
Windows.Tool.Disabled [Solved]

#1 jpleau
Member, 15 posts

Computer started acting very sluggish Thursday. I ran Malwarebytes and Trend AV scans. Malwarebytes keeps finding Windows.tool.disabled and indicates that it will delete it after a reboot. I have followed all instructions in the Malware and Spyware Cleaning Guide, and have copied the text files below. TIA for any assistance. Best Regards, Jill



Malwarebytes' Anti-Malware 1.44
Database version: 3608
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/22/2010 4:58:34 PM
mbam-log-2010-01-22 (16-58-34).txt

Scan type: Quick Scan
Objects scanned: 158606
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-22 18:47:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\SBurke\LOCALS~1\Temp\uwtyrkog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA7DEB6D0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 89F04638
Device \Driver\atapi \Device\Ide\IdePort1 89F04638
Device \Driver\atapi \Device\Ide\IdePort2 89F04638
Device \Driver\atapi \Device\Ide\IdePort3 89F04638
Device \Driver\atapi \Device\Ide\IdePort4 89F04638
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-14 89F04638
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-7 89F04638

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\svrltmgr.dll (*** hidden *** ) @ C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [1544] 0x10000000
Library C:\WINDOWS\system32\svrltmgr.dll (*** hidden *** ) @ C:\WINDOWS\system32\taskmgr.exe [1688] 0x10000000
Library C:\WINDOWS\system32\sgvrfy32.exe (*** hidden *** ) @ C:\WINDOWS\system32\sgvrfy32.exe [2840] 0x00400000
Library C:\WINDOWS\system32\vdorctrl.dll (*** hidden *** ) @ C:\WINDOWS\system32\sgvrfy32.exe [2840] 0x10000000
Library C:\WINDOWS\system32\cmproxfr.dll (*** hidden *** ) @ C:\WINDOWS\system32\sgvrfy32.exe [2840] 0x00E80000
Library C:\WINDOWS\system32\svrltmgr.dll (*** hidden *** ) @ O:\Sales\SBurke\Downloads\Geeks\gmer.exe [3288] 0x10000000
Library C:\WINDOWS\system32\vdorctrl.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3508] 0x10000000
Library C:\WINDOWS\system32\svrltmgr.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3508] 0x024E0000
Library C:\WINDOWS\system32\svrltmgr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3580] 0x10000000
Library C:\WINDOWS\system32\svrltwp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3580] 0x02700000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


OTL Extras logfile created on: 1/23/2010 8:03:28 AM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = O:\Sales\SBurke\Downloads\Geeks
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.41 Gb Total Space | 32.33 Gb Free Space | 43.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive N: | 273.40 Gb Total Space | 165.71 Gb Free Space | 60.61% Space Free | Partition Type: NTFS
Drive O: | 543.88 Gb Total Space | 169.24 Gb Free Space | 31.12% Space Free | Partition Type: NTFS

Computer Name: SBURKE1733
Current User Name: sburke
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"2468:TCP" = 2468:TCP:*:Enabled:System Event Dispatcher
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"65124:TCP" = 65124:TCP:*:Enabled:Trend Micro Client/Server Security Agent Listener
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"1832:TCP" = 1832:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"2468:TCP" = 2468:TCP:*:Enabled:System Event Dispatcher
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"1832:TCP" = 1832:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"\\dbserver\epicor\prgs91d\bin\prowin32.exe" = \\dbserver\epicor\prgs91d\bin\prowin32.exe:*:Enabled:prowin32
"C:\WINDOWS\TIREMOTE\wuser32.exe" = C:\WINDOWS\TIREMOTE\wuser32.exe:*:Enabled:Track-It! Remote Control -- (Intuit Track-It!)
"C:\WINDOWS\TIREMOTE\TIRemoteService.exe" = C:\WINDOWS\TIREMOTE\TIRemoteService.exe:*:Enabled:Track-It! Workstation Manager -- (Numara Software, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{0AC7DF16-E500-40C0-91C5-563616063037}" = DWGeditor
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{1ECD6EC8-7BB2-4CD5-A384-BAA371BC4D21}" = Volo View Express
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{53183B25-FBDC-4B95-856A-DCDD69DFEE18}" = Intel® PRO Alerting Agent
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.4
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{867DA348-D324-4764-AA7B-FF491E83DD1F}" = Xerox Corporation Wide Format Scan Service
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8}" = Adobe Flash Player 9 ActiveX
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003
"{913B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}" = Dell ETS Factory Installation
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E69411C0-8D66-4F9C-B6D6-9ED2FB89D0E4}" = eDrawings 2008
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"Access 2000 Bible" = Access 2000 Bible
"ActiveTouchMeetingClient" = WebEx
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"ERUNT_is1" = ERUNT 1.1j
"Gadwin PrintScreen" = Gadwin PrintScreen
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Lotus NotesSQL 2.06 driver" = Lotus NotesSQL 2.06 driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Manufacturing by Epicor" = Manufacturing by Epicor
"Manufacturing Systems client " = Manufacturing Systems client
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OfficeScanNT" = Trend Micro Client/Server Security Agent
"PROGRESS 9.1D Shared Network Installation" = PROGRESS 9.1D Shared Network Installation
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"SmartDraw 6" = SmartDraw 6

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/13/2010 7:52:23 AM | Computer Name = SBURKE1733 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 1/13/2010 7:53:17 AM | Computer Name = SBURKE1733 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 1/13/2010 10:12:59 AM | Computer Name = SBURKE1733 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winproj.exe, version 11.3.2009.1108, stamp 4968495f,
faulting module x5500pcl.dll, version 1.0.0.18, stamp 40ec7add, debug? 0, fault
address 0x00002302.

Error - 1/18/2010 4:37:50 PM | Computer Name = SBURKE1733 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winproj.exe, version 11.3.2009.1108, stamp 4968495f,
faulting module x5500pcl.dll, version 1.0.0.18, stamp 40ec7add, debug? 0, fault
address 0x00002302.

Error - 1/19/2010 1:40:58 PM | Computer Name = SBURKE1733 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 1/21/2010 4:46:27 PM | Computer Name = SBURKE1733 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 1/21/2010 4:47:15 PM | Computer Name = SBURKE1733 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 1/21/2010 5:19:19 PM | Computer Name = SBURKE1733 | Source = Microsoft Office 11 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Outlook.

Error - 1/21/2010 5:20:40 PM | Computer Name = SBURKE1733 | Source = Microsoft Office 11 | ID = 2000
Description = Accepted Safe Mode action : Microsoft Office Outlook.

Error - 1/22/2010 11:21:40 AM | Computer Name = SBURKE1733 | Source = MsiInstaller | ID = 11306
Description = Product: Crystal Reports 10 -- Error 1306. Another application has
exclusive access to the file 'C:\program files\common files\crystal decisions\2.5\bin\crexcel_en.xla'.
Please shut down all other applications, then click Retry.

[ System Events ]
Error - 1/22/2010 5:34:38 PM | Computer Name = SBURKE1733 | Source = Service Control Manager | ID = 7034
Description = The Machine Debug Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 1/22/2010 7:56:10 PM | Computer Name = SBURKE1733 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
iaStor

Error - 1/23/2010 8:52:24 AM | Computer Name = SBURKE1733 | Source = TermServDevices | ID = 1111
Description = Driver HP LaserJet 2300 Series PCL 5e required for printer West_HPLJ2300
is unknown. Contact the administrator to install the driver before you log in again.

Error - 1/23/2010 8:52:24 AM | Computer Name = SBURKE1733 | Source = TermServDevices | ID = 1111
Description = Driver HP Officejet Pro K550 Series required for printer HP Officejet
Pro K550 Series is unknown. Contact the administrator to install the driver before
you log in again.

Error - 1/23/2010 8:52:24 AM | Computer Name = SBURKE1733 | Source = TermServDevices | ID = 1111
Description = Driver HP Photosmart C3100 series required for printer HP Photosmart
C3100 series is unknown. Contact the administrator to install the driver before
you log in again.

Error - 1/23/2010 8:52:47 AM | Computer Name = SBURKE1733 | Source = TermServDevices | ID = 1111
Description = Driver PDFCreator required for printer PDFCreator is unknown. Contact
the administrator to install the driver before you log in again.

Error - 1/23/2010 8:53:46 AM | Computer Name = SBURKE1733 | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 00000004, parameter2 0000001c, parameter3
00000001, parameter4 80502386.

Error - 1/23/2010 8:54:13 AM | Computer Name = SBURKE1733 | Source = Print | ID = 22
Description = Failed to ugrade printer settings for printer \\printserver\Sales
Color,LocalOnly driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\UNIDRVUI.DLL error
5.

Error - 1/23/2010 8:54:19 AM | Computer Name = SBURKE1733 | Source = Print | ID = 22
Description = Failed to ugrade printer settings for printer \\printserver\Finance,LocalOnly
driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\UNIDRVUI.DLL error 5.

Error - 1/23/2010 8:54:19 AM | Computer Name = SBURKE1733 | Source = Print | ID = 22
Description = Failed to ugrade printer settings for printer \\printserver\Copy Room,LocalOnly
driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\UNIDRVUI.DLL error 5.


< End of report >


OTL logfile created on: 1/23/2010 8:03:10 AM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = O:\Sales\SBurke\Downloads\Geeks
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.41 Gb Total Space | 32.33 Gb Free Space | 43.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive N: | 273.40 Gb Total Space | 165.71 Gb Free Space | 60.61% Space Free | Partition Type: NTFS
Drive O: | 543.88 Gb Total Space | 169.24 Gb Free Space | 31.12% Space Free | Partition Type: NTFS

Computer Name: SBURKE1733
Current User Name: sburke
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\System32\sgvrfy32.exe
PRC - [2010/01/23 07:57:45 | 00,547,328 | ---- | M] (OldTimer Tools) -- O:\Sales\SBurke\Downloads\Geeks\OTL.exe
PRC - [2010/01/21 11:59:51 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/18 08:05:43 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/06/29 20:58:54 | 00,435,584 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
PRC - [2009/06/02 15:54:44 | 00,935,208 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
PRC - [2009/05/22 16:14:52 | 01,325,128 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2009/05/22 16:12:44 | 01,262,888 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
PRC - [2009/03/10 20:06:38 | 00,497,008 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
PRC - [2009/03/10 20:05:06 | 00,685,320 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
PRC - [2008/04/13 19:12:43 | 00,220,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logon.scr
PRC - [2008/04/13 19:12:32 | 00,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/20 03:42:23 | 00,495,616 | ---- | M] (Gadwin Systems, Inc) -- C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
PRC - [2007/01/23 02:58:04 | 00,133,968 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe
PRC - [2006/09/11 03:40:32 | 00,218,032 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2005/04/27 13:59:24 | 00,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe


========== Modules (SafeList) ==========

MOD - File not found -- C:\WINDOWS\System32\svrltmgr.dll
MOD - [2010/01/23 07:57:45 | 00,547,328 | ---- | M] (OldTimer Tools) -- O:\Sales\SBurke\Downloads\Geeks\OTL.exe
MOD - [2008/04/13 19:12:10 | 00,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll
MOD - [2008/04/13 19:12:09 | 00,053,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll
MOD - [2008/04/13 19:12:02 | 00,245,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll
MOD - [2008/04/13 19:12:02 | 00,080,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll
MOD - [2008/04/13 19:12:02 | 00,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll
MOD - [2008/04/13 19:12:01 | 00,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2008/04/13 19:12:01 | 00,011,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netrap.dll
MOD - [2008/04/13 19:11:52 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll
MOD - [2008/04/13 19:11:51 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- -- (System Event Dispatcher)
SRV - [2010/01/21 11:59:51 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/05/22 16:14:52 | 01,325,128 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe -- (tmlisten)
SRV - [2009/05/22 16:12:44 | 01,262,888 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe -- (ntrtscan)
SRV - [2009/03/10 20:06:38 | 00,497,008 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe -- (TmPfw)
SRV - [2009/03/10 20:05:06 | 00,685,320 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe -- (TmProxy)
SRV - [2008/06/02 11:02:37 | 00,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2007/07/11 08:33:28 | 00,069,632 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2007/01/23 02:58:04 | 00,133,968 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe -- (ASFAgent)
SRV - [2006/07/27 16:16:54 | 00,579,072 | ---- | M] (Numara Software, Inc.) [Disabled | Stopped] -- C:\WINDOWS\TIREMOTE\TIRemoteService.exe -- (TIRmtSvc)
SRV - [2006/07/27 16:05:18 | 00,311,374 | ---- | M] (Intuit Track-It!) [Disabled | Stopped] -- C:\WINDOWS\TIREMOTE\wuser32.exe -- (TIRmtCtl)
SRV - [2005/04/27 13:59:24 | 00,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2004/08/11 16:11:27 | 00,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2004/02/10 09:40:14 | 00,077,824 | ---- | M] (Hewlett-Packard Company) [On_Demand | Stopped] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE -- (HP Port Resolver)
SRV - [2004/02/10 09:40:10 | 00,073,728 | ---- | M] (Hewlett-Packard Company) [On_Demand | Stopped] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE -- (HP Status Server)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080525
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080525

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080525
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004/08/04 04:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [OE] C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\SBurke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1212089889000 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} http://sbs2003/viewe...tivexviewer.cab (Crystal Report Viewer Control)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://epicortraini...bex/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.16.2 192.168.16.45
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Mid-StateMachine.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: Ipxadgif - {CE03C942-6B65-40D4-BD24-475C44720870} - C:\WINDOWS\System32\vdorctrl.dll File not found
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/SBurke/LOCALS~1/Temp/msoclip1/01/clip_image002.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 16:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 16:02:12 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 14 Days ==========

File not found -- C:\WINDOWS\System32\wzodlg32.dll
File not found -- C:\WINDOWS\System32\vdorctrl.dll
File not found -- C:\WINDOWS\System32\svrltwp.dll
File not found -- C:\WINDOWS\System32\svrltmgr.dll
File not found -- C:\WINDOWS\System32\sgvrfy32.exe
File not found -- C:\WINDOWS\System32\cmproxfr.dll
[2010/01/22 16:42:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/22 16:39:58 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/22 08:09:07 | 00,000,000 | ---D | C] -- O:\Sales\SBurke\Misc backup 012209
[2010/01/21 15:31:48 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\SBurke\Recent
[2010/01/21 13:10:28 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/21 13:10:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/21 12:06:19 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/01/21 10:44:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/07/22 02:00:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/06/02 11:12:19 | 00,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[2004/08/11 16:06:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

File not found -- C:\WINDOWS\System32\wzodlg32.dll
File not found -- C:\WINDOWS\System32\vdorctrl.dll
File not found -- C:\WINDOWS\System32\svrltwp.dll
File not found -- C:\WINDOWS\System32\svrltmgr.dll
File not found -- C:\WINDOWS\System32\sgvrfy32.exe
File not found -- C:\WINDOWS\System32\cmproxfr.dll
[2010/01/23 07:52:26 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/23 07:22:05 | 00,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-143763752-3781861490-4224076503-1269UA.job
[2010/01/23 05:14:52 | 00,015,107 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2010/01/23 03:22:00 | 00,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-143763752-3781861490-4224076503-1269Core.job
[2010/01/22 18:55:04 | 00,000,031 | ---- | M] () -- C:\tmuninst.ini
[2010/01/22 18:54:26 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/22 18:54:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/22 16:40:51 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\NTREGOPT.lnk
[2010/01/22 16:40:51 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\ERUNT.lnk
[2010/01/22 16:18:59 | 05,505,024 | -H-- | M] () -- C:\Documents and Settings\SBurke\NTUSER.DAT
[2010/01/22 16:18:34 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\SBurke\ntuser.ini
[2010/01/22 10:28:32 | 00,198,552 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/22 10:21:45 | 00,007,161 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Services
[2010/01/22 10:16:24 | 00,004,354 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010/01/22 10:16:23 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/01/22 08:41:49 | 00,863,418 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\DWG D-HC-13210-C03 Rev 2.pdf
[2010/01/21 16:12:52 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/21 16:12:52 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/21 16:12:52 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2010/01/21 15:44:23 | 00,000,836 | ---- | M] () -- O:\Sales\SBurke\cc_20100121_153928.reg
[2010/01/21 15:37:07 | 00,003,862 | ---- | M] () -- O:\Sales\SBurke\cc_20100121_153212.reg
[2010/01/20 16:57:26 | 00,294,912 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSJ Inner Support Ring_1_20_10.mpp
[2010/01/20 10:07:09 | 00,262,144 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_20_10 rings_qty 64_PSJ.mpp
[2010/01/19 18:35:08 | 00,160,256 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_19_09rings_qty64.mpp
[2010/01/19 15:12:32 | 00,161,280 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_18_09rings.mpp
[2010/01/19 12:53:52 | 04,700,584 | -H-- | M] () -- C:\Documents and Settings\SBurke\Local Settings\Application Data\IconCache.db
[2010/01/18 12:48:12 | 00,000,310 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\Quote report.url
[2010/01/18 11:06:31 | 00,278,528 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_18_09bar.mpp
[2010/01/18 10:17:38 | 00,161,280 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_13_09rings.mpp
[2010/01/18 10:17:37 | 00,209,920 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_13_09.mpp
[2010/01/15 13:55:48 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\13-10 Body rework charges_MSM_1_15_10_NOV.xls
[2010/01/15 13:34:12 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\13-10 Body welding charges_MSM_1_15_10_SB.xls
[2010/01/13 07:37:06 | 00,174,592 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings_1_13_10.mpp
[2010/01/12 21:09:21 | 00,048,640 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\Attachment A - Cameron Mid-State Machine Shop RFQ 12022009_ref8774.xls
[2010/01/12 12:42:33 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSJ SUB.xls
[2010/01/11 18:22:31 | 00,000,185 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\Customer Supplied Material Not Received.url
[2010/01/11 18:22:21 | 00,048,128 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\PSJ open orders_1_11_10.xls
[2010/01/11 17:32:12 | 00,000,292 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\Open orders.url
[2010/01/11 13:59:12 | 00,017,408 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\Mid-State additional charges as of 12_08_09_PSJ Stators_DEC needs (6).xls
[2010/01/11 11:50:33 | 00,082,463 | ---- | M] () -- C:\Documents and Settings\SBurke\Desktop\test.xps

========== Files Created - No Company Name ==========

[2010/01/22 16:40:51 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\NTREGOPT.lnk
[2010/01/22 16:40:51 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\ERUNT.lnk
[2010/01/22 08:41:49 | 00,863,418 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\DWG D-HC-13210-C03 Rev 2.pdf
[2010/01/21 15:41:32 | 00,000,836 | ---- | C] () -- O:\Sales\SBurke\cc_20100121_153928.reg
[2010/01/21 15:32:35 | 00,003,862 | ---- | C] () -- O:\Sales\SBurke\cc_20100121_153212.reg
[2010/01/20 16:14:02 | 00,294,912 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSJ Inner Support Ring_1_20_10.mpp
[2010/01/20 09:46:05 | 00,262,144 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_20_10 rings_qty 64_PSJ.mpp
[2010/01/19 18:35:08 | 00,160,256 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_19_09rings_qty64.mpp
[2010/01/18 10:18:02 | 00,278,528 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_18_09bar.mpp
[2010/01/18 10:17:48 | 00,161,280 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_18_09rings.mpp
[2010/01/18 10:17:37 | 00,209,920 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_13_09.mpp
[2010/01/18 10:17:37 | 00,161,280 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings 1_13_09rings.mpp
[2010/01/15 13:52:15 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\13-10 Body rework charges_MSM_1_15_10_NOV.xls
[2010/01/15 13:28:36 | 00,023,552 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\13-10 Body welding charges_MSM_1_15_10_SB.xls
[2010/01/13 07:19:26 | 00,174,592 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSM Hook Rings_1_13_10.mpp
[2010/01/13 03:17:11 | 00,002,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/12 21:08:05 | 00,048,640 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\Attachment A - Cameron Mid-State Machine Shop RFQ 12022009_ref8774.xls
[2010/01/12 12:42:33 | 00,018,432 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSJ SUB.xls
[2010/01/11 17:33:07 | 00,048,128 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\PSJ open orders_1_11_10.xls
[2010/01/11 13:59:12 | 00,017,408 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\Mid-State additional charges as of 12_08_09_PSJ Stators_DEC needs (6).xls
[2010/01/11 11:50:23 | 00,082,463 | ---- | C] () -- C:\Documents and Settings\SBurke\Desktop\test.xps
[2009/10/13 14:58:27 | 00,005,735 | ---- | C] () -- C:\WINDOWS\cfgspyrt.ini
[2009/10/13 14:58:25 | 00,006,619 | ---- | C] () -- C:\WINDOWS\cfgrt.ini
[2009/03/09 17:43:40 | 00,005,832 | ---- | C] () -- C:\WINDOWS\cfgspyps.ini
[2009/03/09 17:43:39 | 00,006,684 | ---- | C] () -- C:\WINDOWS\cfgps.ini
[2009/01/27 09:24:22 | 00,000,225 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2009/01/23 16:33:16 | 00,000,078 | ---- | C] () -- C:\WINDOWS\FXEZQJV.INI
[2008/07/21 11:31:23 | 00,123,392 | ---- | C] () -- C:\WINDOWS\System32\nmcpusym.dll
[2008/06/24 16:00:17 | 00,006,559 | ---- | C] () -- C:\Documents and Settings\SBurke\Application Data\PrimoPDFSet.xml
[2008/06/24 16:00:16 | 00,000,224 | ---- | C] () -- C:\Documents and Settings\SBurke\Application Data\APUSet.xml
[2008/06/24 15:59:15 | 00,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/06/02 15:54:59 | 00,003,865 | ---- | C] () -- C:\WINDOWS\cfgrt_ex.ini
[2008/06/02 12:24:04 | 00,015,107 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2008/06/02 11:12:19 | 00,039,936 | ---- | C] () -- C:\WINDOWS\System32\dwlGina2.dll
[2008/06/02 11:12:17 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[2008/06/02 11:07:14 | 00,309,248 | ---- | C] () -- C:\WINDOWS\System32\erramchk.dll
[2008/06/02 11:02:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2008/06/02 10:59:18 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2008/06/02 10:42:32 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/06/02 10:42:31 | 00,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/06/02 10:42:27 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2008/05/30 08:26:57 | 00,000,151 | ---- | C] () -- C:\WINDOWS\System32\IC32.INI
[2008/05/25 15:36:22 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/25 15:34:27 | 00,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/25 15:16:13 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll
[2008/05/25 15:15:15 | 00,001,119 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/02/28 04:03:32 | 00,080,720 | ---- | C] () -- C:\WINDOWS\System32\AsfBios.dll
[2007/01/23 02:45:40 | 00,025,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\netamsg.dll
[2004/08/11 16:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 16:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2000/10/20 12:25:36 | 00,079,360 | ---- | C] () -- C:\WINDOWS\System32\acdbres.dll
[1999/01/22 13:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/06/30 07:15:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
[2009/07/10 11:42:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Epicor
[2008/12/17 13:24:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/06/02 12:26:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SBurke\Application Data\DassaultSystemes
[2008/06/17 13:36:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SBurke\Application Data\DWGeditor
[2008/06/17 14:01:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SBurke\Application Data\Fuji Xerox
[2008/06/02 12:26:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SBurke\Application Data\InterTrust
[2009/11/25 10:54:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SBurke\Application Data\SmartDraw
[2009/09/04 12:16:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SBurke\Application Data\webex

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2001/05/24 11:59:30 | 00,127,472 | ---- | M] () -- C:\UNWISE.EXE


< MD5 for: AGP440.SYS >
[2004/08/04 04:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 04:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/05/30 11:20:39 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/05/30 11:20:39 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\System32\drivers\agp440.sys
[2004/08/03 22:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 04:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 04:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/05/30 11:20:39 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/05/30 11:20:39 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2006/08/28 01:02:10 | 00,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\i386\atapi.sys
[2006/08/27 20:02:10 | 00,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\System32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 04:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/12/03 20:11:04 | 00,308,248 | ---- | M] (Intel Corporation) MD5=E5A0034847537EAEE3C00349D5C34C5F -- C:\drivers\storage\R173412\IaStor.sys
[2007/12/03 20:11:04 | 00,308,248 | ---- | M] (Intel Corporation) MD5=E5A0034847537EAEE3C00349D5C34C5F -- C:\i386\iaStor.sys
[2007/12/03 20:11:04 | 00,308,248 | ---- | M] (Intel Corporation) MD5=E5A0034847537EAEE3C00349D5C34C5F -- C:\WINDOWS\System32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 04:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
File not found Unable to obtain MD5 -- C:\WINDOWS\System32\cmproxfr.dll
[2010/01/05 05:00:20 | 00,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/01/05 05:00:21 | 00,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2010/01/05 05:00:24 | 00,192,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll
File not found Unable to obtain MD5 -- C:\WINDOWS\System32\svrltmgr.dll
File not found Unable to obtain MD5 -- C:\WINDOWS\System32\svrltwp.dll
File not found Unable to obtain MD5 -- C:\WINDOWS\System32\vdorctrl.dll
File not found Unable to obtain MD5 -- C:\WINDOWS\System32\wzodlg32.dll

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >
  • 0



#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK this is a new variant -

Let's use GMER to kill a running process and remove the file:
  • Open the gmer folder and double click gmer.exe to run the program
  • On starting GMER will run a short scan, allow it to complete this, then click No if it asks you to run a full scan.
  • Click on the > > > tab to open the menus

Posted Image

  • Click on the Processes tab

Posted Image

  • Scroll down until you find the following process (Note: This may be highlighted in red)

    C:\WINDOWS\System32\svrltmgr.dll

  • Click on the file path to Highlight it, then right click and choose Kill process, then agree to the confirmation

    Posted Image

Now that we have killed the process, let's remove the file:
  • Click on the Files tab

Posted Image


  • On the left hand side, Navigate to C:\WINDOWS\System32
  • Now on the right hand side, locate the file svrltmgr.dll

  • Click on the file to Highlight it, then click the Delete button on the right hand side.

    Posted Image

  • Click Yes to the confirmation
  • Click OK to exit the program

Then repeat the process for the following 5 files


C:\WINDOWS\System32\svrltwp.dll
C:\WINDOWS\System32\vdorctrl.dll
C:\WINDOWS\System32\wzodlg32.dll
C:\WINDOWS\System32\cmproxfr.dll
C:\WINDOWS\System32\svrltmgr.dll



Having done all that

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0
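The files the moderator singled out above were not guessed: they are the targets of load points that OTL reports as "File not found" (the O21 SSODL entry and the entries under Files/Folders Created), and the ComboFix log that follows adds firewall exceptions with generic descriptions and a deleted "System Event Dispatcher" service. The script below is an added example, not from the thread or from the OTL/ComboFix authors; it pulls those indicators out of log text so an analyst can cross-check them, and its sample input is constructed from lines quoted in this thread. The regexes, the `known_good` allow-list and the function names are assumptions for this example, not part of either tool.

```python
"""Triage helper for OTL / ComboFix style logs (added example, not from the thread).

It extracts three things the moderator's reply read by eye:
  * OTL load points (O-lines) whose target module is reported "File not found",
    and file-list lines that carry no metadata because the file is missing;
  * ComboFix GloballyOpenPorts entries whose description the analyst cannot
    account for (anything not in a caller-supplied allow-list);
  * evidence that System Restore has been switched off by policy, which is
    what the Malwarebytes "Windows.Tool.Disabled" hit in the first post refers to.
"""
import re

# OTL load point whose target is missing, e.g.
# "O21 - SSODL: Ipxadgif - {GUID} - C:\WINDOWS\System32\vdorctrl.dll File not found"
OTL_ORPHAN_RE = re.compile(r"^(O\d+) - (.+?) - ([A-Za-z]:\\.+?) File not found$")
# OTL file-list line with no metadata, e.g.
# "File not found -- C:\WINDOWS\System32\wzodlg32.dll"
# "File not found Unable to obtain MD5 -- C:\WINDOWS\System32\svrltmgr.dll"
OTL_MISSING_RE = re.compile(r"^File not found(?: Unable to obtain MD5)? -- ([A-Za-z]:\\.+)$")
# ComboFix firewall exception, e.g. '"65533:TCP"= 65533:TCP:Services'
CF_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"= \d+:(?:TCP|UDP):(.*)$')
# Malwarebytes / OTL wording that says System Restore is disabled by policy
SR_DISABLED_RE = re.compile(r"SystemRestore\\disableconfig|System Restore is disabled", re.IGNORECASE)


def orphan_load_points(lines):
    """(OTL section, entry text, path) for every load point whose target is missing."""
    out = []
    for line in lines:
        m = OTL_ORPHAN_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def missing_modules(lines):
    """Sorted, de-duplicated, lower-cased paths that are referenced but absent on disk."""
    found = set()
    for line in lines:
        line = line.strip()
        m = OTL_ORPHAN_RE.match(line) or OTL_MISSING_RE.match(line)
        if m:
            found.add(m.group(m.lastindex).lower())  # path is always the last group
    return sorted(found)


def unexplained_open_ports(lines, known_good=("Remote Desktop",)):
    """Firewall exceptions whose description is not in the analyst's allow-list."""
    out = []
    for line in lines:
        m = CF_PORT_RE.match(line.strip())
        if m and m.group(3).strip() not in known_good:
            out.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return out


def system_restore_disabled(lines):
    """True if any line shows System Restore turned off by policy."""
    return any(SR_DISABLED_RE.search(line) for line in lines)


def triage(lines):
    """Bundle the individual checks into one report dictionary."""
    return {
        "orphan_load_points": orphan_load_points(lines),
        "missing_modules": missing_modules(lines),
        "unexplained_open_ports": unexplained_open_ports(lines),
        "system_restore_disabled": system_restore_disabled(lines),
    }


# Sample input constructed from lines quoted in this thread (OTL and ComboFix output).
SAMPLE_LOG = r"""
O21 - SSODL: Ipxadgif - {CE03C942-6B65-40D4-BD24-475C44720870} - C:\WINDOWS\System32\vdorctrl.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
File not found -- C:\WINDOWS\System32\wzodlg32.dll
File not found -- C:\WINDOWS\System32\vdorctrl.dll
File not found Unable to obtain MD5 -- C:\WINDOWS\System32\svrltmgr.dll
Error starting restore point: System Restore is disabled.
"3389:TCP"= 3389:TCP:Remote Desktop
"2468:TCP"= 2468:TCP:System Event Dispatcher
"65533:TCP"= 65533:TCP:Services
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of the allow-list is that every firewall exception should be explainable; "Remote Desktop" on 3389 is expected on a managed workstation, while five entries all described only as "Services" and one pointing at a service ComboFix later removed are exactly what an analyst wants surfaced rather than buried in the log.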

#3
jpleau

jpleau

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks, this took a bit to accomplish. Below is the log file. -- Jill

ComboFix 10-01-24.05 - sburke 01/25/2010 10:45:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1672 [GMT -5:00]
Running from: c:\documents and settings\SBurke\Desktop\ComboFix.exe
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {9E49EEDB-B079-4B43-A88A-97086F9ABC2D}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9E49EEDB-B079-4B43-A88A-97086F9ABC2D}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSTEM_EVENT_DISPATCHER
-------\Service_System Event Dispatcher


((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-22 21:39 . 2010-01-22 21:42 -------- d-----w- c:\program files\ERUNT
2010-01-21 21:10 . 2010-01-21 21:10 -------- d-----w- c:\documents and settings\administrator.MSM\Application Data\Malwarebytes
2010-01-21 20:51 . 2010-01-21 20:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-21 17:06 . 2010-01-21 21:15 -------- d-----w- c:\program files\Microsoft
2010-01-21 17:00 . 2010-01-21 16:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-13 08:17 . 2010-01-13 08:17 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-13 05:11 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 16:59 . 2008-05-25 20:30 -------- d-----w- c:\program files\Java
2010-01-21 16:57 . 2010-01-21 16:57 152576 ----a-w- c:\documents and settings\SBurke\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-21 16:37 . 2010-01-21 16:37 79488 ----a-w- c:\documents and settings\SBurke\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-21 15:44 . 2008-05-30 17:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 14:46 . 2009-11-09 13:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 14:27 . 2008-06-24 11:07 -------- d-----w- c:\documents and settings\SBurke\Application Data\AdobeUM
2010-01-07 21:07 . 2009-11-09 13:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-11-09 13:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-11 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-11 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-11 21:00 17408 ------w- c:\windows\system32\corpol.dll
2009-11-21 15:51 . 2004-08-11 21:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-09 13:43 . 2009-11-09 13:43 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 495616]
"Google Update"="c:\documents and settings\SBurke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2009-06-02 935208]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-26 19:16 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 15:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 03:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-09-24 23:12 1036288 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-21 16:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"2468:TCP"= 2468:TCP:System Event Dispatcher
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"1832:TCP"= 1832:TCP:Services

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 2:58 AM 133968]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [3/24/2008 10:20 AM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [3/24/2008 10:20 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [3/24/2008 10:20 AM 335376]
S4 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [7/24/2008 4:08 PM 311374]
S4 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [7/24/2008 4:08 PM 579072]
S4 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\Trend Micro\Client Server Security Agent\TmPfw.exe [12/15/2008 8:43 PM 497008]
S4 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [12/15/2008 8:43 PM 685320]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-143763752-3781861490-4224076503-1269Core.job
- c:\documents and settings\SBurke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-02 21:13]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-143763752-3781861490-4224076503-1269UA.job
- c:\documents and settings\SBurke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-02 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
.
- - - - ORPHANS REMOVED - - - -

SSODL-Ipxadgif-{CE03C942-6B65-40D4-BD24-475C44720870} - c:\windows\system32\vdorctrl.dll
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-MSN Toolbar - c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
MSConfigStartUp-PMX Daemon - ICO.EXE
AddRemove-PROGRESS 9.1D Shared Network Installation - c:\program files\Progress Software Corporation\PROGRESS 9.1D Shared Network Installation\PSCshared.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 10:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2010-01-25 10:59:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 15:59

Pre-Run: 34,547,040,256 bytes free
Post-Run: 35,360,538,624 bytes free

- - End Of File - - 886559CDA683CF74D63FDA17B336A610

#4
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Looks a lot better now, so what are your current problems?

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#5
jpleau
    Member
  • Topic Starter
  • Member
  • 15 posts
Malwarebytes says it's good. The PC is still very slow. Would it help if I went through the ComboFix again? Thanks -- Jill

#6
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
No, it would not do anything this time, but what I shall do is remove my tools and give you a spring clean. Let me know how it is behaving after this.

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point. To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculations and then display a dialogue box with tabs.
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.


SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?
Keep safe :)

#7
jpleau
    Member
  • Topic Starter
  • Member
  • 15 posts
I will try the spring cleaning. Things seem pretty good now. Thanks again for your help, it's much appreciated. --Jill

#8
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Are you happy with the speed or do you want to tweak it a bit?

#9
jpleau
    Member
  • Topic Starter
  • Member
  • 15 posts
Well, it is not back to normal. What could be the issue?

#10
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
You could reduce the number of items running at start

To try and ease the startup try this

Download Startup Control Panel here
Install it and you will find a Startup icon in the Control Panel; run this.
  • In the HKLM tab, you may disable (be careful --> "disable") all the entries except your security software
  • In the HKCU tab, you may disable all entries.
  • In the StartUp tab, you may disable all entries.
Note: if you notice that some programs no longer run, you can enable them again by running Startup Control Panel, selecting the entry and choosing Run Now.
If you are in doubt with something, don't hesitate to ask :)
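
The three tabs Startup Control Panel offers correspond to the HKLM and HKCU Run keys and the Startup folders. The PowerShell script below is an added example, not from the thread or from the tool's author: it lists those same locations plus the msconfig startupreg key that appears in the ComboFix log, and marks entries that resolve outside the Windows and Program Files trees so they can be reviewed before anything is disabled. It assumes PowerShell 2.0 or later and is read-only.

```powershell
# Added example, not from the thread or from Startup Control Panel's author: a
# read-only inventory of the locations that tool shows as its HKLM, HKCU and
# StartUp tabs, plus the msconfig\startupreg key where XP parks entries that are
# already disabled (the SunJavaUpdateSched entry in the ComboFix log lives there).
# Assumes PowerShell 2.0 or later; nothing here changes the system.
$runKeys = @{
    'HKLM Run' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU Run' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
}
$disabledKey = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
# Metadata properties PowerShell attaches to every registry object; not real values.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function New-Entry([string]$Source, [string]$Name, [string]$Command) {
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Command = $Command }
}

$entries = @()
foreach ($k in $runKeys.GetEnumerator()) {
    if (-not (Test-Path $k.Value)) { continue }
    $values = (Get-ItemProperty -Path $k.Value).PSObject.Properties |
        Where-Object { $meta -notcontains $_.Name }
    foreach ($v in $values) { $entries += New-Entry $k.Key $v.Name ([string]$v.Value) }
}

# Startup folders for the current user and for all users = the StartUp tab.
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($f in (Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer })) {
        $entries += New-Entry "Folder $folder" $f.Name $f.FullName
    }
}

# Entries msconfig has already disabled; each subkey keeps the original command.
if (Test-Path $disabledKey) {
    foreach ($sub in Get-ChildItem -Path $disabledKey) {
        $cmd = [string](Get-ItemProperty -Path $sub.PSPath).command
        $entries += New-Entry 'msconfig disabled' $sub.PSChildName $cmd
    }
}

# Review hint, not a verdict: mark commands that do not resolve under the Windows
# or Program Files trees (vendor installs such as Java or Trend Micro sit inside them).
$trusted = @($env:SystemRoot, $env:ProgramFiles) | ForEach-Object { $_.ToLower() }
foreach ($e in $entries) {
    $cmd = [Environment]::ExpandEnvironmentVariables($e.Command).ToLower()
    $inside = @($trusted | Where-Object { $cmd.Contains($_) }).Count -gt 0
    $e | Add-Member -MemberType NoteProperty -Name OutsideTrustedDirs -Value (-not $inside)
}
$entries | Sort-Object Source, Name | Format-Table Source, Name, OutsideTrustedDirs, Command -AutoSize
```

Run it before and after working through the Startup Control Panel tabs to see exactly which entries were disabled and where each one was registered.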

#11
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.