Need help removing TROJ_CHEPVIL.CK

#1 Aristazi
Member, 266 posts

Hi, I'm looking for some help with a TrendMicro reported TROJ_CHEPVIL.CK.

My company runs Trend Micro Worry-Free Business Security 7.0 Service Pack 1. An employee from a different office (not running TrendMicro) hooked up his computer in our office today, and within a couple of hours I got a report from TM that a virus was found on his computer. TM was already installed on his computer because until about 8 months ago he was part of this office; he relocated to the other office, but now he's relocated back here again. It looks to me like TM did not install updates while he was at the other office, since they're released from our server here, but when he reconnected it updated, ran the scan, and reported what it found back to our server, which then gave me the report.

Here's the report from TrendMicro:
Viruses/Malware name: TROJ_CHEPVIL.CK
File name: Ticket-064-2011.zip (Ticket-064-2011.exe)
Path: C:\Documents and Settings\[Employee]\Local Settings\Temp\
Scan Type: Scheduled Scan
Action Taken: Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.

I spoke to the employee about his computer and he said that it sometimes gets slow, but mostly when he's running a lot of things on it or after some time. He normally shuts his computer off at night and turns it back on in the morning to help with the slowness. He said that occasionally he'll get a stop-script notice or error. He has a custom-built computer (brand labeled Nobilis), Pentium D/2.80GHz, 1 GB RAM, running Windows XP Service Pack 3.

ClamWin Free Antivirus was installed and running on his computer; I've removed it now so that it won't interfere with TrendMicro. After rebooting he noticed some "new icons" on his desktop that he did not put there; I've attached a screenshot. We've deleted the icons.
AdamH-unrecognized icons.gif

I'm a new student to GeekU so I'm looking at this from a learning perspective :) Can I just delete the file reported in the TrendMicro report, or should I be searching for a deeper-spread infection on this computer? Below is the OTL Quick Scan Report (for the security of the employee I've removed his name from the report, replacing it with "[Employee]").

OTL logfile created on: 2/13/2012 1:52:00 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\[Employee]\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.48 Mb Total Physical Memory | 614.54 Mb Available Physical Memory | 64.12% Memory free
2.26 Gb Paging File | 1.82 Gb Available in Paging File | 80.76% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.39 Gb Total Space | 15.89 Gb Free Space | 47.59% Space Free | Partition Type: NTFS

Computer Name: [EMPLOYEE]-XP | User Name: [Employee] | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/13 13:46:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\[Employee]\Desktop\OTL.exe
PRC - [2011/11/25 06:27:48 | 001,081,024 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
PRC - [2011/11/16 12:54:26 | 000,689,680 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2011/10/23 01:15:52 | 000,086,016 | ---- | M] (alch) -- C:\Program Files\ClamWin\bin\ClamTray.exe
PRC - [2011/10/17 07:41:42 | 000,133,424 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
PRC - [2011/09/27 01:32:18 | 000,196,512 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
PRC - [2011/08/16 01:26:46 | 000,142,952 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
PRC - [2011/07/07 19:31:08 | 000,259,848 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\BingApp.exe
PRC - [2011/07/07 19:31:06 | 000,391,944 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\BingBar.exe
PRC - [2011/06/15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2011/04/28 09:48:42 | 000,438,272 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe
PRC - [2010/10/29 15:12:22 | 001,652,736 | R--- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe
PRC - [2008/06/10 03:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/06/10 03:27:03 | 000,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/09 12:04:32 | 001,892,430 | ---- | M] (Toshiba America) -- C:\Program Files\Toshiba\Net Phone\netphone.exe
PRC - [2008/04/09 11:59:30 | 000,073,728 | ---- | M] (Computer Telephony Solutions) -- C:\Program Files\Toshiba\Net Phone\CTSppDialerEXE.exe
PRC - [2008/04/09 11:08:26 | 000,454,656 | ---- | M] (Toshiba America) -- C:\Program Files\Toshiba\Net Phone\npmsgpop.exe
PRC - [2007/07/16 12:07:52 | 000,094,208 | ---- | M] (Computer Telephony Solutions) -- C:\Program Files\Toshiba\Net Phone\CallHistoryExe.exe
PRC - [1999/09/30 20:31:38 | 000,869,376 | ---- | M] (Fred's Software) -- C:\Program Files\PrintKey2000\Printkey2000.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/16 12:37:40 | 000,126,976 | ---- | M] () -- C:\Program Files\Trend Micro\Client Server Security Agent\libTmHttpClient.dll
MOD - [2011/11/16 12:37:26 | 000,233,472 | ---- | M] () -- C:\Program Files\Trend Micro\Client Server Security Agent\libTmHttpServer.dll
MOD - [2011/10/05 08:15:22 | 000,174,624 | ---- | M] () -- C:\Program Files\Trend Micro\UniClient\plugins\LUADLL.dll
MOD - [2011/01/04 03:53:52 | 000,442,368 | ---- | M] () -- C:\Program Files\Trend Micro\AMSP\sqlite3.dll
MOD - [2011/01/04 03:53:52 | 000,057,344 | ---- | M] () -- C:\Program Files\Trend Micro\AMSP\boost_date_time-vc80-mt-1_36.dll
MOD - [2011/01/04 03:53:52 | 000,049,152 | ---- | M] () -- C:\Program Files\Trend Micro\AMSP\boost_thread-vc80-mt-1_36.dll
MOD - [2011/01/04 03:53:26 | 001,081,344 | ---- | M] () -- C:\Program Files\Trend Micro\AMSP\libprotobuf.dll
MOD - [2011/01/03 13:53:54 | 000,057,344 | ---- | M] () -- C:\Program Files\Trend Micro\Client Server Security Agent\boost_date_time-vc80-mt-1_36.dll
MOD - [2011/01/03 13:53:54 | 000,049,152 | ---- | M] () -- C:\Program Files\Trend Micro\Client Server Security Agent\boost_thread-vc80-mt-1_36.dll
MOD - [2009/05/26 20:06:28 | 000,913,408 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\yui.dll
MOD - [2005/04/05 09:57:16 | 000,061,440 | ---- | M] () -- C:\WINDOWS\system32\CTSMail.dll
MOD - [2005/02/08 17:23:10 | 000,979,005 | ---- | M] () -- C:\Program Files\ClamWin\bin\python23.dll
MOD - [2004/11/20 03:27:54 | 000,106,496 | ---- | M] () -- C:\Program Files\ClamWin\lib\shell.pyd
MOD - [2004/11/20 03:27:54 | 000,086,016 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32gui.pyd
MOD - [2004/11/20 03:27:54 | 000,077,824 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32file.pyd
MOD - [2004/11/20 03:27:54 | 000,069,632 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32api.pyd
MOD - [2004/11/20 03:27:54 | 000,065,536 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32security.pyd
MOD - [2004/11/20 03:27:54 | 000,036,864 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32process.pyd
MOD - [2004/11/20 03:27:54 | 000,024,576 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32pipe.pyd
MOD - [2004/11/20 03:27:54 | 000,024,576 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32event.pyd
MOD - [2004/10/11 20:22:18 | 000,315,392 | ---- | M] () -- C:\Program Files\ClamWin\lib\pythoncom23.dll
MOD - [2004/10/11 20:21:26 | 000,094,208 | ---- | M] () -- C:\Program Files\ClamWin\lib\pywintypes23.dll
MOD - [2004/05/25 21:20:30 | 000,036,864 | ---- | M] () -- C:\Program Files\ClamWin\lib\_winreg.pyd
MOD - [2004/05/25 21:19:32 | 000,045,117 | ---- | M] () -- C:\Program Files\ClamWin\lib\datetime.pyd
MOD - [2004/05/25 21:18:42 | 000,495,616 | ---- | M] () -- C:\Program Files\ClamWin\lib\_ssl.pyd
MOD - [2004/05/25 21:18:28 | 000,057,401 | ---- | M] () -- C:\Program Files\ClamWin\lib\_sre.pyd
MOD - [2004/05/25 21:18:20 | 000,049,212 | ---- | M] () -- C:\Program Files\ClamWin\lib\_socket.pyd
MOD - [2004/05/25 21:17:14 | 000,622,651 | ---- | M] () -- C:\Program Files\ClamWin\lib\_bsddb.pyd
MOD - [2004/01/15 14:45:22 | 000,061,440 | ---- | M] () -- C:\Program Files\ClamWin\lib\_ctypes.pyd
MOD - [2003/10/01 13:40:00 | 002,240,512 | ---- | M] () -- C:\Program Files\ClamWin\lib\wxc.pyd
MOD - [2003/10/01 11:43:02 | 003,239,936 | ---- | M] () -- C:\Program Files\ClamWin\lib\wxmsw24h.dll
MOD - [2003/08/10 09:14:40 | 000,061,440 | ---- | M] () -- C:\Program Files\ClamWin\lib\mxDateTime.pyd
MOD - [2001/10/28 15:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/11/16 12:54:26 | 000,689,680 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe -- (TmListen)
SRV - [2011/09/27 01:32:18 | 000,196,512 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe -- (Amsp)
SRV - [2011/07/07 19:31:08 | 000,195,336 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/06/15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2011/04/28 09:48:42 | 000,438,272 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Disabled | Running] -- -- (tmtdi)
DRV - File not found [Kernel | Unknown | Running] -- -- (TmPreFilter)
DRV - [2011/06/23 09:34:42 | 000,081,168 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2011/06/23 09:34:32 | 000,065,296 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2011/06/23 09:34:24 | 000,191,248 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010/09/30 15:59:48 | 000,341,072 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2009/03/25 05:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/04/13 16:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2005/09/23 17:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2001/09/14 09:35:58 | 000,027,519 | ---- | M] (Linksys) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USB100M.SYS -- (USB-100)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ecamarketing.com/page/home
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {22C7F6C6-8D67-4534-92B5-529A0EC09405}:5.8.0.1092

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\[Employee]\Application Data\Facebook\npfbplugin_1_0_3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/13 08:48:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/12 12:45:23 | 000,000,000 | ---D | M]

[2009/10/01 15:08:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\[Employee]\Application Data\Mozilla\Extensions
[2010/08/04 12:13:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\[Employee]\Application Data\Mozilla\Firefox\Profiles\ehbc7jkl.default\extensions
[2011/10/12 12:32:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/13 08:47:59 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/03/30 12:44:28 | 000,027,976 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
[2010/03/30 12:44:29 | 000,126,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
[2009/12/17 11:00:27 | 000,046,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\atmccli.dll
[2010/03/30 12:45:07 | 000,098,712 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2010/03/30 12:44:23 | 000,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2011/09/28 18:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/11 08:04:14 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/05/13 12:49:15 | 000,306,096 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10539 more lines...
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ClamWin] C:\Program Files\ClamWin\bin\ClamTray.exe (alch)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\[Employee]\Start Menu\Programs\Startup\connect eca.bat ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Net Phone.lnk = C:\Program Files\Toshiba\Net Phone\netphone.exe (Toshiba America)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe (Fred's Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {119CE688-A7E9-1941-8E10-F42990BBA4C4} https://fiserv.assur.../ASRrptview.cab (FISERV FIPSCO Report Viewer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1242241285578 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://avivausa.web...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.130.255.3 209.63.0.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{332A02B6-663C-4684-95EB-36AE244E7546}: DhcpNameServer = 67.152.160.87 209.98.204.98
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CDB7B9E5-9B98-4843-9CB9-7E4D38293F03}: DhcpNameServer = 204.130.255.3 209.63.0.6
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1242\6.6.1089\TmIEPlg.dll File not found
O18 - Protocol\Handler\tmtbim {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Client Server Security Agent\UIFrameWork\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/ADAM~1.HOR/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/13 11:25:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##bravoserver#office2007\Shell - "" = AutoRun
O33 - MountPoints2\##bravoserver#office2007\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##bravoserver#office2007\Shell\AutoRun\command - "" = Z:\SETUP.EXE
O33 - MountPoints2\##bravoserver#office2007\Shell\configure\command - "" = Z:\SETUP.EXE
O33 - MountPoints2\##bravoserver#office2007\Shell\install\command - "" = Z:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/13 13:51:44 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\[Employee]\Desktop\OTL.exe
[2012/02/13 09:10:37 | 000,341,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\TM_CFW.sys
[2012/02/13 09:02:38 | 000,191,248 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2012/02/13 09:02:38 | 000,081,168 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2012/02/13 09:02:38 | 000,065,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2012/02/13 09:00:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro Worry-Free Business Security Agent
[2012/02/13 08:57:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/02/10 12:42:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\[Employee]\My Documents\Downloads
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/13 13:46:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\[Employee]\Desktop\OTL.exe
[2012/02/13 08:57:39 | 000,435,688 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/13 08:57:39 | 000,068,584 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/13 08:41:46 | 000,018,804 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2012/02/13 08:35:20 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/13 08:32:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/10 21:52:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/10 14:17:00 | 000,000,218 | ---- | M] () -- C:\WINDOWS\tasks\JkDefrag.job
[2012/02/10 13:36:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/10 09:34:23 | 000,357,202 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Genworth.pdf
[2012/02/10 08:00:27 | 000,255,166 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Marriott Bonus Gold.pdf
[2012/02/09 13:07:22 | 000,184,794 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\08-413-1 (05-09) Agent Guide_agent guide.pdf
[2012/02/09 13:06:18 | 000,163,433 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\AAA8378 (12-11) Final.pdf
[2012/02/09 13:05:52 | 000,006,376 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Description2012020913053469.pdf
[2012/02/09 12:28:54 | 000,042,485 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Zach 10 year certain.pdf
[2012/02/09 12:28:05 | 000,039,722 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Zach Life and 10.pdf
[2012/02/09 11:16:21 | 000,065,727 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Good Illustration.pdf
[2012/02/09 10:45:11 | 000,255,180 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Marriott 51yr old.pdf
[2012/02/09 10:34:02 | 000,973,290 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Sentinel_Contract.pdf
[2012/02/09 10:33:06 | 000,255,277 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Girjis.pdf
[2012/02/09 10:28:17 | 000,666,746 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\FL Annuity Brochure.pdf
[2012/02/09 10:26:45 | 000,348,200 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\FL Rate Sheet.pdf
[2012/02/09 10:26:35 | 000,891,483 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\FL Annuity app pack .pdf
[2012/02/09 10:26:21 | 000,242,323 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\FL Quick Sheet.pdf
[2012/02/09 10:09:48 | 001,282,774 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\LIBR Flip chart.pdf
[2012/02/09 10:08:42 | 001,896,181 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\PeopleService.pdf
[2012/02/09 10:02:58 | 000,043,009 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Zietlow Life and 10.pdf
[2012/02/08 14:59:02 | 001,291,480 | ---- | M] () -- C:\Documents and Settings\[Employee]\Desktop\FFEC Free Report.pdf
[2012/02/08 13:33:59 | 001,406,532 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Director Application and disclosure with rider.pdf
[2012/02/08 09:48:37 | 000,962,547 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\LIBR Sale Brochure TX.pdf
[2012/02/08 09:48:20 | 001,327,654 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Sales Brochure TX.pdf
[2012/02/08 09:47:57 | 001,281,488 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Retirement Gold TX.pdf
[2012/02/08 09:12:05 | 000,098,630 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Sider.PDF
[2012/02/07 15:55:28 | 000,044,170 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\eca_myga_comparison.pdf
[2012/02/07 13:45:17 | 000,348,200 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\IA Personal Choice Annuity RATE SHEET.pdf
[2012/02/07 13:45:00 | 000,276,668 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\IA_AnnuityQuickSheet.pdf
[2012/02/07 13:44:39 | 000,987,676 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\IA_AppPack.pdf
[2012/02/07 12:31:46 | 000,627,778 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Equitrust.pdf
[2012/02/07 12:27:29 | 000,013,285 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Replacement.pdf
[2012/02/07 12:27:19 | 000,037,780 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Transfer or 1035.pdf
[2012/02/07 12:26:57 | 000,111,089 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Buyers Guide.pdf
[2012/02/07 12:26:46 | 000,045,074 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Disclosure.pdf
[2012/02/07 12:26:36 | 000,037,682 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Suitability.pdf
[2012/02/07 12:26:13 | 000,044,936 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Eleo Application.pdf
[2012/02/07 11:29:14 | 000,043,430 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\20 year certain Cole.pdf
[2012/02/07 11:28:09 | 000,043,496 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\15 yr certain Cole.pdf
[2012/02/07 11:27:07 | 000,043,429 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\10 year certain Cole.pdf
[2012/02/07 09:51:53 | 000,097,393 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Zietlow.PDF
[2012/02/07 09:24:17 | 000,255,288 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Huntoon 150k 50yr old.pdf
[2012/02/07 08:01:38 | 000,595,869 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\ING_Life.pdf
[2012/02/06 09:24:07 | 000,094,826 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Karzen.PDF
[2012/02/03 11:55:37 | 000,065,707 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Chapin 100k joint.pdf
[2012/02/03 11:52:42 | 000,065,607 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\chapin 100k 10 year deferr.pdf
[2012/02/03 09:43:13 | 000,540,102 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\365i product profile.pdf
[2012/02/03 09:42:32 | 000,570,531 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Income Maximizer.pdf
[2012/02/03 09:40:33 | 000,570,531 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Income Rider Maximizer.pdf
[2012/02/03 09:39:29 | 000,066,900 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Additional Riders page 365i.pdf
[2012/02/03 09:33:53 | 000,775,229 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz 365i Brochure.pdf
[2012/02/03 08:51:23 | 000,049,692 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Partial Withdrawal.pdf
[2012/02/03 08:39:08 | 000,255,195 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Bonus Gold 20k Mariott.pdf
[2012/02/03 08:38:14 | 000,255,161 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Bonus Gold 9k Marriott.pdf
[2012/02/02 14:09:32 | 000,775,862 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Liberty_Life_web_contract.pdf
[2012/02/02 14:07:53 | 000,372,078 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Liberty brochure and spec sheet.pdf
[2012/02/02 13:51:13 | 000,352,266 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Liberty app pack.pdf
[2012/02/02 12:34:27 | 000,004,879 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Leach income riders.pdf
[2012/02/02 12:26:31 | 000,856,032 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Leach Symetra deferr 4 years.pdf
[2012/02/02 12:14:40 | 000,092,865 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Secure American FL Leach.PDF
[2012/02/02 08:15:28 | 000,348,200 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Sentinel Personal Choice Annuity RATE SHEET.pdf
[2012/02/02 08:15:10 | 000,276,668 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\SSLANQS11-OT_AnnuityQuickSheet.pdf
[2012/02/02 08:14:32 | 000,670,340 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\IA Brochure.pdf
[2012/02/01 14:23:46 | 000,372,081 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Spec Sheet and Annuity Brochure.pdf
[2012/02/01 14:22:59 | 000,352,280 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Application Packet.pdf
[2012/02/01 13:44:44 | 000,019,265 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\North American Director.pdf
[2012/02/01 13:43:45 | 000,019,197 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\North American Flex III.pdf
[2012/02/01 13:42:45 | 000,019,193 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\North American Flex II.pdf
[2012/02/01 13:10:01 | 000,065,668 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Kevin Flex III Income.pdf
[2012/02/01 13:09:05 | 000,065,759 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Kevin Flex II Income.pdf
[2012/02/01 13:07:52 | 000,065,752 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Kevin Director Income.pdf
[2012/02/01 12:11:43 | 000,065,755 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Marie Flex III Income.pdf
[2012/02/01 12:10:01 | 000,065,757 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Marie Flex II Income.pdf
[2012/02/01 12:09:08 | 000,065,742 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Marie Director Income.pdf
[2012/02/01 10:25:43 | 000,065,697 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Heikenberry Flex III Income.pdf
[2012/02/01 10:24:59 | 000,065,697 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Heikenberry Flex II Income.pdf
[2012/02/01 10:24:15 | 000,065,693 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Heikenberry Director Income Rider.pdf
[2012/02/01 09:48:57 | 000,020,198 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Heikenberry Director.pdf
[2012/02/01 09:24:30 | 000,255,166 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\57 Female 9k Bonus Gold.pdf
[2012/02/01 09:23:27 | 000,255,237 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\59 male Bonus Gold.pdf
[2012/02/01 08:17:12 | 000,042,773 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Tangney Life and 5 63k.pdf
[2012/02/01 08:16:23 | 000,042,803 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Tangney Life and 10 63k.pdf
[2012/02/01 08:15:23 | 000,042,802 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Tangney Life and 10.pdf
[2012/02/01 08:14:32 | 000,042,773 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Tangney Life and 5.pdf
[2012/01/30 15:59:55 | 000,027,244 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Aviva 300k.pdf
[2012/01/30 15:50:55 | 000,223,696 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\American Equity 300k.pdf
[2012/01/30 15:44:56 | 000,098,998 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Great American 300k.PDF
[2012/01/30 12:27:25 | 000,288,317 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Pomerance Annuitize at 78.pdf
[2012/01/30 10:19:46 | 000,330,237 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\ECA_PRELIM_HIPAA.pdf
[2012/01/27 14:14:04 | 000,038,061 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Male 41 25k.pdf
[2012/01/27 14:13:26 | 000,036,645 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Male 41 50k annual.pdf
[2012/01/27 14:12:43 | 000,038,482 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Male 41 100k annual.pdf
[2012/01/27 14:10:47 | 000,038,721 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\F45 100k annual.pdf
[2012/01/27 14:08:37 | 000,038,080 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\F 25k annual.pdf
[2012/01/27 14:07:32 | 000,037,003 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Female 45 50k annual.pdf
[2012/01/27 14:03:36 | 000,039,135 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\45male 50k annual life only.pdf
[2012/01/27 13:59:13 | 000,038,865 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\18F 50k Annual Life only.pdf
[2012/01/27 13:30:13 | 000,098,484 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Great American 75k.PDF
[2012/01/27 13:29:52 | 000,098,402 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Great American 50k.PDF
[2012/01/27 11:10:42 | 000,429,703 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz Joine.pdf
[2012/01/27 11:08:53 | 000,429,505 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz.pdf
[2012/01/27 08:55:19 | 001,336,208 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\2012275502834654.pdf
[2012/01/27 08:12:08 | 000,041,009 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Principal Installment refund.pdf
[2012/01/27 08:09:13 | 000,100,853 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Cash refund american national.pdf
[2012/01/27 08:06:17 | 000,429,490 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz LIfe and 5 certain.pdf
[2012/01/27 07:59:39 | 000,429,458 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz Bruins.pdf
[2012/01/26 12:53:44 | 000,407,783 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Great_American_Contract.pdf
[2012/01/26 09:51:00 | 000,371,688 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Reliance_Standard.pdf
[2012/01/26 09:50:11 | 000,312,753 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Reliance Standard Eleos application.pdf
[2012/01/26 09:44:58 | 000,575,360 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Reliance Standard Eleos.pdf
[2012/01/26 08:25:51 | 000,384,043 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Principal.pdf
[2012/01/25 16:06:06 | 000,118,878 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Spec sheet.pdf
[2012/01/25 16:04:48 | 000,237,427 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Brochure.pdf
[2012/01/25 16:03:48 | 001,115,679 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Anico Citadel application.pdf
[2012/01/25 15:49:14 | 001,060,168 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz_Preferred.pdf
[2012/01/25 15:48:38 | 000,445,612 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\American_National.pdf
[2012/01/25 15:22:40 | 000,193,475 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Brokerage Life Interest Rates_February2012.pdf
[2012/01/25 15:16:01 | 001,013,568 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Prosperity Elite Series.pdf
[2012/01/25 15:14:53 | 000,541,040 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\4% and 6%.pdf
[2012/01/25 15:13:10 | 000,563,766 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\7% rider.pdf
[2012/01/25 15:12:37 | 000,979,952 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\ADV1013.pdf
[2012/01/25 12:24:46 | 000,096,625 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\1307146.pdf
[2012/01/25 11:03:27 | 000,000,227 | ---- | M] () -- C:\Documents and Settings\[Employee]\Desktop\MultiVantage5_Agent_Guide.pdf.url
[2012/01/25 11:03:23 | 000,000,231 | ---- | M] () -- C:\Documents and Settings\[Employee]\Desktop\MultiVantage5_Client_Brochure.pdf.url
[2012/01/25 11:03:13 | 000,000,230 | ---- | M] () -- C:\Documents and Settings\[Employee]\Desktop\MultiVantage5_Flier_5367_0511.pdf.url
[2012/01/25 10:05:44 | 000,036,231 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\9800 Life and 10.pdf
[2012/01/25 10:03:57 | 000,036,369 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\9800 Life and 5.pdf
[2012/01/25 10:03:09 | 000,036,624 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\9800 Life only.pdf
[2012/01/25 10:02:12 | 000,040,967 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\14523 Life and 5.pdf
[2012/01/25 10:00:44 | 000,039,705 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\14523 Life and 10.pdf
[2012/01/25 09:59:43 | 000,039,280 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\11435 Life and 10.pdf
[2012/01/25 09:58:51 | 000,039,671 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\11435 Life and 5.pdf
[2012/01/25 09:58:03 | 000,038,080 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\11435 life only.pdf
[2012/01/25 09:57:09 | 000,038,086 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\14523 life only.pdf
[2012/01/24 14:14:06 | 003,569,573 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\1122-SB-03.11.11.pdf
[2012/01/24 11:42:51 | 001,018,271 | ---- | M] () -- C:\Documents and Settings\[Employee]\Desktop\491000100 2012-01-13 082354 MasterDex 10 Plus App Kit.pdf
[2012/01/23 11:00:42 | 000,098,594 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Johnson Income Sustainer Plus 37k.PDF
[2012/01/23 11:00:11 | 000,098,760 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Johnson Income Sustainer Plus 74k.PDF
[2012/01/23 10:51:53 | 000,098,900 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Perkins Income Sustainer Plus.PDF
[2012/01/23 10:51:27 | 000,095,149 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Perkins Income Sustainer.PDF
[2012/01/23 10:50:53 | 000,082,503 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Perkins No riders.PDF
[2012/01/20 11:21:24 | 001,108,956 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Genworth Application.pdf
[2012/01/20 11:15:52 | 000,928,726 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\LSW.pdf
[2012/01/20 08:51:43 | 000,040,150 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\guide.pdf
[2012/01/19 16:42:35 | 000,008,817 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\Life and 10 year certain.pdf
[2012/01/19 16:40:46 | 000,008,253 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\10 year certain.pdf
[2012/01/19 15:26:22 | 000,710,124 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\FandG.pdf
[2012/01/19 14:30:36 | 000,501,964 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\B1080310NWSafeReturnBrochure1111.pdf
[2012/01/19 14:30:01 | 000,175,033 | ---- | M] () -- C:\Documents and Settings\[Employee]\My Documents\B6033111NW IncomeSustainer Plus Brochure.pdf
[2012/01/19 08:37:44 | 000,060,304 | ---- | M] () -- C:\Documents and Settings\[Employee]\g2mdlhlpx.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/10 09:34:23 | 000,357,202 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Genworth.pdf
[2012/02/10 08:00:23 | 000,255,166 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Marriott Bonus Gold.pdf
[2012/02/09 13:07:21 | 000,184,794 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\08-413-1 (05-09) Agent Guide_agent guide.pdf
[2012/02/09 13:06:16 | 000,163,433 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\AAA8378 (12-11) Final.pdf
[2012/02/09 13:05:51 | 000,006,376 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Description2012020913053469.pdf
[2012/02/09 12:28:54 | 000,042,485 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Zach 10 year certain.pdf
[2012/02/09 12:28:05 | 000,039,722 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Zach Life and 10.pdf
[2012/02/09 11:16:21 | 000,065,727 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Good Illustration.pdf
[2012/02/09 10:45:10 | 000,255,180 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Marriott 51yr old.pdf
[2012/02/09 10:34:02 | 000,973,290 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Sentinel_Contract.pdf
[2012/02/09 10:33:05 | 000,255,277 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Girjis.pdf
[2012/02/09 10:28:15 | 000,666,746 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\FL Annuity Brochure.pdf
[2012/02/09 10:26:45 | 000,348,200 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\FL Rate Sheet.pdf
[2012/02/09 10:26:32 | 000,891,483 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\FL Annuity app pack .pdf
[2012/02/09 10:26:21 | 000,242,323 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\FL Quick Sheet.pdf
[2012/02/09 10:09:48 | 001,282,774 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\LIBR Flip chart.pdf
[2012/02/09 10:08:36 | 001,896,181 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\PeopleService.pdf
[2012/02/09 10:02:58 | 000,043,009 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Zietlow Life and 10.pdf
[2012/02/08 14:59:02 | 001,291,480 | ---- | C] () -- C:\Documents and Settings\[Employee]\Desktop\FFEC Free Report.pdf
[2012/02/08 13:33:59 | 001,406,532 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Director Application and disclosure with rider.pdf
[2012/02/08 09:48:34 | 000,962,547 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\LIBR Sale Brochure TX.pdf
[2012/02/08 09:48:16 | 001,327,654 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Sales Brochure TX.pdf
[2012/02/08 09:47:52 | 001,281,488 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Retirement Gold TX.pdf
[2012/02/08 09:12:04 | 000,098,630 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Sider.PDF
[2012/02/07 13:45:16 | 000,348,200 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\IA Personal Choice Annuity RATE SHEET.pdf
[2012/02/07 13:45:00 | 000,276,668 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\IA_AnnuityQuickSheet.pdf
[2012/02/07 13:44:35 | 000,987,676 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\IA_AppPack.pdf
[2012/02/07 12:31:46 | 000,627,778 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Equitrust.pdf
[2012/02/07 12:27:29 | 000,013,285 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Replacement.pdf
[2012/02/07 12:27:19 | 000,037,780 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Transfer or 1035.pdf
[2012/02/07 12:26:57 | 000,111,089 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Buyers Guide.pdf
[2012/02/07 12:26:46 | 000,045,074 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Disclosure.pdf
[2012/02/07 12:26:36 | 000,037,682 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Suitability.pdf
[2012/02/07 12:26:12 | 000,044,936 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Eleo Application.pdf
[2012/02/07 11:29:14 | 000,043,430 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\20 year certain Cole.pdf
[2012/02/07 11:28:09 | 000,043,496 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\15 yr certain Cole.pdf
[2012/02/07 11:27:07 | 000,043,429 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\10 year certain Cole.pdf
[2012/02/07 09:51:52 | 000,097,393 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Zietlow.PDF
[2012/02/07 09:24:16 | 000,255,288 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Huntoon 150k 50yr old.pdf
[2012/02/07 08:01:38 | 000,595,869 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\ING_Life.pdf
[2012/02/06 09:01:31 | 000,094,826 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Karzen.PDF
[2012/02/03 11:55:37 | 000,065,707 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Chapin 100k joint.pdf
[2012/02/03 11:52:40 | 000,065,607 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\chapin 100k 10 year deferr.pdf
[2012/02/03 09:43:13 | 000,540,102 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\365i product profile.pdf
[2012/02/03 09:42:32 | 000,570,531 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Income Maximizer.pdf
[2012/02/03 09:40:33 | 000,570,531 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Income Rider Maximizer.pdf
[2012/02/03 09:39:29 | 000,066,900 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Additional Riders page 365i.pdf
[2012/02/03 09:33:50 | 000,775,229 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz 365i Brochure.pdf
[2012/02/03 08:51:23 | 000,049,692 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Partial Withdrawal.pdf
[2012/02/03 08:39:08 | 000,255,195 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Bonus Gold 20k Mariott.pdf
[2012/02/03 08:38:07 | 000,255,161 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Bonus Gold 9k Marriott.pdf
[2012/02/02 14:09:32 | 000,775,862 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Liberty_Life_web_contract.pdf
[2012/02/02 14:07:53 | 000,372,078 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Liberty brochure and spec sheet.pdf
[2012/02/02 13:51:13 | 000,352,266 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Liberty app pack.pdf
[2012/02/02 12:34:27 | 000,004,879 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Leach income riders.pdf
[2012/02/02 12:26:31 | 000,856,032 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Leach Symetra deferr 4 years.pdf
[2012/02/02 12:14:39 | 000,092,865 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Secure American FL Leach.PDF
[2012/02/02 08:15:27 | 000,348,200 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Sentinel Personal Choice Annuity RATE SHEET.pdf
[2012/02/02 08:15:09 | 000,276,668 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\SSLANQS11-OT_AnnuityQuickSheet.pdf
[2012/02/02 08:14:31 | 000,670,340 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\IA Brochure.pdf
[2012/02/01 14:23:46 | 000,372,081 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Spec Sheet and Annuity Brochure.pdf
[2012/02/01 14:22:59 | 000,352,280 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Application Packet.pdf
[2012/02/01 13:44:44 | 000,019,265 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\North American Director.pdf
[2012/02/01 13:43:45 | 000,019,197 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\North American Flex III.pdf
[2012/02/01 13:42:45 | 000,019,193 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\North American Flex II.pdf
[2012/02/01 13:10:01 | 000,065,668 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Kevin Flex III Income.pdf
[2012/02/01 13:09:04 | 000,065,759 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Kevin Flex II Income.pdf
[2012/02/01 13:07:52 | 000,065,752 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Kevin Director Income.pdf
[2012/02/01 12:11:43 | 000,065,755 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Marie Flex III Income.pdf
[2012/02/01 12:10:01 | 000,065,757 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Marie Flex II Income.pdf
[2012/02/01 12:09:08 | 000,065,742 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Marie Director Income.pdf
[2012/02/01 10:25:43 | 000,065,697 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Heikenberry Flex III Income.pdf
[2012/02/01 10:24:59 | 000,065,697 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Heikenberry Flex II Income.pdf
[2012/02/01 10:24:15 | 000,065,693 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Heikenberry Director Income Rider.pdf
[2012/02/01 09:48:57 | 000,020,198 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Heikenberry Director.pdf
[2012/02/01 09:24:30 | 000,255,166 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\57 Female 9k Bonus Gold.pdf
[2012/02/01 09:23:26 | 000,255,237 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\59 male Bonus Gold.pdf
[2012/02/01 08:17:12 | 000,042,773 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Tangney Life and 5 63k.pdf
[2012/02/01 08:16:23 | 000,042,803 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Tangney Life and 10 63k.pdf
[2012/02/01 08:15:23 | 000,042,802 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Tangney Life and 10.pdf
[2012/02/01 08:14:32 | 000,042,773 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Tangney Life and 5.pdf
[2012/01/30 15:59:55 | 000,027,244 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Aviva 300k.pdf
[2012/01/30 15:50:54 | 000,223,696 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\American Equity 300k.pdf
[2012/01/30 15:44:55 | 000,098,998 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Great American 300k.PDF
[2012/01/30 12:27:25 | 000,288,317 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Pomerance Annuitize at 78.pdf
[2012/01/30 10:19:44 | 000,330,237 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\ECA_PRELIM_HIPAA.pdf
[2012/01/27 14:14:04 | 000,038,061 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Male 41 25k.pdf
[2012/01/27 14:13:26 | 000,036,645 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Male 41 50k annual.pdf
[2012/01/27 14:12:43 | 000,038,482 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Male 41 100k annual.pdf
[2012/01/27 14:10:47 | 000,038,721 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\F45 100k annual.pdf
[2012/01/27 14:08:37 | 000,038,080 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\F 25k annual.pdf
[2012/01/27 14:07:32 | 000,037,003 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Female 45 50k annual.pdf
[2012/01/27 14:03:36 | 000,039,135 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\45male 50k annual life only.pdf
[2012/01/27 13:59:12 | 000,038,865 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\18F 50k Annual Life only.pdf
[2012/01/27 13:30:13 | 000,098,484 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Great American 75k.PDF
[2012/01/27 13:29:51 | 000,098,402 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Great American 50k.PDF
[2012/01/27 11:10:42 | 000,429,703 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz Joine.pdf
[2012/01/27 11:08:53 | 000,429,505 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz.pdf
[2012/01/27 08:55:19 | 001,336,208 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\2012275502834654.pdf
[2012/01/27 08:12:08 | 000,041,009 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Principal Installment refund.pdf
[2012/01/27 08:09:13 | 000,100,853 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Cash refund american national.pdf
[2012/01/27 08:06:17 | 000,429,490 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz LIfe and 5 certain.pdf
[2012/01/27 07:59:39 | 000,429,458 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz Bruins.pdf
[2012/01/26 12:53:44 | 000,407,783 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Great_American_Contract.pdf
[2012/01/26 09:51:00 | 000,371,688 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Reliance_Standard.pdf
[2012/01/26 09:50:11 | 000,312,753 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Reliance Standard Eleos application.pdf
[2012/01/26 09:44:56 | 000,575,360 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Reliance Standard Eleos.pdf
[2012/01/26 08:25:51 | 000,384,043 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Principal.pdf
[2012/01/25 16:06:06 | 000,118,878 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Spec sheet.pdf
[2012/01/25 16:04:48 | 000,237,427 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Brochure.pdf
[2012/01/25 16:03:48 | 001,115,679 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Anico Citadel application.pdf
[2012/01/25 15:49:14 | 001,060,168 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Allianz_Preferred.pdf
[2012/01/25 15:48:38 | 000,445,612 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\American_National.pdf
[2012/01/25 15:22:40 | 000,193,475 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Brokerage Life Interest Rates_February2012.pdf
[2012/01/25 15:16:01 | 001,013,568 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Prosperity Elite Series.pdf
[2012/01/25 15:14:53 | 000,541,040 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\4% and 6%.pdf
[2012/01/25 15:13:10 | 000,563,766 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\7% rider.pdf
[2012/01/25 15:12:37 | 000,979,952 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\ADV1013.pdf
[2012/01/25 12:24:46 | 000,096,625 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\1307146.pdf
[2012/01/25 11:03:27 | 000,000,227 | ---- | C] () -- C:\Documents and Settings\[Employee]\Desktop\MultiVantage5_Agent_Guide.pdf.url
[2012/01/25 11:03:23 | 000,000,231 | ---- | C] () -- C:\Documents and Settings\[Employee]\Desktop\MultiVantage5_Client_Brochure.pdf.url
[2012/01/25 11:03:13 | 000,000,230 | ---- | C] () -- C:\Documents and Settings\[Employee]\Desktop\MultiVantage5_Flier_5367_0511.pdf.url
[2012/01/25 10:05:44 | 000,036,231 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\9800 Life and 10.pdf
[2012/01/25 10:03:57 | 000,036,369 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\9800 Life and 5.pdf
[2012/01/25 10:03:09 | 000,036,624 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\9800 Life only.pdf
[2012/01/25 10:02:12 | 000,040,967 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\14523 Life and 5.pdf
[2012/01/25 10:00:44 | 000,039,705 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\14523 Life and 10.pdf
[2012/01/25 09:59:43 | 000,039,280 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\11435 Life and 10.pdf
[2012/01/25 09:58:51 | 000,039,671 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\11435 Life and 5.pdf
[2012/01/25 09:58:03 | 000,038,080 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\11435 life only.pdf
[2012/01/25 09:56:02 | 000,038,086 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\14523 life only.pdf
[2012/01/24 14:14:05 | 003,569,573 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\1122-SB-03.11.11.pdf
[2012/01/24 11:42:50 | 001,018,271 | ---- | C] () -- C:\Documents and Settings\[Employee]\Desktop\491000100 2012-01-13 082354 MasterDex 10 Plus App Kit.pdf
[2012/01/23 11:00:41 | 000,098,594 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Johnson Income Sustainer Plus 37k.PDF
[2012/01/23 11:00:10 | 000,098,760 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Johnson Income Sustainer Plus 74k.PDF
[2012/01/23 10:51:52 | 000,098,900 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Perkins Income Sustainer Plus.PDF
[2012/01/23 10:51:26 | 000,095,149 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Perkins Income Sustainer.PDF
[2012/01/23 10:50:52 | 000,082,503 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Perkins No riders.PDF
[2012/01/20 12:26:10 | 000,044,170 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\eca_myga_comparison.pdf
[2012/01/20 11:21:24 | 001,108,956 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Genworth Application.pdf
[2012/01/20 11:15:52 | 000,928,726 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\LSW.pdf
[2012/01/20 08:51:43 | 000,040,150 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\guide.pdf
[2012/01/19 16:42:35 | 000,008,817 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\Life and 10 year certain.pdf
[2012/01/19 16:40:46 | 000,008,253 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\10 year certain.pdf
[2012/01/19 15:26:22 | 000,710,124 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\FandG.pdf
[2012/01/19 14:30:36 | 000,501,964 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\B1080310NWSafeReturnBrochure1111.pdf
[2012/01/19 14:30:01 | 000,175,033 | ---- | C] () -- C:\Documents and Settings\[Employee]\My Documents\B6033111NW IncomeSustainer Plus Brochure.pdf
[2011/12/23 09:41:49 | 000,000,048 | ---- | C] () -- C:\WINDOWS\ACare.ini
[2011/12/23 09:41:43 | 000,000,242 | ---- | C] () -- C:\WINDOWS\SLasstcare.ini
[2011/12/12 14:52:47 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/09/12 08:35:06 | 000,000,027 | ---- | C] () -- C:\WINDOWS\INSDESK.INI
[2011/09/12 08:29:50 | 000,000,072 | ---- | C] () -- C:\WINDOWS\L&EAPPS.INI
[2011/08/18 23:33:53 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2010/12/29 09:39:26 | 000,164,864 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2010/08/16 10:35:29 | 000,005,910 | ---- | C] () -- C:\WINDOWS\cfgspyrt.ini
[2010/08/16 10:35:27 | 000,006,794 | ---- | C] () -- C:\WINDOWS\cfgrt.ini
[2010/08/11 14:29:49 | 000,006,007 | ---- | C] () -- C:\WINDOWS\cfgspyps.ini
[2010/08/11 14:29:45 | 000,006,859 | ---- | C] () -- C:\WINDOWS\cfgps.ini
[2010/07/21 10:52:52 | 000,000,068 | ---- | C] () -- C:\WINDOWS\pmlfo.ini
[2010/01/26 12:50:23 | 000,000,046 | ---- | C] () -- C:\WINDOWS\aisbma.ini
[2010/01/04 09:36:38 | 000,000,101 | ---- | C] () -- C:\WINDOWS\applink.ini
[2010/01/04 09:36:38 | 000,000,097 | ---- | C] () -- C:\WINDOWS\Utdsysap.ini
[2010/01/04 09:36:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tmp.ini
[2009/12/17 10:56:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/10/12 15:49:11 | 000,937,984 | ---- | C] () -- C:\WINDOWS\System32\CTS_G729A.dll
[2009/10/12 15:49:10 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\CTSMail.dll
[2009/10/01 14:35:05 | 000,018,804 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2009/05/13 13:05:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/05/13 12:54:43 | 000,000,476 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/13 12:45:46 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2009/05/13 11:28:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/05/13 11:22:24 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/05/13 06:15:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/05/13 06:14:23 | 000,266,208 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/03 11:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/04/14 04:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 06:00:00 | 000,435,688 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 06:00:00 | 000,068,584 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 06:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2009/10/12 15:52:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\[Employee]\Application Data\CTS
[2011/05/24 07:08:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\[Employee]\Application Data\WeatherBug
[2012/01/25 14:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\[Employee]\Application Data\webex
[2011/10/20 14:27:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\[Employee]\Application Data\{46E346C1-4789-4221-9206-F4B0BC9AAABC}
[2011/12/12 14:50:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2009/10/06 13:55:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LJZsoft
[2012/01/23 13:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Origin
[2010/07/12 12:34:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Penn Mutual Life
[2012/02/10 14:17:00 | 000,000,218 | ---- | M] () -- C:\WINDOWS\Tasks\JkDefrag.job

========== Purity Check ==========



< End of report >

Thank you!
Aristazi
  • 0

#2
RKinner

    Malware Expert

  • Expert
  • 19,796 posts
  • MVP
https://www.virustot...f90cd/analysis/

This is the fake NYC speeding ticket scam.

See:
http://www.spywarehe...et-email-virus/

for more details. (The site wants to get you to run their program. I'm just using it for the writeup.) The file you found is a zip that was attached to a SPAM email. You can delete it manually. (Don't know why Trend can't do it for you.) The question is: did he unzip the file and run it?

The OTL file looks OK so he probably didn't run it but ask him.

If he did or is not sure then I would give it the full treatment:

ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double-click on TDSSKiller.exe (Vista or Win 7 users must right-click and Run As Admin).
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.


Run TDSSKiller again but this time:
before you hit Scan, hit Change Parameters and check the two items under Additional Options. OK, then Scan.
In this mode it is prone to false positives, so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double-click the aswMBR.exe to run it.
Uncheck "trace disk IO calls".
Click the "Scan" button to start the scan.
On completion of the scan (note whether the Fix button is enabled (not the FixMBR button) and tell me), click Save log, save it to your desktop and post it in your next reply.



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

Ron
  • 0
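The triage Ron describes above (reading the OTL and ComboFix listings for signs that a mailed attachment was actually run) can be partly automated. The script below is an added example written for this thread; it is not part of the original post and is not code from OTL, ComboFix or Trend Micro. It parses the two line formats that appear in the logs here (OTL "Files Created" lines and ComboFix Run-key lines) and flags executables in the places a mailed dropper typically lands: temp directories, user profiles, the bare Windows root, or a Run entry that names no directory at all. The sample lines marked "constructed" are made up for the demonstration; the others are copied from the logs in this thread. The heuristics themselves, and the `\Users\` check for newer Windows versions, are my assumptions, not rules from any of the tools.

```python
"""Flag executables in suspicious locations from OTL and ComboFix log lines.

Added triage example for this thread. The path rules are heuristics chosen
for the demonstration (assumption), not rules from OTL, ComboFix or Trend.
"""
import re
from typing import List, Optional, Tuple

# OTL "Files Created/Modified" line, e.g.
# [2011/08/18 23:33:53 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
OTL_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Za-z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# ComboFix Run-key line, e.g.
# "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"'
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$"
)

# Extensions Windows will run directly when the user double-clicks them.
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd")


def parse_line(line: str) -> Optional[str]:
    """Return the file path carried by an OTL or ComboFix Run line, else None."""
    m = OTL_RE.match(line.strip()) or RUN_RE.match(line.strip())
    return m.group("path") if m else None


def classify(path: str) -> Optional[str]:
    """Return a reason string if the executable sits somewhere worth a second look."""
    p = path.lower().replace("/", "\\")
    if not p.endswith(EXEC_EXT):
        return None
    if "\\" not in p:
        # A Run entry with no directory is resolved through the search path,
        # so the name alone does not tell you which file actually starts.
        return "unqualified filename (resolved via search path)"
    if "\\temp\\" in p:
        # Where a double-clicked mail attachment is unpacked and executed from.
        return "executable in a temp directory"
    if "\\documents and settings\\" in p or "\\users\\" in p:
        # User-writable: needs no admin rights to drop a file here (assumption:
        # \Users\ covers Vista and later, which this XP thread does not show).
        return "executable under a user profile"
    if p.startswith("c:\\windows\\") and p.count("\\") == 2:
        # Directly in %WINDIR%, not System32: unusual for OS-shipped binaries.
        return "executable directly in the Windows root"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every line through the parsers and return (path, reason) hits in order."""
    hits = []
    for line in lines:
        path = parse_line(line)
        if path is None:
            continue
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


# Sample input: lines copied from the logs in this thread plus two constructed
# ones (marked) showing what a dropped attachment looks like in each format.
SAMPLE_LINES = [
    r"[2011/08/18 23:33:53 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe",
    r"[2010/12/29 09:39:26 | 000,164,864 | ---- | C] () -- C:\Program Files\UNWISE.EXE",
    r"[2009/03/03 11:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll",
    r"[2011/12/23 09:41:49 | 000,000,048 | ---- | C] () -- C:\WINDOWS\ACare.ini",
    # constructed line
    r"[2012/02/10 11:02:17 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Temp\invoice.exe",
    r'"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]',
    r'"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]',
    # constructed line
    r'"Updater"="c:\documents and settings\user\application data\updater.exe" [2012-02-01 40960]',
    "REGEDIT4",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES):
        print(f"{reason:45s} {path}")
```

Everything the script flags still needs a human look: RegBootClean.exe in the Windows root and the unqualified RTHDCPL entry are both flagged here, and both may be perfectly legitimate, which is exactly why the hits come back as "look at this" rather than "delete this".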

#3
Aristazi

    Member

  • Topic Starter
  • Member
  • 266 posts
Thank you Ron!
Yes, he couldn't remember whether he ran the file or not so I went ahead and ran through the scans as you suggested. The results look pretty good to me, but let me know if you see anything that needs to be dealt with. Here are the logs:

////////////////////
------COMBOFIX------
\\\\\\\\\\\\\\\\\\\\


ComboFix 12-02-21.02 - admin 02/21/2012 8:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.364 [GMT -6:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: Trend Micro Security Agent *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\[Employee]\g2mdlhlpx.exe
c:\documents and settings\[Employee]\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-01-21 to 2012-02-21 )))))))))))))))))))))))))))))))
.
.
2012-02-21 14:43 . 2012-02-21 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2012-02-16 19:25 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 19:25 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-16 14:58 . 2012-02-16 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2012-02-16 14:54 . 2012-02-16 14:54 -------- d-----w- c:\windows\Logs
2012-02-16 14:53 . 2012-02-16 14:53 -------- d-----w- c:\program files\AMD APP
2012-02-16 14:52 . 2011-12-20 07:39 100368 ----a-w- c:\windows\system32\drivers\AtihdXP3.sys
2012-02-16 14:52 . 2012-02-16 14:52 0 ----a-w- c:\windows\ativpsrm.bin
2012-02-16 14:50 . 2012-02-16 14:50 -------- d-----w- C:\AMD
2012-02-15 23:09 . 2001-08-17 19:47 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys
2012-02-15 23:09 . 2001-08-17 19:47 12928 ----a-w- c:\windows\system32\drivers\Dot4Prt.sys
2012-02-15 23:06 . 2012-02-16 14:52 -------- dc----w- c:\windows\system32\DRVSTORE
2012-02-15 23:06 . 2012-02-21 14:43 -------- d-----w- c:\program files\Hewlett-Packard
2012-02-15 23:06 . 2008-04-14 06:09 206976 -c--a-w- c:\windows\system32\dllcache\dot4.sys
2012-02-15 23:06 . 2008-04-14 06:09 206976 ----a-w- c:\windows\system32\drivers\Dot4.sys
2012-02-15 23:06 . 2001-08-17 19:47 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2012-02-15 23:06 . 2001-08-17 19:47 23808 ----a-w- c:\windows\system32\drivers\Dot4usb.sys
2012-02-15 22:40 . 2012-02-21 14:22 -------- d-----w- c:\documents and settings\admin
2012-02-14 15:07 . 2010-12-06 08:27 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2012-02-13 22:46 . 2012-02-13 22:45 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-02-13 22:46 . 2012-02-13 22:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-13 15:10 . 2010-09-30 21:59 341072 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2012-02-13 15:02 . 2011-06-23 15:34 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2012-02-13 15:02 . 2011-06-23 15:34 65296 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2012-02-13 15:02 . 2011-06-23 15:34 191248 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-13 22:45 . 2009-05-13 18:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-12-06 04:04 . 2011-12-06 04:04 59904 ----a-w- c:\windows\system32\OpenVideo.dll
2011-12-06 04:03 . 2011-12-06 04:03 54784 ----a-w- c:\windows\system32\OVDecode.dll
2011-12-06 04:03 . 2011-12-06 04:03 14499328 ----a-w- c:\windows\system32\amdocl.dll
2011-12-06 04:02 . 2011-12-06 04:02 44032 ----a-w- c:\windows\system32\OpenCL.dll
2011-11-25 21:57 . 2008-04-14 10:42 293376 ----a-w- c:\windows\system32\winsrv.dll
2001-09-29 00:00 . 2010-12-29 15:39 164864 ----a-w- c:\program files\UNWISE.EXE
2010-03-30 18:44 . 2009-12-17 17:00 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-03-30 18:44 . 2009-12-17 17:00 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-12-17 17:00 . 2009-12-17 17:00 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-03-30 18:45 . 2009-12-17 17:00 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-02-13 14:47 . 2011-10-12 18:32 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-22 . 5378E4A3DF2D44C71CCB5FE4D5FB8A0E . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-10-17 133424]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-06 98304]
.
c:\documents and settings\[Employee]\Start Menu\Programs\Startup\
connect eca.bat [2009-6-29 71]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Net Phone.lnk - c:\program files\Toshiba\Net Phone\netphone.exe [2009-10-12 1892430]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-5-13 869376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Toshiba\\Net Phone\\netphone.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/13/2012 9:02 AM 65296]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2/16/2012 8:52 AM 100368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/13/2012 9:10 AM 341072]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [2/13/2012 9:00 AM 196512]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter;c:\windows\system32\drivers\USB100M.SYS [5/13/2009 12:00 PM 27519]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NET_DRIVER_HPZ12
*NewlyCreated* - PML_DRIVER_HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2012-02-17 c:\windows\Tasks\JkDefrag.job
- C:\JkDefrag.exe [2009-05-14 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = about:blank
TCP: DhcpNameServer = 204.130.255.3 209.63.0.6
DPF: {119CE688-A7E9-1941-8E10-F42990BBA4C4} - hxxps://fiserv.assurity.com/reports/control/ASRrptview.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PDFLIB - c:\progra~1\COSSTEMP\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-21 08:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-02-21 09:00:45
ComboFix-quarantined-files.txt 2012-02-21 15:00
.
Pre-Run: 13,785,702,400 bytes free
Post-Run: 14,586,650,624 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D67FF739110DB2A39ADC28D5167AF2BE


////////////////////
----TDSSKiller#1----
\\\\\\\\\\\\\\\\\\\\

09:20:23.0318 2604 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
09:20:23.0803 2604 ============================================================
09:20:23.0803 2604 Current date / time: 2012/02/21 09:20:23.0803
09:20:23.0803 2604 SystemInfo:
09:20:23.0803 2604
09:20:23.0803 2604 OS Version: 5.1.2600 ServicePack: 3.0
09:20:23.0803 2604 Product type: Workstation
09:20:23.0803 2604 ComputerName: [Computer name]
09:20:23.0803 2604 UserName: admin
09:20:23.0803 2604 Windows directory: C:\WINDOWS
09:20:23.0803 2604 System windows directory: C:\WINDOWS
09:20:23.0803 2604 Processor architecture: Intel x86
09:20:23.0803 2604 Number of processors: 2
09:20:23.0803 2604 Page size: 0x1000
09:20:23.0803 2604 Boot type: Normal boot
09:20:23.0803 2604 ============================================================
09:20:25.0396 2604 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
09:20:25.0396 2604 \Device\Harddisk0\DR0:
09:20:25.0396 2604 MBR used
09:20:25.0396 2604 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x42C8808
09:20:25.0443 2604 Initialize success
09:20:25.0443 2604 ============================================================
09:20:41.0959 1392 ============================================================
09:20:41.0959 1392 Scan started
09:20:41.0959 1392 Mode: Manual;
09:20:41.0959 1392 ============================================================
09:20:42.0162 1392 Abiosdsk - ok
09:20:42.0193 1392 abp480n5 - ok
09:20:42.0240 1392 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:20:42.0256 1392 ACPI - ok
09:20:42.0318 1392 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:20:42.0318 1392 ACPIEC - ok
09:20:42.0350 1392 adpu160m - ok
09:20:42.0412 1392 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:20:42.0412 1392 aec - ok
09:20:42.0506 1392 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:20:42.0506 1392 AFD - ok
09:20:42.0537 1392 Aha154x - ok
09:20:42.0553 1392 aic78u2 - ok
09:20:42.0568 1392 aic78xx - ok
09:20:42.0600 1392 AliIde - ok
09:20:42.0631 1392 amsint - ok
09:20:42.0693 1392 asc - ok
09:20:42.0740 1392 asc3350p - ok
09:20:42.0787 1392 asc3550 - ok
09:20:42.0865 1392 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:20:42.0865 1392 AsyncMac - ok
09:20:42.0943 1392 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
09:20:42.0943 1392 atapi - ok
09:20:42.0959 1392 Atdisk - ok
09:20:43.0240 1392 ati2mtag (0997918a56a6e09ddf7bdfc0ebe8a99d) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
09:20:43.0287 1392 ati2mtag - ok
09:20:43.0396 1392 AtiHDAudioService (bd9ca8136738040d3257363ed12be693) C:\WINDOWS\system32\drivers\AtihdXP3.sys
09:20:43.0396 1392 AtiHDAudioService - ok
09:20:43.0443 1392 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:20:43.0443 1392 Atmarpc - ok
09:20:43.0506 1392 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:20:43.0506 1392 audstub - ok
09:20:43.0553 1392 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:20:43.0553 1392 Beep - ok
09:20:43.0693 1392 catchme - ok
09:20:43.0771 1392 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:20:43.0771 1392 cbidf2k - ok
09:20:43.0803 1392 cd20xrnt - ok
09:20:43.0834 1392 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:20:43.0850 1392 Cdaudio - ok
09:20:43.0896 1392 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:20:43.0912 1392 Cdfs - ok
09:20:43.0928 1392 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:20:43.0928 1392 Cdrom - ok
09:20:43.0959 1392 Changer - ok
09:20:44.0006 1392 CmdIde - ok
09:20:44.0053 1392 Cpqarray - ok
09:20:44.0115 1392 dac2w2k - ok
09:20:44.0162 1392 dac960nt - ok
09:20:44.0225 1392 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:20:44.0225 1392 Disk - ok
09:20:44.0303 1392 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:20:44.0303 1392 dmboot - ok
09:20:44.0365 1392 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:20:44.0365 1392 dmio - ok
09:20:44.0412 1392 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:20:44.0412 1392 dmload - ok
09:20:44.0475 1392 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:20:44.0475 1392 DMusic - ok
09:20:44.0553 1392 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
09:20:44.0553 1392 Dot4 - ok
09:20:44.0631 1392 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
09:20:44.0631 1392 Dot4Print - ok
09:20:44.0678 1392 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
09:20:44.0678 1392 dot4usb - ok
09:20:44.0709 1392 dpti2o - ok
09:20:44.0803 1392 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:20:44.0803 1392 drmkaud - ok
09:20:44.0896 1392 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:20:44.0896 1392 Fastfat - ok
09:20:44.0943 1392 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
09:20:44.0943 1392 Fdc - ok
09:20:44.0975 1392 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:20:44.0975 1392 Fips - ok
09:20:45.0006 1392 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
09:20:45.0006 1392 Flpydisk - ok
09:20:45.0037 1392 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
09:20:45.0053 1392 FltMgr - ok
09:20:45.0100 1392 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:20:45.0100 1392 Fs_Rec - ok
09:20:45.0131 1392 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:20:45.0131 1392 Ftdisk - ok
09:20:45.0225 1392 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:20:45.0225 1392 Gpc - ok
09:20:45.0271 1392 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:20:45.0287 1392 HDAudBus - ok
09:20:45.0350 1392 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:20:45.0350 1392 hidusb - ok
09:20:45.0381 1392 hpn - ok
09:20:45.0475 1392 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:20:45.0475 1392 HTTP - ok
09:20:45.0506 1392 i2omgmt - ok
09:20:45.0553 1392 i2omp - ok
09:20:45.0615 1392 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:20:45.0615 1392 i8042prt - ok
09:20:45.0678 1392 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:20:45.0678 1392 Imapi - ok
09:20:45.0693 1392 ini910u - ok
09:20:45.0881 1392 IntcAzAudAddService (a30685283f90ae02f1cd50972c6065e3) C:\WINDOWS\system32\drivers\RtkHDAud.sys
09:20:45.0912 1392 IntcAzAudAddService - ok
09:20:45.0959 1392 IntelIde - ok
09:20:46.0037 1392 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:20:46.0037 1392 intelppm - ok
09:20:46.0084 1392 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
09:20:46.0084 1392 Ip6Fw - ok
09:20:46.0146 1392 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:20:46.0146 1392 IpFilterDriver - ok
09:20:46.0178 1392 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:20:46.0178 1392 IpInIp - ok
09:20:46.0225 1392 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:20:46.0225 1392 IpNat - ok
09:20:46.0240 1392 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:20:46.0240 1392 IPSec - ok
09:20:46.0287 1392 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:20:46.0287 1392 IRENUM - ok
09:20:46.0334 1392 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:20:46.0334 1392 isapnp - ok
09:20:46.0381 1392 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:20:46.0381 1392 Kbdclass - ok
09:20:46.0412 1392 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:20:46.0412 1392 kbdhid - ok
09:20:46.0459 1392 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:20:46.0459 1392 kmixer - ok
09:20:46.0553 1392 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:20:46.0553 1392 KSecDD - ok
09:20:46.0584 1392 lbrtfdc - ok
09:20:46.0662 1392 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:20:46.0662 1392 mnmdd - ok
09:20:46.0709 1392 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:20:46.0709 1392 Modem - ok
09:20:46.0787 1392 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:20:46.0787 1392 Mouclass - ok
09:20:46.0850 1392 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:20:46.0850 1392 mouhid - ok
09:20:46.0896 1392 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:20:46.0896 1392 MountMgr - ok
09:20:46.0912 1392 mraid35x - ok
09:20:46.0928 1392 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:20:46.0928 1392 MRxDAV - ok
09:20:46.0990 1392 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:20:46.0990 1392 MRxSmb - ok
09:20:47.0021 1392 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:20:47.0021 1392 Msfs - ok
09:20:47.0084 1392 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:20:47.0084 1392 MSKSSRV - ok
09:20:47.0131 1392 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:20:47.0131 1392 MSPCLOCK - ok
09:20:47.0178 1392 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:20:47.0178 1392 MSPQM - ok
09:20:47.0240 1392 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:20:47.0240 1392 mssmbios - ok
09:20:47.0303 1392 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:20:47.0303 1392 Mup - ok
09:20:47.0350 1392 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:20:47.0350 1392 NDIS - ok
09:20:47.0412 1392 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:20:47.0412 1392 NdisTapi - ok
09:20:47.0443 1392 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:20:47.0443 1392 Ndisuio - ok
09:20:47.0475 1392 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:20:47.0475 1392 NdisWan - ok
09:20:47.0553 1392 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:20:47.0553 1392 NDProxy - ok
09:20:47.0615 1392 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:20:47.0615 1392 NetBIOS - ok
09:20:47.0662 1392 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:20:47.0662 1392 NetBT - ok
09:20:47.0740 1392 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:20:47.0740 1392 Npfs - ok
09:20:47.0803 1392 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:20:47.0803 1392 Ntfs - ok
09:20:47.0865 1392 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:20:47.0865 1392 Null - ok
09:20:47.0912 1392 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:20:47.0912 1392 NwlnkFlt - ok
09:20:47.0959 1392 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:20:47.0959 1392 NwlnkFwd - ok
09:20:48.0037 1392 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:20:48.0037 1392 Parport - ok
09:20:48.0068 1392 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:20:48.0068 1392 PartMgr - ok
09:20:48.0115 1392 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:20:48.0115 1392 ParVdm - ok
09:20:48.0146 1392 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:20:48.0146 1392 PCI - ok
09:20:48.0178 1392 PCIDump - ok
09:20:48.0225 1392 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:20:48.0225 1392 PCIIde - ok
09:20:48.0287 1392 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:20:48.0287 1392 Pcmcia - ok
09:20:48.0318 1392 PDCOMP - ok
09:20:48.0365 1392 PDFRAME - ok
09:20:48.0381 1392 PDRELI - ok
09:20:48.0443 1392 PDRFRAME - ok
09:20:48.0475 1392 perc2 - ok
09:20:48.0506 1392 perc2hib - ok
09:20:48.0584 1392 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:20:48.0584 1392 PptpMiniport - ok
09:20:48.0662 1392 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:20:48.0662 1392 PSched - ok
09:20:48.0709 1392 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:20:48.0709 1392 Ptilink - ok
09:20:48.0740 1392 ql1080 - ok
09:20:48.0787 1392 Ql10wnt - ok
09:20:48.0803 1392 ql12160 - ok
09:20:48.0850 1392 ql1240 - ok
09:20:48.0881 1392 ql1280 - ok
09:20:48.0912 1392 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:20:48.0912 1392 RasAcd - ok
09:20:48.0990 1392 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:20:48.0990 1392 Rasl2tp - ok
09:20:49.0021 1392 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:20:49.0021 1392 RasPppoe - ok
09:20:49.0053 1392 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:20:49.0053 1392 Raspti - ok
09:20:49.0100 1392 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:20:49.0100 1392 Rdbss - ok
09:20:49.0115 1392 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:20:49.0131 1392 RDPCDD - ok
09:20:49.0178 1392 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:20:49.0178 1392 rdpdr - ok
09:20:49.0240 1392 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:20:49.0256 1392 RDPWD - ok
09:20:49.0303 1392 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:20:49.0303 1392 redbook - ok
09:20:49.0350 1392 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
09:20:49.0365 1392 RTL8023xp - ok
09:20:49.0412 1392 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
09:20:49.0412 1392 rtl8139 - ok
09:20:49.0475 1392 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:20:49.0490 1392 Secdrv - ok
09:20:49.0521 1392 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:20:49.0521 1392 serenum - ok
09:20:49.0553 1392 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:20:49.0553 1392 Serial - ok
09:20:49.0600 1392 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:20:49.0600 1392 Sfloppy - ok
09:20:49.0631 1392 Simbad - ok
09:20:49.0693 1392 Sparrow - ok
09:20:49.0771 1392 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:20:49.0771 1392 splitter - ok
09:20:49.0818 1392 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:20:49.0818 1392 sr - ok
09:20:49.0865 1392 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:20:49.0865 1392 Srv - ok
09:20:49.0943 1392 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:20:49.0943 1392 swenum - ok
09:20:49.0990 1392 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:20:49.0990 1392 swmidi - ok
09:20:50.0037 1392 symc810 - ok
09:20:50.0068 1392 symc8xx - ok
09:20:50.0084 1392 sym_hi - ok
09:20:50.0131 1392 sym_u3 - ok
09:20:50.0209 1392 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:20:50.0209 1392 sysaudio - ok
09:20:50.0287 1392 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:20:50.0303 1392 Tcpip - ok
09:20:50.0350 1392 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:20:50.0350 1392 TDPIPE - ok
09:20:50.0412 1392 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:20:50.0412 1392 TDTCP - ok
09:20:50.0475 1392 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:20:50.0475 1392 TermDD - ok
09:20:50.0521 1392 tmactmon (39cfb66854b304b0f41c9c39f51700fe) C:\WINDOWS\system32\DRIVERS\tmactmon.sys
09:20:50.0537 1392 tmactmon - ok
09:20:50.0600 1392 tmcfw (0be90f3fc8ed04554fa3c391ab22f222) C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
09:20:50.0600 1392 tmcfw - ok
09:20:50.0646 1392 tmcomm (b17a44b3f65bca352c67ec78f641d901) C:\WINDOWS\system32\DRIVERS\tmcomm.sys
09:20:50.0646 1392 tmcomm - ok
09:20:50.0678 1392 tmevtmgr (88bdd265b0a455cde98fcd213d0595c5) C:\WINDOWS\system32\DRIVERS\tmevtmgr.sys
09:20:50.0678 1392 tmevtmgr - ok
09:20:50.0740 1392 tmtdi (71b409ed6b46ee213fc22b2d440234b8) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
09:20:50.0756 1392 tmtdi - ok
09:20:50.0787 1392 TosIde - ok
09:20:50.0865 1392 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:20:50.0865 1392 Udfs - ok
09:20:50.0881 1392 ultra - ok
09:20:50.0959 1392 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:20:50.0975 1392 Update - ok
09:20:51.0021 1392 USB-100 (945ee78a075d7a29e61e512f67c91a72) C:\WINDOWS\system32\DRIVERS\USB100M.SYS
09:20:51.0021 1392 USB-100 - ok
09:20:51.0084 1392 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:20:51.0084 1392 usbccgp - ok
09:20:51.0162 1392 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:20:51.0162 1392 usbehci - ok
09:20:51.0193 1392 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:20:51.0193 1392 usbhub - ok
09:20:51.0209 1392 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
09:20:51.0225 1392 usbohci - ok
09:20:51.0287 1392 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:20:51.0287 1392 usbprint - ok
09:20:51.0350 1392 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:20:51.0350 1392 USBSTOR - ok
09:20:51.0396 1392 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:20:51.0396 1392 usbuhci - ok
09:20:51.0475 1392 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:20:51.0475 1392 VgaSave - ok
09:20:51.0490 1392 ViaIde - ok
09:20:51.0553 1392 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:20:51.0553 1392 VolSnap - ok
09:20:51.0584 1392 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:20:51.0584 1392 Wanarp - ok
09:20:51.0615 1392 WDICA - ok
09:20:51.0693 1392 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:20:51.0693 1392 wdmaud - ok
09:20:51.0787 1392 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:20:51.0803 1392 WS2IFSL - ok
09:20:51.0834 1392 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
09:20:51.0959 1392 \Device\Harddisk0\DR0 - ok
09:20:51.0975 1392 Boot (0x1200) (ffadc36745fde7780ce6fc60573ff338) \Device\Harddisk0\DR0\Partition0
09:20:51.0975 1392 \Device\Harddisk0\DR0\Partition0 - ok
09:20:51.0975 1392 ============================================================
09:20:51.0975 1392 Scan finished
09:20:51.0975 1392 ============================================================
09:20:51.0990 2424 Detected object count: 0
09:20:51.0990 2424 Actual detected object count: 0
09:21:14.0834 0736 Deinitialize success


////////////////////
----TDSSKiller#2---- (no TDSS items to delete)
\\\\\\\\\\\\\\\\\\\\

09:21:54.0771 1012 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
09:21:55.0271 1012 ============================================================
09:21:55.0271 1012 Current date / time: 2012/02/21 09:21:55.0271
09:21:55.0271 1012 SystemInfo:
09:21:55.0271 1012
09:21:55.0271 1012 OS Version: 5.1.2600 ServicePack: 3.0
09:21:55.0271 1012 Product type: Workstation
09:21:55.0271 1012 ComputerName: [Computer Name]
09:21:55.0271 1012 UserName: admin
09:21:55.0271 1012 Windows directory: C:\WINDOWS
09:21:55.0271 1012 System windows directory: C:\WINDOWS
09:21:55.0271 1012 Processor architecture: Intel x86
09:21:55.0271 1012 Number of processors: 2
09:21:55.0271 1012 Page size: 0x1000
09:21:55.0271 1012 Boot type: Normal boot
09:21:55.0271 1012 ============================================================
09:21:56.0803 1012 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
09:21:56.0803 1012 \Device\Harddisk0\DR0:
09:21:56.0803 1012 MBR used
09:21:56.0803 1012 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x42C8808
09:21:56.0865 1012 Initialize success
09:21:56.0865 1012 ============================================================
09:22:12.0600 2544 ============================================================
09:22:12.0600 2544 Scan started
09:22:12.0600 2544 Mode: Manual; SigCheck; TDLFS;
09:22:12.0600 2544 ============================================================
09:22:12.0818 2544 Abiosdsk - ok
09:22:12.0850 2544 abp480n5 - ok
09:22:12.0912 2544 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:22:13.0271 2544 ACPI - ok
09:22:13.0396 2544 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:22:13.0568 2544 ACPIEC - ok
09:22:13.0631 2544 adpu160m - ok
09:22:13.0693 2544 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:22:13.0834 2544 aec - ok
09:22:13.0928 2544 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:22:13.0975 2544 AFD - ok
09:22:14.0006 2544 Aha154x - ok
09:22:14.0037 2544 aic78u2 - ok
09:22:14.0084 2544 aic78xx - ok
09:22:14.0131 2544 AliIde - ok
09:22:14.0146 2544 amsint - ok
09:22:14.0193 2544 asc - ok
09:22:14.0225 2544 asc3350p - ok
09:22:14.0256 2544 asc3550 - ok
09:22:14.0334 2544 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:22:14.0475 2544 AsyncMac - ok
09:22:14.0568 2544 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
09:22:14.0725 2544 atapi - ok
09:22:14.0818 2544 Atdisk - ok
09:22:15.0053 2544 ati2mtag (0997918a56a6e09ddf7bdfc0ebe8a99d) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
09:22:15.0303 2544 ati2mtag - ok
09:22:15.0428 2544 AtiHDAudioService (bd9ca8136738040d3257363ed12be693) C:\WINDOWS\system32\drivers\AtihdXP3.sys
09:22:15.0475 2544 AtiHDAudioService - ok
09:22:15.0553 2544 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:22:15.0709 2544 Atmarpc - ok
09:22:15.0834 2544 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:22:15.0990 2544 audstub - ok
09:22:16.0084 2544 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:22:16.0225 2544 Beep - ok
09:22:16.0350 2544 catchme - ok
09:22:16.0459 2544 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:22:16.0615 2544 cbidf2k - ok
09:22:16.0646 2544 cd20xrnt - ok
09:22:16.0678 2544 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:22:16.0834 2544 Cdaudio - ok
09:22:16.0959 2544 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:22:17.0115 2544 Cdfs - ok
09:22:17.0178 2544 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:22:17.0334 2544 Cdrom - ok
09:22:17.0412 2544 Changer - ok
09:22:17.0443 2544 CmdIde - ok
09:22:17.0475 2544 Cpqarray - ok
09:22:17.0490 2544 dac2w2k - ok
09:22:17.0506 2544 dac960nt - ok
09:22:17.0568 2544 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:22:17.0725 2544 Disk - ok
09:22:17.0834 2544 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:22:18.0006 2544 dmboot - ok
09:22:18.0115 2544 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:22:18.0271 2544 dmio - ok
09:22:18.0334 2544 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:22:18.0490 2544 dmload - ok
09:22:18.0600 2544 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:22:18.0756 2544 DMusic - ok
09:22:18.0834 2544 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
09:22:18.0990 2544 Dot4 - ok
09:22:19.0115 2544 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
09:22:19.0256 2544 Dot4Print - ok
09:22:19.0334 2544 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
09:22:19.0490 2544 dot4usb - ok
09:22:19.0568 2544 dpti2o - ok
09:22:19.0631 2544 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:22:19.0771 2544 drmkaud - ok
09:22:19.0896 2544 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:22:20.0053 2544 Fastfat - ok
09:22:20.0131 2544 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
09:22:20.0271 2544 Fdc - ok
09:22:20.0396 2544 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:22:20.0553 2544 Fips - ok
09:22:20.0678 2544 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
09:22:20.0834 2544 Flpydisk - ok
09:22:20.0896 2544 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
09:22:21.0053 2544 FltMgr - ok
09:22:21.0146 2544 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:22:21.0303 2544 Fs_Rec - ok
09:22:21.0428 2544 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:22:21.0584 2544 Ftdisk - ok
09:22:21.0693 2544 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:22:21.0850 2544 Gpc - ok
09:22:21.0975 2544 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:22:22.0146 2544 HDAudBus - ok
09:22:22.0287 2544 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:22:22.0428 2544 hidusb - ok
09:22:22.0521 2544 hpn - ok
09:22:22.0584 2544 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:22:22.0631 2544 HTTP - ok
09:22:22.0678 2544 i2omgmt - ok
09:22:22.0740 2544 i2omp - ok
09:22:22.0818 2544 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:22:22.0990 2544 i8042prt - ok
09:22:23.0068 2544 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:22:23.0225 2544 Imapi - ok
09:22:23.0271 2544 ini910u - ok
09:22:23.0443 2544 IntcAzAudAddService (a30685283f90ae02f1cd50972c6065e3) C:\WINDOWS\system32\drivers\RtkHDAud.sys
09:22:23.0600 2544 IntcAzAudAddService - ok
09:22:23.0662 2544 IntelIde - ok
09:22:23.0709 2544 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:22:23.0865 2544 intelppm - ok
09:22:23.0912 2544 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
09:22:24.0068 2544 Ip6Fw - ok
09:22:24.0193 2544 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:22:24.0334 2544 IpFilterDriver - ok
09:22:24.0428 2544 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:22:24.0584 2544 IpInIp - ok
09:22:24.0631 2544 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:22:24.0803 2544 IpNat - ok
09:22:24.0896 2544 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:22:25.0068 2544 IPSec - ok
09:22:25.0131 2544 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:22:25.0225 2544 IRENUM - ok
09:22:25.0365 2544 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:22:25.0521 2544 isapnp - ok
09:22:25.0615 2544 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:22:25.0787 2544 Kbdclass - ok
09:22:25.0850 2544 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:22:25.0990 2544 kbdhid - ok
09:22:26.0053 2544 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:22:26.0209 2544 kmixer - ok
09:22:26.0334 2544 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:22:26.0396 2544 KSecDD - ok
09:22:26.0412 2544 lbrtfdc - ok
09:22:26.0475 2544 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:22:26.0631 2544 mnmdd - ok
09:22:26.0725 2544 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:22:26.0881 2544 Modem - ok
09:22:26.0990 2544 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:22:27.0162 2544 Mouclass - ok
09:22:27.0240 2544 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:22:27.0396 2544 mouhid - ok
09:22:27.0506 2544 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:22:27.0662 2544 MountMgr - ok
09:22:27.0709 2544 mraid35x - ok
09:22:27.0740 2544 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:22:27.0896 2544 MRxDAV - ok
09:22:28.0037 2544 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:22:28.0100 2544 MRxSmb - ok
09:22:28.0146 2544 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:22:28.0303 2544 Msfs - ok
09:22:28.0381 2544 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:22:28.0521 2544 MSKSSRV - ok
09:22:28.0584 2544 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:22:28.0740 2544 MSPCLOCK - ok
09:22:28.0865 2544 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:22:29.0021 2544 MSPQM - ok
09:22:29.0115 2544 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:22:29.0271 2544 mssmbios - ok
09:22:29.0381 2544 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:22:29.0428 2544 Mup - ok
09:22:29.0475 2544 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:22:29.0631 2544 NDIS - ok
09:22:29.0756 2544 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:22:29.0787 2544 NdisTapi - ok
09:22:29.0896 2544 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:22:30.0068 2544 Ndisuio - ok
09:22:30.0115 2544 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:22:30.0287 2544 NdisWan - ok
09:22:30.0350 2544 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:22:30.0381 2544 NDProxy - ok
09:22:30.0459 2544 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:22:30.0615 2544 NetBIOS - ok
09:22:30.0662 2544 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:22:30.0818 2544 NetBT - ok
09:22:30.0975 2544 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:22:31.0131 2544 Npfs - ok
09:22:31.0271 2544 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:22:31.0443 2544 Ntfs - ok
09:22:31.0553 2544 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:22:31.0709 2544 Null - ok
09:22:31.0787 2544 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:22:31.0928 2544 NwlnkFlt - ok
09:22:32.0021 2544 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:22:32.0178 2544 NwlnkFwd - ok
09:22:32.0287 2544 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:22:32.0459 2544 Parport - ok
09:22:32.0506 2544 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:22:32.0662 2544 PartMgr - ok
09:22:32.0725 2544 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:22:32.0865 2544 ParVdm - ok
09:22:32.0990 2544 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:22:33.0162 2544 PCI - ok
09:22:33.0240 2544 PCIDump - ok
09:22:33.0287 2544 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:22:33.0443 2544 PCIIde - ok
09:22:33.0537 2544 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:22:33.0693 2544 Pcmcia - ok
09:22:33.0725 2544 PDCOMP - ok
09:22:33.0756 2544 PDFRAME - ok
09:22:33.0787 2544 PDRELI - ok
09:22:33.0803 2544 PDRFRAME - ok
09:22:33.0834 2544 perc2 - ok
09:22:33.0850 2544 perc2hib - ok
09:22:33.0943 2544 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:22:34.0100 2544 PptpMiniport - ok
09:22:34.0162 2544 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:22:34.0318 2544 PSched - ok
09:22:34.0443 2544 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:22:34.0600 2544 Ptilink - ok
09:22:34.0678 2544 ql1080 - ok
09:22:34.0693 2544 Ql10wnt - ok
09:22:34.0740 2544 ql12160 - ok
09:22:34.0756 2544 ql1240 - ok
09:22:34.0803 2544 ql1280 - ok
09:22:34.0850 2544 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:22:35.0021 2544 RasAcd - ok
09:22:35.0100 2544 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:22:35.0256 2544 Rasl2tp - ok
09:22:35.0381 2544 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:22:35.0553 2544 RasPppoe - ok
09:22:35.0646 2544 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:22:35.0803 2544 Raspti - ok
09:22:35.0928 2544 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:22:36.0100 2544 Rdbss - ok
09:22:36.0178 2544 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:22:36.0334 2544 RDPCDD - ok
09:22:36.0459 2544 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:22:36.0615 2544 rdpdr - ok
09:22:36.0740 2544 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:22:36.0771 2544 RDPWD - ok
09:22:36.0818 2544 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:22:36.0990 2544 redbook - ok
09:22:37.0131 2544 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
09:22:37.0209 2544 RTL8023xp - ok
09:22:37.0303 2544 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
09:22:37.0459 2544 rtl8139 - ok
09:22:37.0553 2544 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:22:37.0631 2544 Secdrv - ok
09:22:37.0709 2544 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:22:37.0881 2544 serenum - ok
09:22:37.0990 2544 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:22:38.0146 2544 Serial - ok
09:22:38.0209 2544 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:22:38.0381 2544 Sfloppy - ok
09:22:38.0475 2544 Simbad - ok
09:22:38.0506 2544 Sparrow - ok
09:22:38.0537 2544 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:22:38.0693 2544 splitter - ok
09:22:38.0787 2544 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:22:38.0881 2544 sr - ok
09:22:38.0975 2544 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:22:39.0021 2544 Srv - ok
09:22:39.0100 2544 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:22:39.0256 2544 swenum - ok
09:22:39.0334 2544 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:22:39.0475 2544 swmidi - ok
09:22:39.0584 2544 symc810 - ok
09:22:39.0615 2544 symc8xx - ok
09:22:39.0646 2544 sym_hi - ok
09:22:39.0662 2544 sym_u3 - ok
09:22:39.0725 2544 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:22:39.0881 2544 sysaudio - ok
09:22:39.0990 2544 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:22:40.0021 2544 Tcpip - ok
09:22:40.0084 2544 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:22:40.0240 2544 TDPIPE - ok
09:22:40.0303 2544 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:22:40.0443 2544 TDTCP - ok
09:22:40.0521 2544 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:22:40.0678 2544 TermDD - ok
09:22:40.0803 2544 tmactmon (39cfb66854b304b0f41c9c39f51700fe) C:\WINDOWS\system32\DRIVERS\tmactmon.sys
09:22:40.0818 2544 tmactmon - ok
09:22:40.0865 2544 tmcfw (0be90f3fc8ed04554fa3c391ab22f222) C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
09:22:40.0881 2544 tmcfw - ok
09:22:40.0912 2544 tmcomm (b17a44b3f65bca352c67ec78f641d901) C:\WINDOWS\system32\DRIVERS\tmcomm.sys
09:22:40.0928 2544 tmcomm - ok
09:22:40.0959 2544 tmevtmgr (88bdd265b0a455cde98fcd213d0595c5) C:\WINDOWS\system32\DRIVERS\tmevtmgr.sys
09:22:40.0975 2544 tmevtmgr - ok
09:22:41.0006 2544 tmtdi (71b409ed6b46ee213fc22b2d440234b8) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
09:22:41.0021 2544 tmtdi - ok
09:22:41.0037 2544 TosIde - ok
09:22:41.0115 2544 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:22:41.0271 2544 Udfs - ok
09:22:41.0303 2544 ultra - ok
09:22:41.0396 2544 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:22:41.0553 2544 Update - ok
09:22:41.0693 2544 USB-100 (945ee78a075d7a29e61e512f67c91a72) C:\WINDOWS\system32\DRIVERS\USB100M.SYS
09:22:41.0693 2544 USB-100 ( UnsignedFile.Multi.Generic ) - warning
09:22:41.0693 2544 USB-100 - detected UnsignedFile.Multi.Generic (1)
09:22:41.0756 2544 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:22:41.0912 2544 usbccgp - ok
09:22:42.0037 2544 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:22:42.0193 2544 usbehci - ok
09:22:42.0303 2544 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:22:42.0459 2544 usbhub - ok
09:22:42.0506 2544 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
09:22:42.0662 2544 usbohci - ok
09:22:42.0771 2544 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:22:42.0928 2544 usbprint - ok
09:22:42.0990 2544 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:22:43.0146 2544 USBSTOR - ok
09:22:43.0256 2544 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:22:43.0412 2544 usbuhci - ok
09:22:43.0490 2544 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:22:43.0646 2544 VgaSave - ok
09:22:43.0740 2544 ViaIde - ok
09:22:43.0787 2544 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:22:43.0943 2544 VolSnap - ok
09:22:44.0006 2544 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:22:44.0178 2544 Wanarp - ok
09:22:44.0256 2544 WDICA - ok
09:22:44.0318 2544 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:22:44.0475 2544 wdmaud - ok
09:22:44.0631 2544 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:22:44.0771 2544 WS2IFSL - ok
09:22:44.0818 2544 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
09:22:45.0115 2544 \Device\Harddisk0\DR0 - ok
09:22:45.0115 2544 Boot (0x1200) (ffadc36745fde7780ce6fc60573ff338) \Device\Harddisk0\DR0\Partition0
09:22:45.0115 2544 \Device\Harddisk0\DR0\Partition0 - ok
09:22:45.0115 2544 ============================================================
09:22:45.0115 2544 Scan finished
09:22:45.0115 2544 ============================================================
09:22:45.0240 3444 Detected object count: 1
09:22:45.0240 3444 Actual detected object count: 1
09:23:07.0428 3444 USB-100 ( UnsignedFile.Multi.Generic ) - skipped by user
09:23:07.0443 3444 USB-100 ( UnsignedFile.Multi.Generic ) - User select action: Skip


////////////////////
-------aswMBR------- (FIX button NOT enabled) *It asked me if I wanted to download Avast!; I clicked "No".
\\\\\\\\\\\\\\\\\\\\

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-21 09:23:56
-----------------------------
09:23:56.959 OS Version: Windows 5.1.2600 Service Pack 3
09:23:56.959 Number of processors: 2 586 0x407
09:23:56.959 ComputerName: [Computer Name] UserName: admin
09:23:57.193 Initialize success
09:26:01.318 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
09:26:01.318 Disk 0 Vendor: ST380811AS 3.AAE Size: 76319MB BusType: 3
09:26:01.350 Disk 0 MBR read successfully
09:26:01.350 Disk 0 MBR scan
09:26:01.350 Disk 0 Windows XP default MBR code
09:26:01.350 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 34193 MB offset 63
09:26:01.365 Disk 0 Partition 2 00 83 Linux 42123 MB offset 70027335
09:26:01.365 Disk 0 scanning sectors +156296385
09:26:01.443 Disk 0 scanning C:\WINDOWS\system32\drivers
09:26:05.287 Service scanning
09:26:13.521 Modules scanning
09:26:19.334 Scan finished successfully
09:26:47.943 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
09:26:47.943 The log file has been saved successfully to "C:\aswMBR.txt"


////////////////////
----MalwareBytes---- (no threats detected)
\\\\\\\\\\\\\\\\\\\\

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.21.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
admin :: [Computer Name] [administrator]

2/21/2012 9:29:21 AM
mbam-log-2012-02-21 (09-29-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222341
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Thank you so much again for your assistance!
Megan
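The two TDSSKiller runs above are worth reading side by side: the first run passed USB100M.SYS as `ok`, and the second, which ran with `Mode: Manual; SigCheck; TDLFS;`, reported the same file with the same MD5 (945ee78a075d7a29e61e512f67c91a72) as `UnsignedFile.Multi.Generic`. The verdict changed because signature checking was turned on for the second run, not because the file did. The Python script below is an added example for this thread; it is not code from Kaspersky's TDSSKiller, from OTL or from the poster. It parses this log format, collects each driver's MD5, path and worst verdict, lists what the scanner flagged, and diffs two runs so that a verdict change is shown next to whether the hash moved. The excerpt embedded as sample input is copied from the two logs posted above; the names `Driver`, `Change`, `parse_run`, `flagged`, `diff_runs` and `md5_hex` are the example's own.

```python
"""Parse TDSSKiller logs and compare two runs by driver MD5 and verdict.
Added example for this thread, not code from TDSSKiller, OTL or the poster;
the sample lines are copied from the two TDSSKiller logs posted above."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TIME_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+$")
MD5_PATH_RE = re.compile(r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$")
SEVERITY = {"ok": 0, "warning": 1, "detected": 2}   # worst verdict per name wins

# Run 1 (pid 1392, default mode) and run 2 (pid 2544, "Mode: Manual; SigCheck; TDLFS;").
RUN1_LOG = r"""
09:20:51.0021 1392 USB-100 (945ee78a075d7a29e61e512f67c91a72) C:\WINDOWS\system32\DRIVERS\USB100M.SYS
09:20:51.0021 1392 USB-100 - ok
09:20:51.0084 1392 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:20:51.0084 1392 usbccgp - ok
"""
RUN2_LOG = r"""
09:22:41.0693 2544 USB-100 (945ee78a075d7a29e61e512f67c91a72) C:\WINDOWS\system32\DRIVERS\USB100M.SYS
09:22:41.0693 2544 USB-100 ( UnsignedFile.Multi.Generic ) - warning
09:22:41.0693 2544 USB-100 - detected UnsignedFile.Multi.Generic (1)
09:22:41.0756 2544 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:22:41.0912 2544 usbccgp - ok
09:22:45.0240 3444 Detected object count: 1
09:23:07.0428 3444 USB-100 ( UnsignedFile.Multi.Generic ) - skipped by user
09:23:07.0443 3444 USB-100 ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

@dataclass
class Driver:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None             # "ok", "warning" or "detected"
    detections: List[str] = field(default_factory=list)
    action: Optional[str] = None              # what the user chose, e.g. "Skip"

@dataclass
class Change:
    name: str
    old_verdict: Optional[str]
    new_verdict: Optional[str]
    hash_changed: bool                        # False: same bytes, only the verdict moved

def _classify(verdict):
    """Text after ' - ' -> (kind, detail); unrecognised text -> (None, None)."""
    if verdict in ("ok", "warning"):
        return verdict, None
    if verdict and verdict.startswith("detected "):
        return "detected", re.sub(r"\s*\(\d+\)$", "", verdict[9:])   # drop " (1)"
    if verdict == "skipped by user":
        return "action", verdict
    if verdict and verdict.startswith("User select action: "):
        return "action", verdict[20:]
    return None, None

def parse_run(text: str) -> Dict[str, Driver]:
    """One TDSSKiller log -> {service name: Driver}, merging all lines for a name."""
    drivers: Dict[str, Driver] = {}
    for raw in text.splitlines():
        line = raw.strip()
        head, sep, verdict = line.rpartition(" - ")
        if not sep:                           # the "(md5) path" line carries no verdict
            head, verdict = line, None
        parts = head.split(None, 3)           # time, pid, name, remainder
        if len(parts) < 3 or not TIME_RE.match(parts[0]) or not parts[1].isdigit():
            continue                          # banner and "====" lines
        name, rest = parts[2], (parts[3] if len(parts) == 4 else "")
        m, (kind, detail) = MD5_PATH_RE.search(rest), _classify(verdict)
        if m is None and kind is None:
            continue                          # "Mode:", "Detected object count:", ...
        drv = drivers.setdefault(name, Driver(name))
        if m:
            drv.md5, drv.path = m["md5"].lower(), m["path"]
        if kind in SEVERITY:
            if drv.verdict is None or SEVERITY[kind] > SEVERITY[drv.verdict]:
                drv.verdict = kind
            if detail and detail not in drv.detections:
                drv.detections.append(detail)
        elif kind == "action":
            drv.action = detail
    return drivers

def flagged(run: Dict[str, Driver]) -> List[Driver]:
    """Entries TDSSKiller did not clear (warning or detected)."""
    return [d for d in run.values() if d.verdict in ("warning", "detected")]

def diff_runs(old: Dict[str, Driver], new: Dict[str, Driver]) -> List[Change]:
    """Names whose MD5 or verdict differs between runs, or that appear in only one."""
    changes = []
    for name in sorted(set(old) | set(new)):
        a, b = old.get(name), new.get(name)
        if a is None or b is None or a.md5 != b.md5 or a.verdict != b.verdict:
            changes.append(Change(name, a.verdict if a else None, b.verdict if b else None,
                                  (a.md5 if a else None) != (b.md5 if b else None)))
    return changes

def md5_hex(data: bytes) -> str:
    """MD5 of bytes read from disk, for comparison with the logged value."""
    return hashlib.md5(data).hexdigest()
```

Feed `parse_run` the full saved logs instead of the excerpt and `diff_runs` reports every driver whose hash or verdict moved between the two runs; for the excerpt it reports only USB-100, with `hash_changed` False. `md5_hex` is there so the bytes now on disk can be checked against the MD5 the scanner logged. Windows XP does not enforce kernel driver signing, so an unsigned-file warning on a third-party NIC driver is a prompt to verify the file's hash against a reference copy, not by itself evidence of infection.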

#4
RKinner
    Malware Expert
  • Expert
  • 19,796 posts
  • MVP
Copy the text in the code box:

nnetsvcs
%SYSTEMDRIVE%\*.exe
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
consrv.dll
sfcfiles.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

#5
Aristazi
    Member
  • Topic Starter
  • Member
  • 266 posts
RKinner, so sorry for not responding sooner; I didn't see the reply notification. I can't access his computer just now, but I will give this a try and respond ASAP. Thank you!

#6
RKinner
    Malware Expert
  • Expert
  • 19,796 posts
  • MVP
No problem, but check your spam folder to see if you got a reply notification that went to spam. Also check your profile to make sure you have the correct email address.

#7
Aristazi
    Member
  • Topic Starter
  • Member
  • 266 posts
Here are the reports. Thanks so much!

OTL logfile created on: 3/6/2012 8:26:59 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = Z:\Megan Larkins\Anti-virus
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.48 Mb Total Physical Memory | 197.08 Mb Available Physical Memory | 20.56% Memory free
2.26 Gb Paging File | 1.31 Gb Available in Paging File | 58.10% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.39 Gb Total Space | 12.15 Gb Free Space | 36.39% Space Free | Partition Type: NTFS
Drive Z: | 120.01 Gb Total Space | 22.58 Gb Free Space | 18.82% Space Free | Partition Type: NTFS

Computer Name: AHORSMAN-XP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/13 13:46:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- Z:\Megan Larkins\Anti-virus\OTL.exe
PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/01/13 14:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/11/25 06:27:48 | 001,081,024 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
PRC - [2011/11/16 12:54:26 | 000,689,680 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2011/10/17 07:41:42 | 000,133,424 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
PRC - [2011/09/27 01:32:18 | 000,196,512 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
PRC - [2011/08/16 01:26:46 | 000,142,952 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
PRC - [2011/04/28 09:48:42 | 000,438,272 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/09 12:04:32 | 001,892,430 | ---- | M] (Toshiba America) -- C:\Program Files\Toshiba\Net Phone\netphone.exe
PRC - [1999/09/30 20:31:38 | 000,869,376 | ---- | M] (Fred's Software) -- C:\Program Files\PrintKey2000\Printkey2000.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/17 08:58:43 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\29bdc8352d3c26e3c572ea60639dec3b\System.Web.ni.dll
MOD - [2012/02/17 08:56:12 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll
MOD - [2012/02/17 08:51:27 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll
MOD - [2012/02/17 08:51:12 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll
MOD - [2012/02/17 08:50:34 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll
MOD - [2012/02/17 03:08:40 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll
MOD - [2012/02/17 03:07:42 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2011/12/05 21:45:14 | 000,270,336 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2011/11/16 12:37:40 | 000,126,976 | ---- | M] () -- C:\Program Files\Trend Micro\Client Server Security Agent\libTmHttpClient.dll
MOD - [2011/11/16 12:37:26 | 000,233,472 | ---- | M] () -- C:\Program Files\Trend Micro\Client Server Security Agent\libTmHttpServer.dll
MOD - [2011/10/13 02:16:51 | 000,025,600 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\d86a3346c3d90ff12d0df9d7726f3ece\Accessibility.ni.dll
MOD - [2011/10/13 02:11:48 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/10/05 08:15:22 | 000,174,624 | ---- | M] () -- C:\Program Files\Trend Micro\UniClient\plugins\LUADLL.dll
MOD - [2011/01/04 03:53:52 | 000,442,368 | ---- | M] () -- C:\Program Files\Trend Micro\AMSP\sqlite3.dll
MOD - [2011/01/04 03:53:52 | 000,057,344 | ---- | M] () -- C:\Program Files\Trend Micro\AMSP\boost_date_time-vc80-mt-1_36.dll
MOD - [2011/01/04 03:53:52 | 000,049,152 | ---- | M] () -- C:\Program Files\Trend Micro\AMSP\boost_thread-vc80-mt-1_36.dll
MOD - [2011/01/04 03:53:26 | 001,081,344 | ---- | M] () -- C:\Program Files\Trend Micro\AMSP\libprotobuf.dll
MOD - [2011/01/03 13:53:54 | 000,057,344 | ---- | M] () -- C:\Program Files\Trend Micro\Client Server Security Agent\boost_date_time-vc80-mt-1_36.dll
MOD - [2011/01/03 13:53:54 | 000,049,152 | ---- | M] () -- C:\Program Files\Trend Micro\Client Server Security Agent\boost_thread-vc80-mt-1_36.dll
MOD - [2010/03/16 12:22:12 | 000,014,848 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\AxInterop.WBOCXLib.dll
MOD - [2007/02/13 20:23:18 | 000,117,248 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzpi4wm.DLL
MOD - [2004/08/04 06:00:00 | 000,015,360 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
MOD - [2001/10/28 15:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/11/16 12:54:26 | 000,689,680 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe -- (TmListen)
SRV - [2011/09/27 01:32:18 | 000,196,512 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe -- (Amsp)
SRV - [2011/04/28 09:48:42 | 000,438,272 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - [2011/12/20 01:39:28 | 000,100,368 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtihdXP3.sys -- (AtiHDAudioService)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/12/05 21:42:18 | 007,490,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2011/06/23 09:34:42 | 000,081,168 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2011/06/23 09:34:32 | 000,065,296 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2011/06/23 09:34:24 | 000,191,248 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010/12/06 02:27:12 | 000,092,112 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2010/09/30 15:59:48 | 000,341,072 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2009/03/25 05:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/04/13 16:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2005/09/23 17:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2001/09/14 09:35:58 | 000,027,519 | ---- | M] (Linksys) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USB100M.SYS -- (USB-100)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\ [2012/02/15 17:03:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/28 08:30:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/13 16:46:06 | 000,000,000 | ---D | M]

[2012/02/28 08:31:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/28 08:30:21 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/03/30 12:44:28 | 000,027,976 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
[2010/03/30 12:44:29 | 000,126,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
[2009/12/17 11:00:27 | 000,046,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\atmccli.dll
[2010/03/30 12:45:07 | 000,098,712 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2010/03/30 12:44:23 | 000,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2012/02/13 16:45:56 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/28 18:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/11 08:04:14 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/21 08:58:02 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.6.1242\6.6.1089\TmIEPlg.dll (Trend Micro Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Net Phone.lnk = C:\Program Files\Toshiba\Net Phone\netphone.exe (Toshiba America)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe (Fred's Software)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {119CE688-A7E9-1941-8E10-F42990BBA4C4} https://fiserv.assur.../ASRrptview.cab (FISERV FIPSCO Report Viewer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1242241285578 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://avivausa.web...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.130.255.3 209.63.0.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{332A02B6-663C-4684-95EB-36AE244E7546}: DhcpNameServer = 67.152.160.87 209.98.204.98
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CDB7B9E5-9B98-4843-9CB9-7E4D38293F03}: DhcpNameServer = 204.130.255.3 209.63.0.6
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.6.1242\6.6.1089\TmIEPlg.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtbim {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Client Server Security Agent\UIFrameWork\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/13 11:25:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5CA109D3-A084-47E8-A9CB-D497322E3F50} - MSN Toolbar 3.0 & Silverlight 2.0
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: >{b5f15cbd-370a-4244-8f42-14cba2eb4e2c} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/06 08:22:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2012/03/06 08:22:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2012/03/06 08:22:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IECompatCache
[2012/03/06 08:21:16 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2012/03/06 08:21:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ATI
[2012/03/06 08:21:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\ATI
[2012/03/06 08:20:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities
[2012/03/06 08:20:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\CTS
[2012/03/06 08:20:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2012/03/06 08:20:01 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2012/02/28 10:43:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2012/02/27 14:09:27 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/02/27 08:22:45 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2012/02/27 08:22:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2012/02/21 09:27:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/21 09:27:39 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/02/21 09:27:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/02/21 08:49:58 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/21 08:46:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/21 08:46:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/21 08:46:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/21 08:46:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/21 08:46:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/21 08:46:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/21 08:43:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/02/21 08:43:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2012/02/21 08:42:43 | 000,326,656 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpmml107.dll
[2012/02/21 08:42:43 | 000,243,712 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpmpm081.dll
[2012/02/21 08:42:43 | 000,223,232 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpmtp107.dll
[2012/02/21 08:42:43 | 000,179,200 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpmpw081.dll
[2012/02/21 08:42:43 | 000,074,752 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hppccompio.dll
[2012/02/21 08:42:43 | 000,049,252 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpmnque.dll
[2012/02/21 08:42:43 | 000,049,250 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpmnndps.dll
[2012/02/21 08:42:43 | 000,018,944 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\hppmopjl.dll
[2012/02/21 08:42:42 | 000,275,968 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpmja107.dll
[2012/02/21 08:42:41 | 000,275,456 | ---- | C] (Hewlett-Packard Corporation) -- C:\WINDOWS\System32\hpcpn107.dll
[2012/02/21 08:42:40 | 000,059,928 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\fxcompchannel.dll
[2012/02/16 08:58:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ATI
[2012/02/16 08:55:51 | 000,527,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_7.dll
[2012/02/16 08:55:51 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_5.dll
[2012/02/16 08:55:50 | 002,106,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_43.dll
[2012/02/16 08:55:50 | 000,239,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_7.dll
[2012/02/16 08:55:49 | 001,868,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_43.dll
[2012/02/16 08:55:49 | 000,470,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_43.dll
[2012/02/16 08:55:49 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_43.dll
[2012/02/16 08:55:48 | 001,998,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_43.dll
[2012/02/16 08:55:48 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_6.dll
[2012/02/16 08:55:48 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_4.dll
[2012/02/16 08:55:47 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_6.dll
[2012/02/16 08:55:47 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_7.dll
[2012/02/16 08:55:46 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2012/02/16 08:55:46 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2012/02/16 08:55:46 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2012/02/16 08:55:45 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2012/02/16 08:55:44 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2012/02/16 08:55:44 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2012/02/16 08:55:43 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2012/02/16 08:55:43 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2012/02/16 08:55:43 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2012/02/16 08:55:42 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2012/02/16 08:55:42 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2012/02/16 08:55:42 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2012/02/16 08:55:41 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2012/02/16 08:55:41 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2012/02/16 08:55:40 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2012/02/16 08:55:40 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2012/02/16 08:55:40 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2012/02/16 08:55:39 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2012/02/16 08:55:39 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2012/02/16 08:55:39 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2012/02/16 08:55:38 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2012/02/16 08:55:38 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2012/02/16 08:55:38 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2012/02/16 08:55:37 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2012/02/16 08:55:37 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2012/02/16 08:55:37 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2012/02/16 08:55:36 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2012/02/16 08:55:36 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2012/02/16 08:55:36 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2012/02/16 08:55:35 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2012/02/16 08:55:35 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2012/02/16 08:55:34 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2012/02/16 08:55:34 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2012/02/16 08:55:34 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2012/02/16 08:55:33 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2012/02/16 08:55:33 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2012/02/16 08:55:33 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2012/02/16 08:55:32 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2012/02/16 08:55:32 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2012/02/16 08:55:31 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2012/02/16 08:55:31 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2012/02/16 08:55:30 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2012/02/16 08:55:30 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2012/02/16 08:55:29 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2012/02/16 08:55:29 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2012/02/16 08:55:28 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2012/02/16 08:55:28 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2012/02/16 08:55:28 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2012/02/16 08:55:27 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2012/02/16 08:55:27 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2012/02/16 08:55:26 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2012/02/16 08:55:26 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2012/02/16 08:55:25 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2012/02/16 08:55:24 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2012/02/16 08:55:23 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2012/02/16 08:55:22 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2012/02/16 08:55:22 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2012/02/16 08:55:20 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2012/02/16 08:55:20 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2012/02/16 08:55:19 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2012/02/16 08:55:19 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2012/02/16 08:55:18 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2012/02/16 08:55:18 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2012/02/16 08:55:18 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2012/02/16 08:55:18 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2012/02/16 08:55:17 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2012/02/16 08:55:17 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2012/02/16 08:55:17 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2012/02/16 08:55:16 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2012/02/16 08:55:08 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2012/02/16 08:55:07 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2012/02/16 08:55:07 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2012/02/16 08:55:06 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2012/02/16 08:55:06 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2012/02/16 08:55:05 | 000,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2012/02/16 08:55:04 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2012/02/16 08:55:04 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2012/02/16 08:55:03 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2012/02/16 08:55:02 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2012/02/16 08:54:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2012/02/16 08:53:52 | 000,000,000 | ---D | C] -- C:\Program Files\AMD APP
[2012/02/16 08:53:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Catalyst Control Center
[2012/02/16 08:52:23 | 000,100,368 | ---- | C] (Advanced Micro Devices) -- C:\WINDOWS\System32\drivers\AtihdXP3.sys
[2012/02/16 08:51:56 | 003,307,776 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\WINDOWS\System32\dllcache\ativvaxx.dll
[2012/02/16 08:51:56 | 003,307,776 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\WINDOWS\System32\ativvaxx.dll
[2012/02/16 08:51:56 | 000,884,736 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati2cqag.dll
[2012/02/16 08:51:56 | 000,884,736 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2cqag.dll
[2012/02/16 08:51:56 | 000,466,944 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\ATIDEMGX.dll
[2012/02/16 08:51:56 | 000,155,648 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\Oemdspif.dll
[2012/02/16 08:51:56 | 000,057,344 | ---- | C] (Advanced Micro Devices Inc.) -- C:\WINDOWS\System32\aticalrt.dll
[2012/02/16 08:51:56 | 000,043,520 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\ati2edxx.dll
[2012/02/16 08:51:56 | 000,017,408 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\atitvo32.dll
[2012/02/16 08:51:55 | 007,376,896 | ---- | C] (Advanced Micro Devices Inc.) -- C:\WINDOWS\System32\aticaldd.dll
[2012/02/16 08:51:55 | 000,304,640 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati2dvag.dll
[2012/02/16 08:51:55 | 000,304,640 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2dvag.dll
[2012/02/16 08:51:55 | 000,118,784 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\atibtmon.exe
[2012/02/16 08:51:55 | 000,065,024 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\WINDOWS\System32\atimpc32.dll
[2012/02/16 08:51:55 | 000,065,024 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\WINDOWS\System32\amdpcom32.dll
[2012/02/16 08:51:55 | 000,053,248 | ---- | C] ( ATI Technologies Inc.) -- C:\WINDOWS\System32\ATIDDC.DLL
[2012/02/16 08:51:55 | 000,045,056 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\ATIODCLI.exe
[2012/02/16 08:51:55 | 000,026,112 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\Ati2mdxx.exe
[2012/02/16 08:51:55 | 000,024,064 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\ativcoxx.dll
[2012/02/16 08:51:54 | 019,357,696 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\atioglxx.dll
[2012/02/16 08:51:54 | 000,956,160 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\WINDOWS\System32\ativvamv.dll
[2012/02/16 08:51:54 | 000,192,512 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2evxx.dll
[2012/02/16 08:51:53 | 007,490,560 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati2mtag.sys
[2012/02/16 08:51:53 | 007,490,560 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati2mtag.sys
[2012/02/16 08:51:53 | 005,334,656 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\WINDOWS\System32\dllcache\ati3duag.dll
[2012/02/16 08:51:53 | 005,334,656 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\WINDOWS\System32\ati3duag.dll
[2012/02/16 08:51:53 | 000,806,912 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\atikvmag.dll
[2012/02/16 08:51:53 | 000,602,112 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\atiok3x2.dll
[2012/02/16 08:51:53 | 000,311,296 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\atiiiexx.dll
[2012/02/16 08:51:53 | 000,294,912 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\ATIODE.exe
[2012/02/16 08:51:53 | 000,233,472 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\atiadlxx.dll
[2012/02/16 08:51:53 | 000,212,992 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\atipdlxx.dll
[2012/02/16 08:51:53 | 000,159,744 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\atiapfxx.exe
[2012/02/16 08:51:53 | 000,053,248 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati2erec.dll
[2012/02/16 08:51:53 | 000,053,248 | ---- | C] (Advanced Micro Devices Inc.) -- C:\WINDOWS\System32\aticalcl.dll
[2012/02/16 08:51:11 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2012/02/16 08:51:08 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2012/02/16 08:50:01 | 000,000,000 | ---D | C] -- C:\AMD
[2012/02/15 17:09:39 | 000,012,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dot4prt.sys
[2012/02/15 17:06:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2012/02/15 17:06:41 | 000,000,000 | ---D | C] -- C:\Program Files\Hewlett-Packard
[2012/02/15 17:06:39 | 000,206,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dot4.sys
[2012/02/15 17:06:37 | 000,023,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dot4usb.sys
[2012/02/14 09:07:37 | 000,092,112 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2012/02/13 16:46:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2012/02/13 16:46:06 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2012/02/13 16:46:06 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/02/13 16:46:06 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/02/13 16:46:06 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/02/13 09:10:37 | 000,341,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\TM_CFW.sys
[2012/02/13 09:02:38 | 000,191,248 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2012/02/13 09:02:38 | 000,081,168 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2012/02/13 09:02:38 | 000,065,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2012/02/13 09:00:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro Worry-Free Business Security Agent
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/06 08:20:07 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/06 08:19:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/02 21:52:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/03/02 13:52:58 | 000,000,218 | ---- | M] () -- C:\WINDOWS\tasks\JkDefrag.job
[2012/02/28 03:18:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/27 08:23:16 | 000,001,809 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/27 08:23:14 | 000,001,787 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2012/02/27 08:22:58 | 000,457,016 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/27 08:22:58 | 000,075,922 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/21 09:27:40 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/21 09:26:47 | 000,000,512 | ---- | M] () -- C:\MBR.dat
[2012/02/21 08:58:02 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/02/21 08:50:03 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/02/21 08:43:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\HPMProp.INI
[2012/02/21 08:40:41 | 000,000,158 | ---- | M] () -- C:\WINDOWS\ricdb.ini
[2012/02/17 08:49:00 | 000,266,208 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/16 08:52:16 | 000,000,000 | ---- | M] () -- C:\WINDOWS\ativpsrm.bin
[2012/02/15 17:05:59 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/13 16:45:56 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/02/13 16:45:56 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/02/13 16:45:56 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/02/13 16:45:56 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/02/13 16:45:55 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2012/02/13 08:41:46 | 000,018,804 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/27 08:23:14 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2012/02/27 08:23:14 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2012/02/21 09:27:40 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/21 09:26:47 | 000,000,512 | ---- | C] () -- C:\MBR.dat
[2012/02/21 08:50:03 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/02/21 08:49:59 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/02/21 08:46:53 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/21 08:46:53 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/21 08:46:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/21 08:46:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/21 08:46:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/21 08:43:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI
[2012/02/21 08:40:41 | 000,000,158 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2012/02/16 13:25:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/16 13:25:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/16 08:52:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2012/02/16 08:51:56 | 002,097,056 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.cap
[2012/02/16 08:51:56 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2012/02/16 08:51:55 | 000,219,080 | ---- | C] () -- C:\WINDOWS\System32\atiapfxx.blb
[2012/02/16 08:51:55 | 000,036,338 | ---- | C] () -- C:\WINDOWS\atiogl.xml
[2012/02/16 08:51:53 | 000,608,507 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2012/02/16 08:51:53 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/12/23 09:41:49 | 000,000,048 | ---- | C] () -- C:\WINDOWS\ACare.ini
[2011/12/23 09:41:43 | 000,000,242 | ---- | C] () -- C:\WINDOWS\SLasstcare.ini
[2011/12/12 14:52:47 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/12/05 22:04:00 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\OpenVideo.dll
[2011/12/05 22:03:52 | 000,054,784 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2011/09/12 08:35:06 | 000,000,027 | ---- | C] () -- C:\WINDOWS\INSDESK.INI
[2011/09/12 08:29:50 | 000,000,072 | ---- | C] () -- C:\WINDOWS\L&EAPPS.INI
[2011/08/18 23:33:53 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2010/12/29 09:39:26 | 000,164,864 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2010/08/16 10:35:29 | 000,005,910 | ---- | C] () -- C:\WINDOWS\cfgspyrt.ini
[2010/08/16 10:35:27 | 000,006,794 | ---- | C] () -- C:\WINDOWS\cfgrt.ini
[2010/08/11 14:29:49 | 000,006,007 | ---- | C] () -- C:\WINDOWS\cfgspyps.ini
[2010/08/11 14:29:45 | 000,006,859 | ---- | C] () -- C:\WINDOWS\cfgps.ini
[2010/07/21 10:52:52 | 000,000,068 | ---- | C] () -- C:\WINDOWS\pmlfo.ini
[2010/01/26 12:50:23 | 000,000,046 | ---- | C] () -- C:\WINDOWS\aisbma.ini
[2010/01/04 09:36:38 | 000,000,101 | ---- | C] () -- C:\WINDOWS\applink.ini
[2010/01/04 09:36:38 | 000,000,097 | ---- | C] () -- C:\WINDOWS\Utdsysap.ini
[2010/01/04 09:36:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tmp.ini
[2009/12/17 10:56:40 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/10/12 15:49:11 | 000,937,984 | ---- | C] () -- C:\WINDOWS\System32\CTS_G729A.dll
[2009/10/12 15:49:10 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\CTSMail.dll
[2009/10/01 14:35:05 | 000,018,804 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2009/05/13 13:05:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/05/13 12:54:43 | 000,000,476 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/13 12:45:46 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2009/05/13 11:28:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/05/13 11:22:24 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/05/13 06:15:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/05/13 06:14:23 | 000,266,208 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/03 11:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 04:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 06:00:00 | 000,457,016 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 06:00:00 | 000,075,922 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 06:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/02/01 09:50:04 | 000,229,376 | ---- | M] (J.C. Kessels) -- C:\JkDefrag.exe

< %SYSTEMDRIVE%\*.exe >
[2008/02/01 09:50:04 | 000,229,376 | ---- | M] (J.C. Kessels) -- C:\JkDefrag.exe

< %ALLUSERSPROFILE%\Application Data\*.exe >

< %APPDATA%\*. >
[2012/03/06 08:22:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2012/03/06 08:21:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ATI
[2012/03/06 08:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CTS
[2009/05/13 12:38:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2012/03/06 08:22:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2012/03/06 08:21:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2012/03/06 08:20:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search


< MD5 for: ATAPI.SYS >
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/13 23:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 23:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 23:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EXPLORER.EXE >
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: SFCFILES.DLL >
[2008/05/22 12:39:52 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=5378E4A3DF2D44C71CCB5FE4D5FB8A0E -- C:\WINDOWS\system32\sfcfiles.dll

< MD5 for: SVCHOST.EXE >
[2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 04:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 04:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 04:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/02/28 08:30:08 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/02/28 08:30:08 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/02/28 08:30:08 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/02/28 08:30:20 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/02/28 08:30:20 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/02/28 08:30:20 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 06:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 06:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 06:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/02/28 08:30:08 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/02/28 08:30:08 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/02/28 08:30:08 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/02/28 08:30:20 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/02/28 08:30:20 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/02/28 08:30:20 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 06:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 06:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 06:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< >

< End of report >

OTL Extras logfile created on: 3/6/2012 8:26:59 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = Z:\Megan Larkins\Anti-virus
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.48 Mb Total Physical Memory | 197.08 Mb Available Physical Memory | 20.56% Memory free
2.26 Gb Paging File | 1.31 Gb Available in Paging File | 58.10% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.39 Gb Total Space | 12.15 Gb Free Space | 36.39% Space Free | Partition Type: NTFS
Drive Z: | 120.01 Gb Total Space | 22.58 Gb Free Space | 18.82% Space Free | Partition Type: NTFS

Computer Name: EmployeeName-XP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = ComFile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\PROGRA~1\MICROS~2\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\PROGRA~1\MICROS~2\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"42419:TCP" = 42419:TCP:*:Enabled:Trend Micro Client/Server Security Agent Listener

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Toshiba\Net Phone\netphone.exe" = C:\Program Files\Toshiba\Net Phone\netphone.exe:*:Enabled:Strata Net Phone -- (Toshiba America)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{09C6A4C7-A2D2-1DD9-A81C-44C30042A00C}" = CCC Help Greek
"{0A07E717-BB5D-4B99-840B-6C5DED52B277}" = Trend Micro Worry-Free Business Security Agent
"{0A173336-214D-0609-4897-5E2547D0395D}" = CCC Help Dutch
"{1B9E212F-DFDC-F1D4-D1FD-986149513125}" = CCC Help Russian
"{1CAEFAE2-D12E-CA26-62BC-DF452004B3B1}" = CCC Help Swedish
"{1D9B2B74-82B1-9CE7-0A9A-6234008D11EE}" = CCC Help Polish
"{26A24AE4-039D-4CA4-87B4-2F83216030FF}" = Java™ 6 Update 30
"{297DCADA-86A1-4A42-8A13-66B7D7A09FD2}" = WeatherBug
"{2ECA81CA-D932-4AD3-AD59-BF5CCF099C83}" = Catalyst Control Center - Branding
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3702BAD5-17AB-4D0B-852C-09A57D01D221}" = GALIC Secure American
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{406AE7DC-5FD1-FC3A-00F5-024AD25DF01B}" = CCC Help Danish
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A39A186-867C-48C7-890A-8824B8B0874E}" = GALIC Fixed-Indexed Annuities
"{4A742CBE-078E-03FF-C7D5-B3E1B676BDF2}" = CCC Help Czech
"{4B6DD00B-BC05-185B-BE8B-997A23B367C4}" = CCC Help Chinese Traditional
"{58D92B58-1BE9-4DE4-AE88-ACB205D75B63}" = PDFlib 4.0.1
"{5A29E75C-A8DE-49B4-9AF3-2266CE76C428}" = Sun ODF Plugin for Microsoft Office 1.2
"{5F1AE198-965A-C65D-218A-B76F19B86BEC}" = CCC Help German
"{5FEEB4D3-31F1-FF10-5F61-A988CD44CA59}" = CCC Help Hungarian
"{651CD0A0-8B64-B3F1-23B9-294C39F09A31}" = CCC Help Finnish
"{68E1BAC6-F79F-43C4-AF03-A89F53F748D3}" = Microsoft XML Parser
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A119445-2D4B-4B39-9496-C9C81D99E7AC}" = Retirement Analyzer Pro Plus
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77514C51-66D9-2F7C-56D8-5495B8CFAF5E}" = CCC Help French
"{792A669E-71A6-9210-2C06-3FCF0DDFC4C5}" = Catalyst Control Center Localization All
"{83719B4A-8F73-480E-B458-9A1468BC5CDB}" = Plantronics Merge Module
"{860BD052-49CB-7220-8792-15523D08C2A2}" = CCC Help Korean
"{86BBD345-0CE6-4AB1-8ADE-FB12D86EAB90}" = 32 Bit HP CIO Components Installer
"{8C93615B-5333-B61B-625E-0D4DCD9E09CA}" = CCC Help Norwegian
"{8CA32D58-3DDB-4BB9-8108-218FF73CFF47}" = Foxit Reader
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9C2B41C5-919A-7037-F5E8-42A5E90873B8}" = Catalyst Control Center Graphics Previews Common
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6991E11-AF13-652B-5736-C8800EF5527B}" = Catalyst Control Center
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{ACEB2BAF-96DF-48FD-ADD5-43842D4C443D}" = Adobe AIR
"{ADD24D05-DDEA-39CB-0E92-AA371AEE2894}" = Catalyst Control Center InstallProxy
"{B2420CAA-ADC1-8581-938A-2B25C22EF17A}" = ccc-utility
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B81D9181-67D7-6A90-78EA-34108EBBCF7F}" = CCC Help Thai
"{BA314F9D-8401-1E44-11BF-F112E93F465E}" = CCC Help English
"{BEB0B424-3692-E0DC-8D25-04A36C7AB580}" = CCC Help Portuguese
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4186C0D-FB9F-5D83-21FB-A737A13EFAE6}" = AMD Catalyst Install Manager
"{C4574477-C9FA-CF5F-B5AC-D379D655A962}" = CCC Help Chinese Standard
"{CBA4DD0F-0871-39EB-A48B-03BC9E5E437B}" = CCC Help Japanese
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DE0C72A8-B4A3-4B80-3CF9-2DC45CF865D5}" = CCC Help Spanish
"{E5B2C34F-BEDE-5AF8-DBD3-C05E8C030588}" = CCC Help Italian
"{F0A6D1C4-7E73-963B-C4C6-C97121B1992B}" = CCC Help Turkish
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FB948EEB-0F6C-4C12-B441-D0C46B3FB1F6}" = GILICO Product Illustration System
"7-Zip" = 7-Zip 4.65
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"American Equity Investment" = American Equity Investment
"Americo Insurance Desk" = Americo Insurance Desk
"ie8" = Windows Internet Explorer 8
"ING Presents" = ING Presents
"Lincoln DesignIt - Lincoln Financial Distributors" = Lincoln DesignIt - Lincoln Financial Distributors
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"Net Phone" = Net Phone
"PrintKey2000" = PrintKey2000
"PROPLUS" = Microsoft Office Professional Plus 2007
"SLAsset Care Illustration" = SL Asset Care Illustrations
"Wofie" = Trend Micro Worry-Free Business Security Agent
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/14/2011 10:04:20 AM | Computer Name = EmployeeName-XP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/8/2011 12:44:56 PM | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module
tmffext.dll, version 5.82.0.1008, fault address 0x00015406.

Error - 2/22/2011 5:07:14 PM | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module
tmffext.dll, version 5.82.0.1008, fault address 0x00015406.

Error - 2/22/2011 5:37:51 PM | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module
tmffext.dll, version 5.82.0.1008, fault address 0x00015406.

Error - 2/24/2011 11:32:57 AM | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module
tmffext.dll, version 5.82.0.1008, fault address 0x00015406.

Error - 2/24/2011 12:17:32 PM | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module
tmffext.dll, version 5.82.0.1008, fault address 0x00015406.

Error - 2/25/2011 11:21:06 AM | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module
tmffext.dll, version 5.82.0.1008, fault address 0x00015406.

Error - 3/1/2011 10:56:42 AM | Computer Name = EmployeeName-XP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/1/2011 3:32:03 PM | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module
tmffext.dll, version 5.82.0.1008, fault address 0x00015406.

Error - 3/4/2011 11:10:16 AM | Computer Name = EmployeeName-XP | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 12/8/2010 5:05:08 PM | Computer Name = EmployeeName-XP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 24923
seconds with 1860 seconds of active time. This session ended with a crash.

Error - 1/11/2011 12:39:19 PM | Computer Name = EmployeeName-XP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6548.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 591816
seconds with 11400 seconds of active time. This session ended with a crash.

Error - 1/11/2011 1:34:30 PM | Computer Name = EmployeeName-XP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6548.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 168
seconds with 60 seconds of active time. This session ended with a crash.

Error - 11/15/2011 5:11:48 PM | Computer Name = EmployeeName-XP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 81008
seconds with 4920 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/4/2012 9:11:36 PM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver Canon iR C3200-C1 PCL5c required for printer DNA - Color Copier
(Reception) is unknown. Contact the administrator to install the driver before
you log in again.

Error - 3/4/2012 9:11:36 PM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver Foxit PDF Printer Driver required for printer Foxit PDF Printer
is unknown. Contact the administrator to install the driver before you log in again.

Error - 3/4/2012 9:11:37 PM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver hp officejet 4200 series required for printer hp officejet
4200 series is unknown. Contact the administrator to install the driver before you
log in again.

Error - 3/4/2012 9:11:37 PM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver hp officejet 4200 series fax required for printer hp officejet
4200 series fax is unknown. Contact the administrator to install the driver before
you log in again.

Error - 3/5/2012 10:11:33 AM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver CutePDF Writer required for printer CutePDF Writer is unknown.
Contact the administrator to install the driver before you log in again.

Error - 3/5/2012 10:11:34 AM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver Canon iR5000-6000-L1 PCL5e required for printer DNA - Black
& White Copier (Mailroom) is unknown. Contact the administrator to install the
driver before you log in again.

Error - 3/5/2012 10:11:34 AM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver Canon iR C3200-C1 PCL5c required for printer DNA - Color Copier
(Reception) is unknown. Contact the administrator to install the driver before
you log in again.

Error - 3/5/2012 10:11:34 AM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver Foxit PDF Printer Driver required for printer Foxit PDF Printer
is unknown. Contact the administrator to install the driver before you log in again.

Error - 3/5/2012 10:11:35 AM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver hp officejet 4200 series required for printer hp officejet
4200 series is unknown. Contact the administrator to install the driver before you
log in again.

Error - 3/5/2012 10:11:35 AM | Computer Name = EmployeeName-XP | Source = TermServDevices | ID = 1111
Description = Driver hp officejet 4200 series fax required for printer hp officejet
4200 series fax is unknown. Contact the administrator to install the driver before
you log in again.


< End of report >
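A way to check the handlers listed under Shell Spawning above without reading them by eye, added here as an example and not part of the original post or of OTL: it parses an OTL-style section and flags any commonly hijacked file-type handler whose command differs from the stock Windows XP value. The expected commands are an assumption taken from a clean XP SP3 machine (confirm against a known-clean box of the same build before acting on a mismatch); the first sample is copied from the log above, the second is a constructed log with one rewritten entry and one missing entry so the output shows what a hit looks like.

```python
"""Audit an OTL 'Shell Spawning' section for hijacked file-type handlers.

Added example for this thread, not OTL's own code. EXPECTED holds the commands
a stock Windows XP SP3 machine uses (an assumption: confirm against a known-clean
box of the same build before acting on a mismatch).
"""
import re

# ProgID/verb pairs malware most often rewrites, with their stock XP commands.
# Compared after normalise(): lower case, C:\WINDOWS folded to %SystemRoot%,
# trailing "(vendor)" tag removed.
EXPECTED = {
    ("exefile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /s',
    ("regfile", "open"): 'regedit.exe "%1"',
    ("htafile", "open"): r'%systemroot%\system32\mshta.exe "%1" %*',
    ("jsfile", "open"): r'%systemroot%\system32\wscript.exe "%1" %*',
    ("vbsfile", "open"): r'%systemroot%\system32\wscript.exe "%1" %*',
}

HANDLER_RE = re.compile(r'^(?P<progid>[^\s\[]+)\s+\[(?P<verb>[^\]]+)\]\s+--\s+(?P<cmd>.*)$')
VENDOR_RE = re.compile(r'\s+\([^()]*\)\s*$')     # e.g. " (Microsoft Corporation)"


def normalise(cmd):
    """Make OTL's rendering of a command comparable with the EXPECTED table."""
    cmd = VENDOR_RE.sub("", cmd.strip())
    cmd = re.sub(r'(?i)c:\\windows', '%SystemRoot%', cmd)
    return cmd.lower()


def parse_shell_spawning(text):
    """Return {(progid, verb): command} for every handler line in the section."""
    handlers, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=========="):          # section header: enter/leave
            in_section = "Shell Spawning" in line
            continue
        m = HANDLER_RE.match(line) if in_section else None
        if m:
            handlers[(m["progid"], m["verb"])] = m["cmd"]
    return handlers


def audit(text):
    """'ok', 'MISSING' or 'CHANGED: <command>' for each watched handler."""
    found = parse_shell_spawning(text)
    report = {}
    for key, expected in EXPECTED.items():
        if key not in found:
            report[key] = "MISSING"
        elif normalise(found[key]) == expected:
            report[key] = "ok"
        else:
            report[key] = "CHANGED: " + found[key]
    return report


# Copied from the OTL log posted above (all stock values).
CLEAN_LOG = "\n".join([
    "========== Shell Spawning ==========",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]",
    r'batfile [open] -- "%1" %*',
    r'cmdfile [open] -- "%1" %*',
    r'comfile [open] -- "%1" %*',
    r'exefile [open] -- "%1" %*',
    r'htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)',
    r'jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)',
    r'piffile [open] -- "%1" %*',
    r'regfile [open] -- regedit.exe "%1" (Microsoft Corporation)',
    r'scrfile [open] -- "%1" /S',
    r'vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)',
    "",
    "========== Security Center Settings ==========",
    '"FirstRunDisabled" = 1',
])

# Constructed, not from the log: exefile now routes every .exe through a loader
# in the user's Temp folder, and the comfile entry is gone.
HIJACKED_LOG = CLEAN_LOG.replace(
    r'exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\Documents and Settings\user\Local Settings\Temp\loader.exe" -run "%1" %*',
).replace(r'comfile [open] -- "%1" %*' + "\n", "")

if __name__ == "__main__":
    for name, log in (("posted log", CLEAN_LOG), ("constructed log", HIJACKED_LOG)):
        print(name)
        for (progid, verb), result in audit(log).items():
            print(f"  {progid} [{verb}]: {result}")
```

Feed it the whole OTL.txt (`audit(open("OTL.txt").read())`) and it only looks at the Shell Spawning section; anything reported as CHANGED or MISSING is worth comparing against a clean machine before the next step of a cleanup.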

#8 RKinner (Malware Expert, MVP)

< MD5 for: SFCFILES.DLL >
[2008/05/22 12:39:52 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=5378E4A3DF2D44C71CCB5FE4D5FB8A0E -- C:\WINDOWS\system32\sfcfiles.dll


This is not a valid MD5 and there are no other files on your PC. I am going to attach a file called sfcfiles.zip to this post. Download, Save and right click on it and Extract All and you should find sfcfiles.dll. First rename the original file: C:\WINDOWS\system32\sfcfiles.dll to C:\WINDOWS\system32\sfcfiles.bad then copy the new file to C:\WINDOWS\system32\sfcfiles.dll.
I don't think the file should be in use, so you should be able to do that. If you can't see the file, then:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and exit My Computer.
Now your computer is configured to show all hidden files.




Your Trend Micro seems to be having problems with Firefox. I assume this is a paid-for version and you have the license key somewhere. Download a new copy of Trend, uninstall the old, then reboot and reinstall.

#9 RKinner (Malware Expert, MVP)

Forgot to attach the

#10 Aristazi (Member, Topic Starter)
Thank you RKinner!

I've reinstalled Trend and also replaced the sfcfiles.dll as you instructed.

I don't want to take up too much more of your time but, can I ask, how did you know the sfcfiles.dll file was invalid? I did a little research and read about running a MD5 Checksum Verifier, so I assume that's what you did. But based on the information provided how did you decide to run it?

< MD5 for: SFCFILES.DLL >
[2008/05/22 12:39:52 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=5378E4A3DF2D44C71CCB5FE4D5FB8A0E -- C:\WINDOWS\system32\sfcfiles.dll


And also with Firefox & TrendMicro, you're completely right. The user didn't tell me but when I mentioned the problem to him he confirmed there had been issues. What in the log tipped you off?

Thank you so much!!
Megan/Aristazi

#11 RKinner (Malware Expert, MVP)
Combofix told me it was bad:

.

------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-22 . 5378E4A3DF2D44C71CCB5FE4D5FB8A0E . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll


(It will say [7] if the MD5 is good.)

I then did a google search on it and only got one hit. That confirms that it is bad. I had OTL look for all sfcfiles.dll and only found the one instance.

As for Trend being sick that was in the Event logs:


Error - 3/1/2011 3:32:03 PM | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module
tmffext.dll, version 5.82.0.1008, fault address 0x00015406.


tmffext.dll googles as being from Trend Micro.

Sound like it is time to clean up:

We need to clean up System Restore.

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files, you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK, close program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas, and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update. Seems to work best if Firefox is the default browser.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/ though the free version only blocks the first 200 ads a day. (Good reason to use Firefox or Chrome.)

If Firefox is slow loading make sure it only has the current Java Console add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit. You should run Speedy Fox anytime you make a change to Firefox such as deleting or adding an add-on or upgrading Firefox.

Be warned: If you use Limewire, uTorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
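Ron's two checks above (the MD5 that does not match any known build of sfcfiles.dll, and the event log showing the same Trend Micro module faulting under Firefox again and again), written out as an added example for this thread; it is not code from ComboFix, OTL or Trend Micro. The line formats are taken from the OTL and ComboFix output quoted in the thread. KNOWN_GOOD is a constructed placeholder: the real hash of a clean sfcfiles.dll 5.1.2600.5512 is not on this page, so the reference value is the MD5 of a stand-in byte string, and the regex and function names are my own.

```python
"""Two checks from Ron's reasoning above: compare a tool-reported MD5 with a
reference hash for that file version, and tally which module keeps faulting in
Application Error (ID 1000) events. Added example, not ComboFix/OTL/Trend Micro
code. KNOWN_GOOD is a constructed placeholder (hash of a stand-in byte string):
the real hash of a clean sfcfiles.dll 5.1.2600.5512 is not given on this page.
"""
import hashlib
import re
from collections import Counter

# Line formats copied from the OTL and ComboFix output quoted in the thread.
OTL_MD5_RE = re.compile(r'MD5=(?P<md5>[0-9A-Fa-f]{32})\s+--\s+(?P<path>\S.*)$')
CF_SIGCHECK_RE = re.compile(
    r'^\[(?P<flag>[^\]]*)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)'
    r'\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$')
FAULT_RE = re.compile(
    r'Faulting application (?P<app>\S+), version \S+, faulting module\s+(?P<mod>\S+),')

GOOD_BLOB = b"constructed stand-in for a clean sfcfiles.dll 5.1.2600.5512\n"
KNOWN_GOOD = {  # (file name, file version) -> acceptable MD5s; hypothetical values
    ("sfcfiles.dll", "5.1.2600.5512"): {hashlib.md5(GOOD_BLOB).hexdigest().upper()},
}


def md5_hex(data):
    """Recompute locally what the tool reported (read the file in binary mode)."""
    return hashlib.md5(data).hexdigest().upper()


def parse_otl_md5(line):
    """OTL '< MD5 for: X >' entry -> {'path', 'md5'}, or None."""
    m = OTL_MD5_RE.search(line.strip())
    return {"path": m["path"], "md5": m["md5"].upper()} if m else None


def parse_sigcheck(line):
    """ComboFix Sigcheck entry -> {'flag', 'path', 'md5', 'version', 'size'}, or None."""
    m = CF_SIGCHECK_RE.match(line.strip())
    if not m:
        return None
    return {"flag": m["flag"], "path": m["path"], "md5": m["md5"].upper(),
            "version": m["ver"], "size": int(m["size"])}


def verdict(entry):
    """Judge a parsed entry by file name and version against KNOWN_GOOD."""
    name = entry["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    allowed = KNOWN_GOOD.get((name, entry["version"]))
    if allowed is None:
        return "no reference hash for this file/version"
    if entry["md5"] in allowed:
        return "hash matches reference"
    return "HASH MISMATCH: replace from a clean source"


def faulting_modules(text):
    """Counter of (application, module) over ID 1000 entries; OTL wraps each
    Description over two lines, so continuation lines are joined first."""
    joined = re.sub(r'\n(?!Error - )', ' ', text)
    return Counter((m["app"], m["mod"]) for m in FAULT_RE.finditer(joined))


# Sample input: the lines quoted in this thread (one hang, three faults).
OTL_LINE = r"[2008/05/22 12:39:52 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=5378E4A3DF2D44C71CCB5FE4D5FB8A0E -- C:\WINDOWS\system32\sfcfiles.dll"
CF_LINE = r"[-] 2008-05-22 . 5378E4A3DF2D44C71CCB5FE4D5FB8A0E . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll"
FAULT = ("Error - {when} | Computer Name = EmployeeName-XP | Source = Application Error | ID = 1000\n"
         "Description = Faulting application firefox.exe, version 1.9.2.3989, faulting module\n"
         "tmffext.dll, version 5.82.0.1008, fault address 0x00015406.\n")
EVENTS = ("Error - 1/14/2011 10:04:20 AM | Computer Name = EmployeeName-XP | Source = Application Hang | ID = 1002\n"
          "Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module\n"
          "hungapp, version 0.0.0.0, hang address 0x00000000.\n\n"
          + "\n".join(FAULT.format(when=w) for w in
                      ("2/8/2011 12:44:56 PM", "2/22/2011 5:07:14 PM", "3/1/2011 3:32:03 PM")))

if __name__ == "__main__":
    print(parse_otl_md5(OTL_LINE))
    entry = parse_sigcheck(CF_LINE)
    print(entry["path"], entry["version"], entry["md5"], "->", verdict(entry))
    for (app, mod), n in faulting_modules(EVENTS).most_common():
        print(f"{n}x {app} faulting in {mod}")
```

The hash table is the part you have to supply yourself: collect MD5s from a known-clean XP SP3 machine (or a vendor-published list) keyed by file version, because the same file name legitimately has a different hash in every service pack and hotfix level. The module tally is just a way to make the "same DLL every time" pattern jump out of a long event log instead of relying on reading ten entries by eye.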

#12 Aristazi (Member, Topic Starter)
Thanks so much Ron! Cleanup went smoothly and updates installed. Thank you! :wub: