1 + HF1
"DriveES SIPLINK" = Drives: SIPLINK V5.4
"DriveES_SIMADYND" = Drives: SIMADYN D V5.3
"DWG TrueView 2010" = DWG TrueView 2010
"eBuddy 1.8 (45c)" = eBuddy 1.8 (45c)
"eCatcher Pro_is1" = eCatcher 3.0.3.7450
"eVCOM_is1" = eVCOM 1.3.1.34
"EZTouch" = EZTouch Programming Software
"EZware-5000" = EZware-5000 v2.11
"EZWare-500v2.73" = EZware-500 v2.73
"Freelancer 1.0" = Freelancer
"Freelancer Global Server Workaround_is1" = Freelancer Global Server Workaround 1.0
"GameStop App" = GameStop App
"InstallShield_{2838043E-63EF-44A4-B3A8-17B8129BD5BD}" = WinCC flexible Graphics
"InstallShield_{4859C171-B826-4B74-ABCE-501B4C725EA2}" = SIMATIC WinCC flexible 2008 SP3
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{68BEE9AE-D577-4CFA-9201-02B0CF288FC5}" = Memeo AutoBackup
"InstallShield_{6F059EF3-4B0C-4566-8061-2FB4FF079D77}" = Agilent IO Libraries Suite 15.5
"InstallShield_{E8B1C02C-3941-4052-A16C-F89B34E5488E}" = ICONICS Software Licensing
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"IviSharedComponent" = IVI Shared Components
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Meridian 59" = Meridian 59
"Meridian 59: The Internet Quest Continues" = Meridian 59: The Internet Quest Continues
"Micromaster4xx" = Drives: MICROMASTER 4xx V5.4 + SP2
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"OpenAL" = OpenAL
"Picasa2" = Picasa 2
"PID Calculation Program" = PID Calculation Program
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"Privateer" = Privateer
"Remote Access Viewer_is1" = Remote Access Viewer 1.0.0
"Serwpl" = RadioShack USB to Serial Cable
"Sins of a Solar Empire" = Sins of a Solar Empire
"ST6UNST #1" = Instrument Setup
"Starcraft" = Starcraft
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Talk2mVpnService_is1" = Talk2mVpnService 3.0.2.7450
"TeamViewer 5" = TeamViewer 5
"The Ur-Quan Masters" = The Ur-Quan Masters 0.7.0
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"VersaPoint" = VersaPoint
"VISASharedComponents" = VISA Shared Components
"VLC media player" = VLC media player 1.0.5
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WildTangent toshiba Master Uninstall" = TOSHIBA Games
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"EA SPORTS Gameface Browser Plugin" = EA SPORTS Gameface Browser Plugin 1.3.1.0
"GoToMeeting" = GoToMeeting 5.4.0.1082
"UnityWebPlayer" = Unity Web Player
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 2/15/2013 1:19:58 PM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
Error - 2/15/2013 1:56:24 PM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
Error - 2/15/2013 3:50:43 PM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
Error - 2/15/2013 7:55:03 PM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
Error - 2/16/2013 1:30:26 PM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
Error - 2/16/2013 2:49:36 PM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
Error - 2/16/2013 5:00:20 PM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
Error - 2/17/2013 11:08:58 AM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
Error - 2/17/2013 5:32:15 PM | Computer Name = Damian-Laptop | Source = WinMgmt | ID = 10
Description =
 
[ System Events ]
Error - 2/15/2013 7:55:18 PM | Computer Name = Damian-Laptop | Source = netbt | ID = 4321
Description = The name "HOME           :1d" could not be registered on the interface
 with IP address 192.168.1.96.  The computer with the IP address 192.168.1.15 did
not allow the name to be claimed by  this computer.
 
Error - 2/16/2013 1:30:26 PM | Computer Name = Damian-Laptop | Source = Service Control Manager | ID = 7026
Description =
 
Error - 2/16/2013 2:49:37 PM | Computer Name = Damian-Laptop | Source = Service Control Manager | ID = 7026
Description =
 
Error - 2/16/2013 5:00:20 PM | Computer Name = Damian-Laptop | Source = Service Control Manager | ID = 7026
Description =
 
Error - 2/17/2013 12:38:07 AM | Computer Name = Damian-Laptop | Source = DCOM | ID = 10010
Description =
 
Error - 2/17/2013 11:08:58 AM | Computer Name = Damian-Laptop | Source = Service Control Manager | ID = 7026
Description =
 
Error - 2/17/2013 11:20:32 AM | Computer Name = Damian-Laptop | Source = Service Control Manager | ID = 7030
Description =
 
Error - 2/17/2013 11:29:52 AM | Computer Name = Damian-Laptop | Source = Service Control Manager | ID = 7030
Description =
 
Error - 2/17/2013 11:36:04 AM | Computer Name = Damian-Laptop | Source = Service Control Manager | ID = 7030
Description =
 
Error - 2/17/2013 5:32:15 PM | Computer Name = Damian-Laptop | Source = Service Control Manager | ID = 7026
Description =
 
[ WinCCLog Events ]
Error - 2/14/2012 3:28:30 PM | Computer Name = Damian-Laptop | Source = SystemDiagnosis.DiagnosisClasses | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      2/14/2012 2:28:30 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- Message: Cannot access a disposed
object.  Object name: 'Appearance'.  Exception Type: System.ObjectDisposedException HelpLink:
 NULL Source: System.Windows.Forms TargetSite: Void CreateHandle()  StackTrace Information
-------------------------------------------

   at System.Windows.Forms.Control.CreateHandle()     at System.Windows.Forms.Control.get_Handle()

   at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.WndProc(Message&
 m)     at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)  
  at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)     at System.Windows.Forms.NativeWindow.Callback(IntPtr
 hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
 
Error - 2/14/2012 3:28:31 PM | Computer Name = Damian-Laptop | Source = SystemDiagnosis.DiagnosisClasses | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      2/14/2012 2:28:31 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- Message: Cannot access a disposed
object.  Object name: 'Appearance'.  Exception Type: System.ObjectDisposedException HelpLink:
 NULL Source: System.Windows.Forms TargetSite: Void CreateHandle()  StackTrace Information
-------------------------------------------

   at System.Windows.Forms.Control.CreateHandle()     at System.Windows.Forms.Control.get_Handle()

   at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.WndProc(Message&
 m)     at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)  
  at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)     at System.Windows.Forms.NativeWindow.Callback(IntPtr
 hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
 
Error - 2/14/2012 3:28:31 PM | Computer Name = Damian-Laptop | Source = SystemDiagnosis.DiagnosisClasses | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      2/14/2012 2:28:31 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- Message: Cannot access a disposed
object.  Object name: 'Appearance'.  Exception Type: System.ObjectDisposedException HelpLink:
 NULL Source: System.Windows.Forms TargetSite: Void CreateHandle()  StackTrace Information
-------------------------------------------

   at System.Windows.Forms.Control.CreateHandle()     at System.Windows.Forms.Control.get_Handle()

   at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.RecursiveInvalidate(Control
 startcontrol, Point pointScreen)     at Siemens.Simatic.Hmi.Utah.Framework.Resources.FrameControl.WndProc(Message&
 m)     at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)  
  at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)     at System.Windows.Forms.NativeWindow.Callback(IntPtr
 hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
 
Error - 2/15/2012 2:39:32 PM | Computer Name = Damian-Laptop | Source = SystemDiagnosis.DiagnosisClasses | ID = 0
Description =
 
Error - 2/16/2012 4:33:38 PM | Computer Name = Damian-Laptop | Source = SystemDiagnosis.DiagnosisClasses | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      2/16/2012 3:33:38 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- Message: No connection could be made
 because the target machine actively refused it 127.0.0.1:8085  Exception Type: System.Net.Sockets.SocketException
HelpLink:
 NULL Source: mscorlib TargetSite: Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage,
 System.Runtime.Remoting.Messaging.IMessage)  StackTrace Information -------------------------------------------

Server
 stack trace:      at System.Net.Sockets.Socket.Connect(IPAddress[] addresses, Int32
 port)     at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket(AddressFamily
 family)     at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket()

   at System.Runtime.Remoting.Channels.RemoteConnection.GetSocket()     at System.Runtime.Remoting.Channels.SocketCache.GetSocket(String
 machinePortAndSid, Boolean openNew)     at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.SendRequestWithRetry(IMessage
 msg, ITransportHeaders requestHeaders, Stream requestStream)     at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.ProcessMessage(IMessage
 msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders&
 responseHeaders, Stream& responseStream)     at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage
 msg)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
 reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
 msgData, Int32 type)     at Siemens.Simatic.Hmi.Utah.SystemDiagnosis.TraceServerDispatcher.Ping()

   at Siemens.Simatic.Hmi.Utah.SystemDiagnosis.Tracer.Connect(Int32 pid)
 
Error - 2/27/2012 5:29:55 PM | Computer Name = Damian-Laptop | Source = SystemDiagnosis.DiagnosisClasses | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      2/27/2012 4:29:54 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- Message: No connection could be made
 because the target machine actively refused it 127.0.0.1:8085  Exception Type: System.Net.Sockets.SocketException
HelpLink:
 NULL Source: mscorlib TargetSite: Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage,
 System.Runtime.Remoting.Messaging.IMessage)  StackTrace Information -------------------------------------------

Server
 stack trace:      at System.Net.Sockets.Socket.Connect(IPAddress[] addresses, Int32
 port)     at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket(AddressFamily
 family)     at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket()

   at System.Runtime.Remoting.Channels.RemoteConnection.GetSocket()     at System.Runtime.Remoting.Channels.SocketCache.GetSocket(String
 machinePortAndSid, Boolean openNew)     at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.SendRequestWithRetry(IMessage
 msg, ITransportHeaders requestHeaders, Stream requestStream)     at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.ProcessMessage(IMessage
 msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders&
 responseHeaders, Stream& responseStream)     at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage
 msg)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
 reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
 msgData, Int32 type)     at Siemens.Simatic.Hmi.Utah.SystemDiagnosis.TraceServerDispatcher.Ping()

   at Siemens.Simatic.Hmi.Utah.SystemDiagnosis.Tracer.Connect(Int32 pid)
 
Error - 3/12/2012 2:27:25 PM | Computer Name = Damian-Laptop | Source = Synchronizer.ImageManager | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      3/12/2012 2:27:25 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- No connection  for PLC "\Step7\CB2110012_R3t\B12\CPU
 317-2PN/DP" found!
 
Error - 3/12/2012 2:27:25 PM | Computer Name = Damian-Laptop | Source = Startup | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      3/12/2012 2:27:25 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- The symbol is disabled for WinCC flexible
 or it exceeds the 64 Kb limit for a source!
 
Error - 5/30/2012 3:39:33 PM | Computer Name = Damian-Laptop | Source = SystemDiagnosis.DiagnosisClasses | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      5/30/2012 3:39:33 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- Message: No connection could be made
 because the target machine actively refused it 127.0.0.1:8085  Exception Type: System.Net.Sockets.SocketException
HelpLink:
 NULL Source: mscorlib TargetSite: Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage,
 System.Runtime.Remoting.Messaging.IMessage)  StackTrace Information -------------------------------------------

Server
 stack trace:      at System.Net.Sockets.Socket.Connect(IPAddress[] addresses, Int32
 port)     at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket(AddressFamily
 family)     at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket()

   at System.Runtime.Remoting.Channels.RemoteConnection.GetSocket()     at System.Runtime.Remoting.Channels.SocketCache.GetSocket(String
 machinePortAndSid, Boolean openNew)     at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.SendRequestWithRetry(IMessage
 msg, ITransportHeaders requestHeaders, Stream requestStream)     at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.ProcessMessage(IMessage
 msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders&
 responseHeaders, Stream& responseStream)     at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage
 msg)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
 reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
 msgData, Int32 type)     at Siemens.Simatic.Hmi.Utah.SystemDiagnosis.TraceServerDispatcher.UnregisterTraceClient(Int32
 pid)     at Siemens.Simatic.Hmi.Utah.SystemDiagnosis.Tracer.Disconnect(Int32 pid)

 
Error - 8/1/2012 4:18:00 PM | Computer Name = Damian-Laptop | Source = SystemDiagnosis.DiagnosisClasses | ID = 0
Description = General Information ------------------------------- Machine Name:  
 Damian-Laptop Time Stamp:      8/1/2012 4:17:59 PM Windows Identity:DAMIAN-LAPTOP\Danian

Exception
 Information ---------------------------------- Message: No connection could be made
 because the target machine actively refused it 127.0.0.1:8085  Exception Type: System.Net.Sockets.SocketException
HelpLink:
 NULL Source: mscorlib TargetSite: Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage,
 System.Runtime.Remoting.Messaging.IMessage)  StackTrace Information -------------------------------------------

Server
 stack trace:      at System.Net.Sockets.Socket.Connect(IPAddress[] addresses, Int32
 port)     at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket(AddressFamily
 family)     at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket()

   at System.Runtime.Remoting.Channels.RemoteConnection.GetSocket()     at System.Runtime.Remoting.Channels.SocketCache.GetSocket(String
 machinePortAndSid, Boolean openNew)     at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.SendRequestWithRetry(IMessage
 msg, ITransportHeaders requestHeaders, Stream requestStream)     at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.ProcessMessage(IMessage
 msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders&
 responseHeaders, Stream& responseStream)     at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage
 msg)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
 reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
 msgData, Int32 type)     at Siemens.Simatic.Hmi.Utah.SystemDiagnosis.TraceServerDispatcher.Trace(String
 message)     at Siemens.Simatic.Hmi.Utah.SystemDiagnosis.Tracer.Trace(String message)

 
 
< End of report >



#9 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:02:50 PM

Posted 18 February 2013 - 03:10 AM

Hello Damiac,

 

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O15 - HKCU\..Trusted Domains: celeros2003sbs ([]file in Local intranet)

    @Alternate Data Stream - 200 bytes -> C:\ProgramData\TEMP:DDE29E40


    :Commands
    [EmptyTemp]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 

=====

 

Time to look at those 3 files. I assume you know their location?

 

Please download to your Desktop SystemLook by jpshortstuff from here.
Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:

    :filefind
    gnserv.dat
    hlktmp
    spserv.dat
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt.

 


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#10 Damiac

Damiac
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 18 February 2013 - 10:41 AM

Here is the OTL log.  It ran for a couple of seconds, then asked to reboot the machine. Much quicker than the first scan.

 

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\celeros2003sbs\ deleted successfully.
ADS C:\ProgramData\TEMP:DDE29E40 deleted successfully.
File ptyTemp] not found.
 
OTL by OldTimer - Version 3.2.69.0 log created on 02182013_103639

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

 

 

Systemlook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 10:42 on 18/02/2013 by Danian
Administrator - Elevation successful

========== filefind ==========

Searching for "gnserv.dat"
C:\Windows\Temp\gnserv.dat --ah--- 1024 bytes [19:08 13/02/2013] [15:38 18/02/2013] 0F343B0931126A20F133D67C2B018A3B

Searching for "hlktmp"
C:\Windows\Temp\hlktmp --a---- 8405015 bytes [19:08 13/02/2013] [15:38 18/02/2013] (Unable to calculate MD5)

Searching for "spserv.dat"
C:\Windows\Temp\spserv.dat --ah--- 1024 bytes [19:08 13/02/2013] [15:38 18/02/2013] 0F343B0931126A20F133D67C2B018A3B

-= EOF =-


Edited by Damiac, 18 February 2013 - 10:48 AM.


#11 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:02:50 PM

Posted 18 February 2013 - 03:26 PM

Hey Damiac,

 

Please go to http://www.virustotal.com, click on Choose File, and upload the following files for analysis. You will only be able to have one file scanned at a time.

C:\Windows\Temp\gnserv.dat

C:\Windows\Temp\hlktmp

C:\Windows\Temp\spserv.dat

Then click Scan It!. Allow the file to be scanned, and then please copy/paste the results here for me to see.
Note: If a message appears saying the file has already been analysed, please resend the file.




#12 Damiac

Damiac
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 18 February 2013 - 03:50 PM

Ok

 

Here is gnserv.dat

SHA256: 5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA1: 60cacbf3d72e1e7834203da608037b1bf83b40e8

MD5: 0f343b0931126a20f133d67c2b018a3b

File size: 1.0 KB ( 1024 bytes )

File name: gnserv.dat

File type: unknown

Detection ratio: 0 / 45

Analysis date: 2013-02-18 20:41:39 UTC ( 1 minute ago )

 

 

Here is spserv.dat:

SHA256: 5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA1: 60cacbf3d72e1e7834203da608037b1bf83b40e8

MD5: 0f343b0931126a20f133d67c2b018a3b

File size: 1.0 KB ( 1024 bytes )

File name: spserv.dat

File type: unknown

Detection ratio: 0 / 45

Analysis date: 2013-02-18 20:44:06 UTC ( 1 minute ago )

 

It will not let me upload hlktmp

 

It says that it's open in another program.  I also cannot copy the file, I get the same message. "This action cannot be completed because the file is open in another program. Close the file and try again."

 

I will try rebooting in safe mode, copying the file, then scanning that copy.

 

EDIT:

Ok, that worked, here are the results of the scan of HLKTMP

SHA256: e0a7553c8b28759a0fbe37bef2a2cb3056d07f2aa34d4c556cf3213af289d33a

SHA1: 09ce06dea54d675250006b514f2e4cb379dd5f43

MD5: b9d1aa29c12f5bc65940e00201cc4c17

File size: 8.0 MB ( 8405015 bytes )

File name: hlktmp

File type: DOS EXE

Detection ratio: 1 / 45

Analysis date: 2013-02-18 21:01:11 UTC ( 0 minutes ago )

 

The one red entry for HLKTMP was from eSafe, which listed it as a Win32.Trojan

 

Hopefully that means something to you.

 

Thanks for all your help


Edited by Damiac, 18 February 2013 - 04:22 PM.
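The SystemLook hits in post #10 and the VirusTotal digests in post #12 can be checked mechanically rather than by eye. The following Python script is an added example; it is not part of the thread and not code from SystemLook, VirusTotal or any other tool named here. It embeds the three SystemLook result lines quoted above as constructed sample text, flags the hidden attribute and the "(Unable to calculate MD5)" lock condition, groups files whose MD5 is identical (byte-identical content), and compares the digests VirusTotal reported for gnserv.dat against those of a zero-filled file of the same size. The helper names (parse_systemlook, triage, matches_zero_file, group_by_md5) are the example's own.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample input: the three SystemLook "filefind" hits quoted in the
# thread, embedded here so the script runs offline.
SYSTEMLOOK_OUTPUT = """\
========== filefind ==========

Searching for "gnserv.dat"
C:\\Windows\\Temp\\gnserv.dat --ah--- 1024 bytes [19:08 13/02/2013] [15:38 18/02/2013] 0F343B0931126A20F133D67C2B018A3B

Searching for "hlktmp"
C:\\Windows\\Temp\\hlktmp --a---- 8405015 bytes [19:08 13/02/2013] [15:38 18/02/2013] (Unable to calculate MD5)

Searching for "spserv.dat"
C:\\Windows\\Temp\\spserv.dat --ah--- 1024 bytes [19:08 13/02/2013] [15:38 18/02/2013] 0F343B0931126A20F133D67C2B018A3B
"""

# Digests exactly as they appear in the VirusTotal report for gnserv.dat in the thread.
VT_GNSERV = {
    "size": 1024,
    "md5": "0f343b0931126a20f133d67c2b018a3b",
    "sha1": "60cacbf3d72e1e7834203da608037b1bf83b40e8",
    "sha256": "5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
}

# One SystemLook hit: path, 7-char attribute flags, size, created/modified stamps,
# then either a 32-hex MD5 or the note SystemLook prints when it cannot open the file.
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)


def parse_systemlook(text):
    """Return one dict per filefind hit; header and 'Searching for' lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["size"] = int(hit["size"])
        hit["hidden"] = "h" in hit["attrs"]  # 'h' flag = hidden attribute
        hit["md5"] = None if hit["md5"].startswith("(") else hit["md5"].lower()
        hits.append(hit)
    return hits


def digests(data):
    """MD5/SHA-1/SHA-256 of a byte string, lower-case hex as VirusTotal prints them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def zero_filled_digests(size):
    """Digests of a file of `size` bytes containing nothing but 0x00."""
    return digests(b"\x00" * size)


def matches_zero_file(report):
    """True when every digest in a VirusTotal-style report equals that of a
    zero-filled file of the reported size, i.e. the file carries no code at all."""
    expected = zero_filled_digests(report["size"])
    return all(report[k] == expected[k] for k in ("md5", "sha1", "sha256"))


def group_by_md5(hits):
    """Paths that share an MD5 (byte-identical content), keyed by digest."""
    groups = defaultdict(list)
    for h in hits:
        if h["md5"]:
            groups[h["md5"]].append(h["path"])
    return {md5: paths for md5, paths in groups.items() if len(paths) > 1}


def triage(hits):
    """Per-path notes a responder would want before deciding what to submit or delete."""
    findings = {}
    for h in hits:
        notes = []
        if h["hidden"]:
            notes.append("hidden attribute set")
        if h["md5"] is None:
            # SystemLook could not read the file: it is held open by another process,
            # the same sharing violation that blocked the VirusTotal upload in the thread.
            notes.append("locked by another process; hash it from a copy (e.g. Safe Mode)")
        elif h["md5"] == zero_filled_digests(h["size"])["md5"]:
            notes.append("%d zero bytes: a placeholder, not executable content" % h["size"])
        findings[h["path"]] = notes
    return findings


if __name__ == "__main__":
    hits = parse_systemlook(SYSTEMLOOK_OUTPUT)
    for path, notes in triage(hits).items():
        print(path, "->", "; ".join(notes) or "nothing notable")
    print("identical content:", group_by_md5(hits))
    print("gnserv.dat is a zero-filled 1 KiB file:", matches_zero_file(VT_GNSERV))
```

Two takeaways follow from running it on the thread's own data: gnserv.dat and spserv.dat share one digest, and that digest is the one a 1024-byte file of nothing but zero bytes produces, so a 0/45 detection ratio on them says nothing about whatever wrote them; and the missing MD5 on hlktmp is the lock the poster ran into, which is why the hash could only be taken from a copy made in Safe Mode.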


#13 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:02:50 PM

Posted 19 February 2013 - 04:10 AM

Hello Damiac,

Please download GMER from one of the following locations and save it to your Desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your Desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress).
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.
  • If you encounter any problems, try running GMER in Safe Mode.
  • If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#14 Damiac

Damiac
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 19 February 2013 - 08:45 AM

Good morning Dark Knight,

 

I tried running gmer, after a few minutes of scanning it crashed, so I had to run in safe mode.

 

I noticed fewer items showed up in the log in safe mode.  Most notably, there were a few entries about a file named hardlock.sys when outside of safe mode, that didn't show up in safe mode. But I wasn't able to get a log outside of safe mode, due to the program crashing.

 

I didn't get any rootkit warnings, or any notifications about gmer.sys.

 

Here is the log:

GMER 2.1.18952 - http://www.gmer.net
Rootkit scan 2013-02-19 08:37:30
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1652GSX rev.LV010M 149.05GB
Running: k77gmo53.exe; Driver: C:\Users\Danian\AppData\Local\Temp\pgliikob.sys


---- Kernel code sections - GMER 2.1 ----

.text           C:\Windows\system32\DRIVERS\tos_sps32.sys  section is writeable [0x87B5E000, 0x4036D, 0xE8000020]
.dsrt           C:\Windows\system32\DRIVERS\tos_sps32.sys  unknown last section [0x87BA7000, 0x510, 0x40000040]

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0    Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1    Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 2.1 ----

 

Thanks again for your help


Edited by Damiac, 19 February 2013 - 08:46 AM.


#15 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:02:50 PM

Posted 19 February 2013 - 03:03 PM

Hello Damiac,

Please run a scan with the Trend Micro RootkitBuster.
  • Download Trend Micro Rootkit Buster from here.
  • Unzip it to your Desktop.
  • Open the extracted folder and double-click RootkitBuster.exe.
  • Press Scan.
  • When finished you'll be asked Do you want to view log file.
  • Press Yes and copy and paste the contents of the log in your next reply.
    Note: If any infections are found, please choose Delete Selected Items.





