Attn RKinner - Java Zero Day exploit? Thread from PM



#1 thisstinks (Member, 13 posts)
Clearly got hit with a Java bug

Admin OK'd starting a new thread. I would take the time to clean it up later, but I don't want to bounce forward again.

Original thread by truthintaxation2

For RKinner, or anyone who can direct me to a site to learn about this new Java exploit: please PM.


PM Thisstinks to RKinner

I am Jim, the one with the thread you are helping with. I cannot log in to Geeks to Go; it always says you are a new user, so first I was Truthintaxation, then truthintaxation2, then 3, and now I have created this account to get on, because I can't even contact support: it says Akismet thinks you are spam.

Maybe you know what to do, but most likely only support can help. Could you contact support for me so I can get back on the forum? Thank you, thank you.

I tried to reply to the thread under this ID but it won't let me, and I don't want to clutter things up with a new thread, but I am going to try to find a login help thread.

In the meantime, for support, please ask them to contact me.

Sent 22 August 2012 - 10:44 PM

POST PM RKinner to Thisstinks

Are you clicking on the Sign In (to the left of the facebook f) and not on the Join Now button?

I have forwarded your message to our admin. As a work around you can send me the logs via PM and I can add them to your topic.

Sent 23 August 2012 - 01:35 AM
POST RKinner to Thisstinks

Admin tells me he thinks malware is interfering with your JavaScript and suggests you try disabling JavaScript in your browser.

http://www.mistered..../browsers.shtml

Sent 23 August 2012 - 08:11 AM
POST Thisstinks to RKinner
I have disabled JavaScript but will still send the details now for the next few items via PM. Then I will add some snips when I get back to where I can add some attachments.

1. Discovered that even though I ran otl.exe as admin and answered affirmative to all Comodo challenges, Comodo reports OTL was run in sandbox mode. I have removed otl.exe from the sandbox and defined it as trusted, but will not rerun it until asked to. Appears suspect.

2. Java clear of temp files: to a layman, appeared fine.

3. TFC ran for 11 full minutes, completed, and asked me to reboot. Appeared fine, but the timing mismatch to your post indicates suspect.

4. Ran Process Explorer; it is similar to otl.exe: I answered all Comodo challenges affirmative and it is not sandboxed, but Comodo reports it blocked procexp.exe over 400 times in 17 minutes. The flag is Accessing Memory; the target is Comodo\ComodoInternetSecurity\cmdagent.exe.
Everything shows verified and I will post later. Appears suspect.

5. Disk check: after Tools > Error Checking > Check now, was unable to check box two, recovery.

6. sfc /scannow reported issues.

I apologize, but I need to get to work; I will continue as soon as possible. It may not be for a while, as I have some meetings scheduled; expect about 2 pm EDT. As always, thx.
POST PM RKinner to Thisstinks (Malware Expert)
Sent 23 August 2012 - 12:27 PM

Comodo is going to have to go. We can't have it blocking the tools. There is nothing wrong with OTL or with procexp. The fact that it is blocking things and sending them to the sandbox shows it is also an anti-virus and not just a firewall. If you need a firewall then use the free Online Armor.
http://www.online-ar...-armor-free.php



POST Thisstinks to RKinner

I have Comodo exited but not uninstalled; Windows Firewall is on.
MS Security Essentials is off, Lavasoft is on; no point in trying to install Avast until later.
I have uninstalled the Kodak app, accepting the yellow UAC warning on the .msi action.

Reran OTL in quick mode, then realized I ran regular mode last time. The regular mode follows, but I can post the quick one if you need it. Sorry this is so slow, but I never realized that disabling active Java scripting would affect so many things; just getting around the web has been slow for me.

I will reclear java cache, rerun TFC and take a new snapshot of Procexp when you give the OTL OK

Thanks, Jim

OTL logfile created on: 8/25/2012 12:49:31 AM - Run 4
OTL by OldTimer - Version 3.2.58.1 Folder = C:\Users\Historic Inn\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.48 Gb Total Physical Memory | 3.45 Gb Available Physical Memory | 62.90% Memory free
10.95 Gb Paging File | 9.25 Gb Available in Paging File | 84.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.54 Gb Total Space | 284.26 Gb Free Space | 62.95% Space Free | Partition Type: NTFS
Drive D: | 13.92 Gb Total Space | 1.55 Gb Free Space | 11.16% Space Free | Partition Type: NTFS

Computer Name: HISTORICINN | User Name: Historic Inn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Processes (All) ==========

PRC - C:\Users\Historic Inn\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe (Lavasoft Limited)
PRC - C:\Program Files (x86)\Ad-Aware Antivirus\AdAware.exe (Lavasoft Limited)
PRC - C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe (Microsoft Corp.)
PRC - C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe (GFI Software)
PRC - C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
PRC - C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe (CyberLink)


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
SRV:64bit: - (Carbonite-Mirror-Image-Svc) -- C:\Program Files\Carbonite\Carbonite Mirror Image\CarboniteMirrorImage.exe (Carbonite)
SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (cmdAgent) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (AMD FUEL Service) -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe (Advanced Micro Devices, Inc.)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (Ad-Aware Service) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe (Lavasoft Limited)
SRV - (IconMan_R) -- C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe (Realsil Microelectronics Inc.)
SRV - (BingDesktopUpdate) -- C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe (Microsoft Corp.)
SRV - (HPWMISVC) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe (Hewlett-Packard Development Company, L.P.)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SBAMSvc) -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe (GFI Software)
SRV - (hpCMSrv) -- C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe (Hewlett-Packard Development Company L.P.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (ACDaemon) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )
DRV:64bit: - (RTL8192Ce) -- C:\Windows\SysNative\drivers\rtl8192ce.sys (Realtek Semiconductor Corporation )
DRV:64bit: - (STHDA) -- C:\Windows\SysNative\drivers\stwrt64.sys (IDT, Inc.)
DRV:64bit: - (RSPCIESTOR) -- C:\Windows\SysNative\drivers\RtsPStor.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (sbhips) -- C:\Windows\SysNative\drivers\sbhips.sys (GFI Software)
DRV:64bit: - (sbapifs) -- C:\Windows\SysNative\drivers\sbapifs.sys (GFI Software)
DRV:64bit: - (SBRE) -- C:\Windows\SysNative\drivers\sbredrv.sys (GFI Software)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amd_sata) -- C:\Windows\SysNative\drivers\amd_sata.sys (Advanced Micro Devices)
DRV:64bit: - (amd_xata) -- C:\Windows\SysNative\drivers\amd_xata.sys (Advanced Micro Devices)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV:64bit: - (clwvd) -- C:\Windows\SysNative\drivers\clwvd.sys (CyberLink Corporation)
DRV:64bit: - (amdiox64) -- C:\Windows\SysNative\drivers\amdiox64.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (SrvHsfV92) -- C:\Windows\SysNative\drivers\VSTDPV6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (SrvHsfWinac) -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (SrvHsfHDA) -- C:\Windows\SysNative\drivers\VSTAZL6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (NVENETFD) -- C:\Windows\SysNative\drivers\nvm62x64.sys (NVIDIA Corporation)
DRV:64bit: - (BCM43XX) -- C:\Windows\SysNative\drivers\BCMWL664.SYS (Broadcom Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (SBRE) -- C:\Windows\SysWOW64\drivers\SBREDrv.sys (GFI Software)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 07 12 42 CD DD 3C CD 01 [binary data]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.6.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012/05/18 23:35:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2012/04/07 09:20:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Historic Inn\AppData\Roaming\mozilla\Extensions
[2012/05/03 09:39:12 | 000,564,732 | ---- | M] () (No name found) -- C:\USERS\HISTORIC INN\APPDATA\ROAMING\THUNDERBIRD\PROFILES\Z4Y0VCJ6.DEFAULT\EXTENSIONS\[email protected]

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (LastPass Vault) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Ad-Aware Antivirus] C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher.exe (Lavasoft Limited)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKCU..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8:64bit: - Extra context menu item: LastPass - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8:64bit: - Extra context menu item: LastPass Fill Forms - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O8 - Extra context menu item: LastPass - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O9:64bit: - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O9:64bit: - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O9 - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000001 [] - C:\Windows\SysNative\nlaapi.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000002 [] - C:\Windows\SysNative\NapiNSP.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000003 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000004 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Windows\SysNative\winrnr.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWOW64\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWOW64\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\SysWOW64\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{579B1970-7426-4C37-A8E1-C2AC490679A1}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysWOW64\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O30:64bit: - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (kerberos) - C:\Windows\SysNative\kerberos.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (schannel) - C:\Windows\SysNative\schannel.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (wdigest) - C:\Windows\SysNative\wdigest.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (tspkg) - C:\Windows\SysNative\tspkg.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\SysWow64\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\SysWow64\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\SysWow64\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\SysWow64\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell - "" = AutoRun
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell\AutoRun\command - "" = G:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell - "" = AutoRun
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell\AutoRun\command - "" = F:\KODAK_Camera_Setup_App.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/22 20:30:10 | 002,691,192 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Historic Inn\Desktop\procexp.exe
[2012/08/22 09:01:25 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\TFC.exe
[2012/08/22 00:45:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/08/22 00:44:52 | 000,821,736 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2012/08/22 00:44:52 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012/08/22 00:44:38 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012/08/22 00:44:38 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012/08/22 00:44:38 | 000,095,208 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012/08/21 04:11:42 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2012/08/21 04:11:42 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2012/08/21 04:11:42 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\splwow64.exe
[2012/08/21 03:58:41 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2012/08/20 16:28:36 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\adaware
[2012/08/20 16:28:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection
[2012/08/20 16:28:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ad-Aware Antivirus
[2012/08/20 16:28:23 | 000,060,536 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\sbhips.sys
[2012/08/20 16:28:21 | 000,057,976 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\sbredrv.sys
[2012/08/20 16:28:21 | 000,045,936 | ---- | C] (GFI Software) -- C:\Windows\SysNative\sbbd.exe
[2012/08/20 16:28:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2012/08/20 16:28:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ad-Aware Antivirus
[2012/08/20 16:27:35 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\Downloaded Installations
[2012/08/20 16:26:15 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Roaming\Ad-Aware Antivirus
[2012/08/19 21:41:02 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\OTL.exe
[2012/08/14 22:17:40 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll
[2012/08/14 22:11:14 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/08/14 22:11:14 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/08/14 22:11:13 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/08/14 22:11:13 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/08/14 22:11:11 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/08/14 22:11:11 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/08/14 22:11:11 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012/08/14 22:11:11 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/08/14 22:11:10 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/08/14 22:11:10 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/08/14 22:11:10 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/08/14 22:11:08 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/08/14 22:11:08 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/08/14 22:07:43 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netapi32.dll
[2012/08/14 22:07:43 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browcli.dll
[2012/08/14 22:07:42 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\browcli.dll
[2012/08/14 00:28:19 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\ElevatedDiagnostics
[2012/08/10 09:08:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/07/28 00:25:55 | 000,000,000 | ---D | C] -- C:\ProgramData\HP
[2012/02/27 18:52:20 | 006,221,896 | ---- | C] (LastPass) -- C:\Program Files (x86)\Common Files\lpuninstall.exe

========== Files - Modified Within 30 Days ==========

[2012/08/25 00:50:56 | 002,883,584 | -HS- | M] () -- C:\Users\Historic Inn\ntuser.dat
[2012/08/24 13:59:25 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/24 13:59:25 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/24 13:59:20 | 000,001,828 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
[2012/08/24 13:51:35 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2012/08/24 13:50:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/24 13:50:32 | 116,449,279 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/24 07:17:36 | 002,300,810 | -H-- | M] () -- C:\Users\Historic Inn\AppData\Local\IconCache.db
[2012/08/23 07:35:23 | 000,018,050 | ---- | M] () -- C:\Users\Historic Inn\Desktop\fieewall event gap.PNG
[2012/08/22 22:28:38 | 009,506,816 | ---- | M] () -- C:\Users\Historic Inn\Documents\cleared application log.evtx
[2012/08/22 22:27:45 | 020,975,616 | ---- | M] () -- C:\Users\Historic Inn\Documents\cleared system log.evtx
[2012/08/22 21:54:36 | 000,250,639 | ---- | M] () -- C:\Users\Historic Inn\Desktop\geekstogo.PNG
[2012/08/22 20:30:11 | 002,691,192 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Historic Inn\Desktop\procexp.exe
[2012/08/22 20:12:07 | 000,000,360 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForHistoric Inn.job
[2012/08/22 09:01:26 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\TFC.exe
[2012/08/22 08:51:42 | 000,233,880 | ---- | M] () -- C:\Users\Historic Inn\Desktop\Comodo blocks 08 21and22 2012.PNG
[2012/08/22 00:56:49 | 000,063,861 | ---- | M] () -- C:\Users\Historic Inn\Desktop\2kodak uninstall.PNG
[2012/08/22 00:56:08 | 000,063,809 | ---- | M] () -- C:\Users\Historic Inn\Desktop\kodak uninstall.PNG
[2012/08/22 00:44:20 | 000,095,208 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012/08/22 00:44:16 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012/08/22 00:44:16 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012/08/22 00:44:15 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012/08/22 00:44:13 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2012/08/21 04:08:10 | 000,335,656 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/08/19 22:01:02 | 136,114,056 | ---- | M] () -- C:\Users\Historic Inn\Desktop\setup_11.0.0.1245.x01_2012_08_20_04_26.exe
[2012/08/19 21:41:18 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\OTL.exe
[2012/08/02 10:29:31 | 000,001,069 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/29 10:10:49 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/07/29 10:10:49 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/08/23 07:35:23 | 000,018,050 | ---- | C] () -- C:\Users\Historic Inn\Desktop\fieewall event gap.PNG
[2012/08/22 22:28:38 | 009,506,816 | ---- | C] () -- C:\Users\Historic Inn\Documents\cleared application log.evtx
[2012/08/22 22:27:44 | 020,975,616 | ---- | C] () -- C:\Users\Historic Inn\Documents\cleared system log.evtx
[2012/08/22 21:54:36 | 000,250,639 | ---- | C] () -- C:\Users\Historic Inn\Desktop\geekstogo.PNG
[2012/08/22 09:14:24 | 002,300,810 | -H-- | C] () -- C:\Users\Historic Inn\AppData\Local\IconCache.db
[2012/08/22 08:51:42 | 000,233,880 | ---- | C] () -- C:\Users\Historic Inn\Desktop\Comodo blocks 08 21and22 2012.PNG
[2012/08/22 00:56:49 | 000,063,861 | ---- | C] () -- C:\Users\Historic Inn\Desktop\2kodak uninstall.PNG
[2012/08/22 00:56:08 | 000,063,809 | ---- | C] () -- C:\Users\Historic Inn\Desktop\kodak uninstall.PNG
[2012/08/20 16:28:28 | 000,001,828 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
[2012/08/19 21:57:59 | 136,114,056 | ---- | C] () -- C:\Users\Historic Inn\Desktop\setup_11.0.0.1245.x01_2012_08_20_04_26.exe
[2012/08/02 10:29:31 | 000,001,069 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/26 23:29:48 | 000,524,288 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.dat{bd979e0f-a7a8-11e1-bd93-ee5cfcd27e86}.TMContainer00000000000000000002.regtrans-ms
[2012/05/26 23:29:48 | 000,524,288 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.dat{bd979e0f-a7a8-11e1-bd93-ee5cfcd27e86}.TMContainer00000000000000000001.regtrans-ms
[2012/05/26 23:29:48 | 000,065,536 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.dat{bd979e0f-a7a8-11e1-bd93-ee5cfcd27e86}.TM.blf
[2012/04/04 14:11:40 | 000,540,672 | ---- | C] () -- C:\Windows\SysWow64\TX32.dll
[2012/04/04 14:11:40 | 000,000,478 | ---- | C] () -- C:\Windows\SysWow64\ic32.ini
[2012/04/04 14:11:38 | 000,109,056 | ---- | C] () -- C:\Windows\SysWow64\reg.dll
[2012/02/23 05:59:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012/02/23 05:57:40 | 000,451,072 | ---- | C] () -- C:\Windows\SysWow64\ISSRemoveSP.exe
[2012/02/23 05:53:00 | 000,796,420 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/23 03:31:55 | 000,074,008 | ---- | C] () -- C:\Users\Historic Inn\AppData\Local\GDIPFONTCACHEV1.DAT
[2012/02/23 03:29:55 | 002,883,584 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.dat
[2012/02/23 03:29:55 | 000,524,288 | -HS- | C] () -- C:\Users\Historic Inn\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2012/02/23 03:29:55 | 000,524,288 | -HS- | C] () -- C:\Users\Historic Inn\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2012/02/23 03:29:55 | 000,065,536 | -HS- | C] () -- C:\Users\Historic Inn\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2012/02/23 03:29:55 | 000,000,020 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.ini
[2011/03/21 23:56:22 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/03/17 18:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

========== LOP Check ==========

[2012/08/20 22:19:15 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Ad-Aware Antivirus
[2012/02/28 21:40:44 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\OpenOffice.org
[2012/02/23 03:31:28 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Synaptics
[2012/04/07 09:20:48 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Thunderbird
[2012/08/23 17:11:43 | 000,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
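Added example, written for this page; it is not part of the thread and not code from OTL or from the forum's experts. It applies to the log above the checks a malware-removal helper makes by eye: AppInit_DLLs entries (a DLL loaded into every process that links user32, here COMODO's guard DLLs), the AutoRun commands cached in MountPoints2 for removable volumes (the O33 lines the fix script in the next reply removes), optical-drive AutoRun, .exe/.com shell handlers that differ from the Windows default `"%1" %*`, and entries that resolve to "File not found". The sample lines are copied from the log above; the one hijacked-handler line is constructed and marked as such, and the names `triage` and `Finding` are this example's own.

```python
"""Mechanical triage of a few OTL log entries (added example, not OTL code)."""
import re
from dataclasses import dataclass

DEFAULT_HANDLER = '"%1" %*'   # what HKLM\...\exefile and comfile [open] should carry

APPINIT_RE = re.compile(
    r"^O20(?::64bit:)? - AppInit_DLLs: \((?P<value>[^)]*)\) - (?P<path>.+?) \((?P<company>[^)]*)\)$"
)
CDROM_RE = re.compile(r"^O32 - HKLM CDRom: AutoRun - (?P<value>\d+)$")
MOUNTPOINT_CMD_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)
HANDLER_RE = re.compile(
    r"^O3[57](?::64bit:)? - HKLM\\\.{2,3}(?P<key>\S+) \[[^\]]*\] -- (?P<cmd>.+)$"
)
NOT_FOUND_RE = re.compile(r"^O\d+(?::64bit:)? - (?P<detail>.+) - File not found$")

# Constructed sample: lines copied verbatim from the OTL log posted above.
SAMPLE_LOG = r"""
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell - "" = AutoRun
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell\AutoRun\command - "" = G:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell\AutoRun\command - "" = F:\KODAK_Camera_Setup_App.exe
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# Constructed, NOT from the thread: the shape a hijacked .exe handler would have.
HIJACKED_HANDLER_SAMPLE = r'O35 - HKLM\..exefile [open] -- "C:\Users\Public\loader.exe" "%1" %*'


@dataclass
class Finding:
    kind: str
    detail: str


def triage(log_text):
    """Return Findings for the OTL lines in log_text, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := APPINIT_RE.match(line):
            # Any AppInit DLL is worth a look: it is injected system-wide.
            findings.append(Finding("appinit_dll", f"{m['path']} ({m['company']})"))
        elif m := CDROM_RE.match(line):
            if m["value"] != "0":
                findings.append(Finding("cdrom_autorun", f"HKLM CDRom AutoRun = {m['value']}"))
        elif m := MOUNTPOINT_CMD_RE.match(line):
            # Cached per-volume AutoRun command; this is what the O33 fix removes.
            findings.append(Finding("mountpoint_autorun", f"{m['guid']} -> {m['cmd']}"))
        elif m := HANDLER_RE.match(line):
            if m["cmd"] != DEFAULT_HANDLER:
                findings.append(Finding("shell_handler", f"{m['key']}: {m['cmd']}"))
        elif m := NOT_FOUND_RE.match(line):
            findings.append(Finding("file_not_found", m["detail"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```

On the sample above the script reports the two COMODO AppInit DLLs, the unresolved VMApplet entry, CD-ROM AutoRun still on, and the two cached Kodak AutoRun commands; the default handlers produce nothing, while the constructed hijacked line does. The MountPoints2 hits are the same two devices the fix script targets.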
RKinner

Malware Expert

Group: Expert Posts: 8,833 Joined: 19-April 05 Location:Orcas Island (Olga, WA) MVP:
Sent 25 August 2012 - 02:18 AM

Copy the text in the code box by highlighting and Ctrl + c


:OTL
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell - "" = AutoRun
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell\AutoRun\command - "" = G:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell - "" = AutoRun
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell\AutoRun\command - "" = F:\KODAK_Camera_Setup_App.exe

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]



Then right-click on OTL and select Run As Administrator to start. In the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all, and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

You need to uninstall Ad-Aware Anti-virus. You should not be running it with Microsoft Security Essentials.

Go on with the other steps from before.
If you are lucky enough to live on Orcas Island you're lucky enough!
thisstinks

New Member

Group: Member Posts: 1 Joined: 22-August 12
Sent 25 August 2012 - 07:30 PM

The script has G: drive and F: drive, so I want to clarify....

I run an external Seagate Goflex 2Tb hard drive, single drive partitioned.

G: is for the Carbonite mirror image and F: is for docs, photos and video. I disconnected this drive as soon as I thought something was wrong. Just now, I ran the script and it completed in seconds and rebooted. But the external drive was not reconnected.

I am going to reconnect the external drive and rerun OTL. This is just to document what I have done should I have made a mistake that will cause any trouble.

Jim

thisstinks (New Member)
Sent 26 August 2012 - 04:17 PM

PS I have uninstalled Comodo firewall and the Ad-Aware scanner. Turned Windows firewall back on but never ran the two simultaneously. Used Ad-Aware for scanning but did not use real-time protection or any other paid features; MS Essentials has been the only real-time protection, or lack thereof.

RKinner (Malware Expert)
Sent 26 August 2012 - 07:54 PM

Can you run Process Explorer now that Comodo is not in the way?

thisstinks (New Member)
Sent 26 August 2012 - 09:35 PM

RKinner, on 26 August 2012 - 07:54 PM, said:

Can you run Process Explorer now that Comodo is not in the way?


The admin PM'd and said a system cleaner might fix the login-blocked-by-malware issue. I do not know what it is and have run nothing.

I cannot run the ESET online scanner. I cannot accept the license agreement with active scripting off. If I turn it on I can accept the agreement, but then the downloader window comes up and says Initialization Failed, Cannot Get Update, Is proxy configured?

Here is Processexplorer

Process PID CPU Private Bytes Working Set Description Company Name Verified Signer User Name
System Idle Process 0 91.41 0 K 24 K NT AUTHORITY\SYSTEM
procexp64.exe 3112 4.64 24,548 K 44,556 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Sysinternals HistoricInn\Historic Inn
Interrupts n/a 1.81 0 K 0 K Hardware Interrupts and DPCs
csrss.exe 488 0.55 2,760 K 5,960 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
dwm.exe 2160 0.55 32,544 K 30,020 K Desktop Window Manager Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
System 4 0.40 396 K 1,144 K NT AUTHORITY\SYSTEM
CarboniteUI.exe 2712 0.16 14,076 K 30,336 K Carbonite User Interface Carbonite, Inc. (Verified) Carbonite, Inc HistoricInn\Historic Inn
CarboniteService.exe 1512 0.13 8,952 K 21,596 K Carbonite Secure Backup Engine Carbonite, Inc. (www.carbonite.com) (Verified) Carbonite, Inc NT AUTHORITY\SYSTEM
explorer.exe 2220 0.12 40,944 K 67,544 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
iexplore.exe 396 0.06 121,796 K 133,932 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
MsMpEng.exe 796 0.05 73,416 K 47,012 K Antimalware Service Executable Microsoft Corporation (Verified) Microsoft Corporation NT AUTHORITY\SYSTEM
msseces.exe 2592 0.05 7,244 K 18,532 K Microsoft Security Client User Interface Microsoft Corporation (Verified) Microsoft Corporation HistoricInn\Historic Inn
iexplore.exe 2700 0.01 8,648 K 21,708 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
svchost.exe 904 0.01 9,028 K 15,768 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
svchost.exe 284 0.01 33,920 K 54,920 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
peerblock.exe 2644 < 0.01 16,136 K 19,408 K PeerBlock PeerBlock, LLC (Verified) PeerBlock, LLC HistoricInn\Historic Inn
svchost.exe 1084 < 0.01 14,268 K 15,512 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\NETWORK SERVICE
YCMMirage.exe 2884 < 0.01 1,580 K 872 K YouCam Mirage CyberLink (Verified) CyberLink HistoricInn\Historic Inn
services.exe 516 < 0.01 6,132 K 11,680 K Services and Controller app Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
SearchIndexer.exe 2896 < 0.01 24,300 K 17,232 K Microsoft Windows Search Indexer Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
SMSvcHost.exe 1608 < 0.01 33,324 K 23,448 K SMSvcHost.exe Microsoft Corporation (Verified) Microsoft Corporation NT AUTHORITY\LOCAL SERVICE
svchost.exe 1544 < 0.01 7,736 K 25,188 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
svchost.exe 660 < 0.01 4,372 K 9,888 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
SearchProtocolHost.exe 3816 < 0.01 2,344 K 7,508 K Microsoft Windows Search Protocol Host Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
svchost.exe 1824 < 0.01 161,656 K 163,500 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
WmiPrvSE.exe 3636 2,608 K 6,004 K WMI Provider Host Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
winlogon.exe 864 3,004 K 7,100 K Windows Logon Application Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
wininit.exe 456 1,480 K 4,356 K Windows Start-Up Application Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
taskhost.exe 1784 3,264 K 7,568 K Host Process for Windows Tasks Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
taskeng.exe 2812 2,024 K 5,744 K Task Scheduler Engine Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
svchost.exe 1004 8,336 K 17,224 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
svchost.exe 1396 10,452 K 14,064 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
svchost.exe 972 20,508 K 18,108 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
svchost.exe 736 3,972 K 7,808 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\NETWORK SERVICE
svchost.exe 1796 1,776 K 5,392 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
spoolsv.exe 1368 6,308 K 11,404 K Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
smss.exe 268 468 K 1,104 K Windows Session Manager Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
SearchFilterHost.exe 3488 1,832 K 4,832 K Microsoft Windows Search Filter Host Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
lsm.exe 544 2,332 K 4,100 K Local Session Manager Service Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
lsass.exe 536 4,352 K 10,916 K Local Security Authority Process Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
FlashUtil32_11_3_300_268_ActiveX.exe 1100 3,132 K 8,136 K Adobe® Flash® Player Installer/Uninstaller 11.3 r300 Adobe Systems Incorporated (Verified) Adobe Systems Incorporated HistoricInn\Historic Inn
dllhost.exe 1256 7,584 K 11,380 K COM Surrogate Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\NETWORK SERVICE
csrss.exe 380 1,980 K 4,316 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM

RKinner (Malware Expert)
Sent 27 August 2012 - 02:48 AM

Process Explorer looks pretty good. I don't see anything hogging the CPU or anything that looks suspicious. Sometimes you can get ESET to work in Firefox but you have to install their add-on first.

Do you still have a problem?

thisstinks (New Member)
Sent 27 August 2012 - 11:49 AM

I will cautiously say it looks OK.

I am running the ESET online scan right now and I will see what the results hold.

A few very important questions,

The mirror drive
What happens when I reconnect the Carbonite mirror drive? Should I just reformat the drive and start over? Will even hooking it up to reformat cause reinfection?

Computer B
What about the other computer she was using? Symptoms seem to be the same as this one, should I start a new thread or start at the beginning of your instructions and follow them with a hard stop and contact you if there is any difference?

Computer C
Seems fine, is the ESET online scan my best bet to be sure?

And lastly, where can I go and learn more about how to secure our PC's so that my children cannot do something like this again?

Thank you so very much. I am not lucky enough to live on Orcas Island but I am lucky enough to own an Inn near Monticello that was built by members of Jefferson's family in 1820. We have hosted Thomas Jefferson, Martin Van Buren, Teddy Roosevelt and Franklin Roosevelt. If you are ever out this way to visit Charlottesville there is a room here for you waiting. Jim

RKinner (Malware Expert)
Sent 27 August 2012 - 12:31 PM

ESET is one of the best free online scans so if it says you are clean then most likely you are.

Normally Windows has an update that prevents anything from using the autorun.inf file, but I don't see it on yours.

There is a program called AutoRun Eater v2.5
http://download.cnet...4-10752777.html
It will stay resident and prevent USB drives from infecting your PC via autorun.inf if you do not have the Windows update that removes autorun from everything but CD/DVDs.

Download, Save and Run by Right clicking and Run As Admin.

The other threat is easy to guard against. Do not open the drive using Explorer or Computer until after you have done the following:

Use a Command Window to put a directory called desktop.ini in the root of each drive. Say you have an external drive in F:

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:


F:
mkdir \desktop.ini

(you can also do the same for autorun.inf)
mkdir \autorun.inf

Then I would scan the drive with your anti-virus.

In your case I did not see anything really evil so I doubt that your other drives are infected. We should probably cleanup:

We need to cleanup System Restore:

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]


Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.



You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

1. Open the Control Panel menu and click Folder Options.
2. After the new window appears select the View tab.
3. Remove the check in the checkbox labeled Display the contents of system folders.
4. Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
5. Check the checkbox labeled Hide protected operating system files.
6. Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/ Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, uTorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.




If you could I would prefer to work from a new topic on your other PCs. It's a real pain to work via PMs. If you want to be sure I'll pick it up, put my name in the Subject and send me a PM with the link.

Start off with a custom OTL scan as follows:

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT


Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron
If you are lucky enough to live on Orcas Island you're lucky enough!

thisstinks
Sent 28 August 2012 - 05:05 PM

FOUND IT! Note the little "c"

Autorun eater finds "c:\\ProgramFiles\MicrosoftSecurityclient\msseces.exe" -hide -runkey
And says this is not a valid file

MSE report says


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" -UnregisterWSC -InstallPath "c:\Program Files\Microsoft Security Client\\"
Start Time: ‎Tue ‎Aug ‎28 ‎2012 16:23:25

INFO: IWscASStatus::Unregister() Succeeded
INFO: IWscAVStatus::Unregister() Succeeded
INFO: RunCommandUnregisterWSC() Succeeded 0
MpCmdRun: End Time: ‎Tue ‎Aug ‎28 ‎2012 16:23:25
-------------------------------------------------------------------------------------

Went to CCleaner and removed the startup line = "c:\Program Files\Microsoft Security Client\MpCmdRun.exe"


Then I rebooted and it was normal fast instead of dog slow, now I am running MSEssentials then I will run ESET online scan.

What is the next step?
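As an added example (not code from the thread, from Autorun Eater or from Microsoft), a small Python checker that parses Run-key values like the one reported above, compares the executable path against its expected install location, and reports what actually differs. It assumes the default Microsoft Security Essentials install path as the known-good entry and uses the reported string as constructed sample input; it deliberately ignores drive-letter case (Windows paths are case-insensitive) and instead reports the doubled backslash and the collapsed directory names.

```python
import ntpath

# Constructed sample input (not captured from the thread's machines): the
# Run-key value Autorun Eater reported, beside the value a default Microsoft
# Security Essentials install writes (assumption: default install path).
SAMPLE_ENTRIES = {
    "flagged": r'"c:\\ProgramFiles\MicrosoftSecurityclient\msseces.exe" -hide -runkey',
    "expected": r'"C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey',
}

# Known-good locations for executables worth checking, keyed by file name
# (hypothetical allow-list; extend it with whatever products are installed).
KNOWN_GOOD = {
    "msseces.exe": r"C:\Program Files\Microsoft Security Client\msseces.exe",
}


def parse_run_value(cmd):
    """Split a Run-key command line into (executable path, arguments).

    A quoted value ends at the closing quote; an unquoted value is split at
    the first space, which is how a naive loader would read it.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the path
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def canonical(path):
    """Normalise a Windows path for comparison.

    ntpath works on any OS. normpath collapses doubled separators and
    normcase lower-cases the whole string, so a lowercase drive letter
    (c: versus C:) never counts as a difference: Windows paths are
    case-insensitive.
    """
    return ntpath.normcase(ntpath.normpath(path))


def check_entry(cmd):
    """Return the findings for one Run-key value; an empty list means it matches."""
    exe, _args = parse_run_value(cmd)
    findings = []
    # A doubled backslash is legitimate only as a UNC prefix (\\server\share).
    body = exe[2:] if exe.startswith("\\\\") else exe
    if "\\\\" in body:
        findings.append("doubled separator inside path")
    name = ntpath.basename(exe).lower()
    good = KNOWN_GOOD.get(name)
    if good is not None and canonical(exe) != canonical(good):
        findings.append(f"{name} is not at its expected location {good}")
    return findings


def audit(entries):
    """Check every (name -> command line) pair and keep only the suspicious ones."""
    return {name: f for name, cmd in entries.items() if (f := check_entry(cmd))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(findings))
```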
thisstinks

Sent 28 August 2012 - 06:11 PM

Autorun Eater has found the little "c" command on all three computers so clearly all three have been compromised by this. I will let ESET finish but cannot be sure that anything I am doing is actually having an effect since Essentials is compromised.

Silentrunners reports this on all three


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

CarboniteService, CarboniteService, "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [Carbonite, Inc. (www.carbonite.com)]
Microsoft Antimalware Service, MsMpSvc, "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [MS]
Net.Tcp Port Sharing Service, NetTcpPortSharing, C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [MS]


Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

<<!>> MsMpSvc, Service

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

<<!>> MsMpSvc, Service


---------- (launch time: 2012-08-28 15:24:28)
<<!>>: Suspicious data at a malware launch point.

Edited by thisstinks, 30 August 2012 - 03:57 PM.

#2
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
This is all I know about the latest Java exploit.

http://krebsonsecuri...y-java-exploit/

To clean your Java Cache: http://www.java.com/...lugin_cache.xml

To Remove Java from your Browser:

http://www.geekstogo...ur-web-browser/

Alternatively with Firefox you can run the NoScript add-on. (Chrome can use ScriptNo.) Don't know of an equivalent for IE.

If we are starting a new PC could you run the custom OTL script on it:

Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT


Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

#3
thisstinks

    Member
This is still the first PC.

After installing Autorun Eater it gave this in the MSE Scan Log

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" -UnregisterWSC -InstallPath "c:\Program Files\Microsoft Security Client\\"
Start Time: Tue Aug 28 2012 16:29:10

INFO: IWscASStatus::Unregister() Succeeded
INFO: IWscAVStatus::Unregister() Succeeded
INFO: RunCommandUnregisterWSC() Succeeded 0
MpCmdRun: End Time: Tue Aug 28 2012 16:29:11



And this in the Results Log
2012-08-28 15:44:07 : Suspicious autorun.inf file deleted from (c:) - Autorun Backup: autorun0.inf - MSE / Auto Clean


With the reboot I see this in the event viewer (full text at bottom of post)


Description:
The shadow copy of volume C: being created failed to install.

Everything was fine until I rebooted. Now Bing is the only search provider, can't change. Can't download anything that requires java and the Action Center keeps reporting the security center is off, I reenable but it comes back. Then it says MSEssentials is off. In the event log I see:

Log Name: System
Source: Service Control Manager
Date: 8/31/2012 3:02:53 PM
Event ID: 7003
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: HistoricInn
Description:
The Net.Tcp Listener Adapter service depends the following service: was. This service might not be installed.





Log Name: System
Source: Service Control Manager
Date: 8/31/2012 3:01:29 PM
Event ID: 7003
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: HistoricInn
Description:
The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.



And this

Log Name: System
Source: Microsoft Antimalware
Date: 8/28/2012 4:30:32 PM
Event ID: 2001
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: HistoricInn
Description:
Microsoft Antimalware has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 0.0.0.0
Update Source: Microsoft Malware Protection Center
Update Stage: Search
Source Path: http://go.microsoft....5D-99752CCA7094
Signature Type: AntiSpyware
Update Type: Full
User: HistoricInn\Historic Inn
Current Engine Version:
Previous Engine Version: 0.0.0.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved


All beginning on the 28th, many iterations in three days and zero prior.

Sorry for the delays in responding but everything is compounded time wise as I write each step in my notebook.

What is my next step? Are we at the killdisk and reinstall stage?
(I hope not, but the light is dimming)






More discoveries
================================
Log Name: Microsoft-Windows-Kernel-EventTracing/Admin
Source: Microsoft-Windows-Kernel-EventTracing
Date: 8/30/2012 5:09:23 PM
Event ID: 3
Task Category: Session
Level: Error
Keywords: Session
User: SYSTEM
Computer: HistoricInn
Description:
Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D





Log Name: System
Source: Ntfs
Date: 8/31/2012 12:20:16 PM
Event ID: 55
Task Category: (2)
Level: Error
Keywords: Classic
User: N/A
Computer: HistoricInn
Description:
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy14.




THIS APPEARS TO BE THE KICK OFF EVENT

Log Name: System
Source: volsnap
Date: 8/28/2012 7:26:23 PM
Event ID: 67
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: HistoricInn
Description:
The shadow copy of volume C: being created failed to install.

Edited by thisstinks, 31 August 2012 - 03:15 PM.


#4
RKinner

    Malware Expert
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

Then uninstall all Java versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)

Copy the next line:

MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}


Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter. If it works it may fix your search options.


Download and Save the free Avast installer.
http://www.avast.com...ivirus-download

Uninstall Microsoft Security Essentials

Reboot

Install Avast (right click and Run As Administrator). (Register when it asks you - they will try to talk you into buying the full product but the free version is what we want.)


Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
Text version of the report is at: C:\ProgramData\Avast Software\Avast\report\aswboot.txt

Your errors indicate a problem with the Volume Shadow Copy service. See if clearing all but the last restore point will help.

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot.
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

I don't see an extras log for this computer and I want a new Custom scan so:


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Ron

#5
thisstinks

    Member
Been fighting through this but had to work over Labor Day weekend. Have started on your task list above but noted this oddity in the event viewer after I "uninstalled" Java.

It says "Custom dynamic link libraries are being loaded for every application" and began when I uninstalled Java and appears on every reboot since, none ever prior. Is this normal?

Also in Avast as loaded new I looked under exclusions and found ".tmp" ".dll" "?/pagfil.sys" and many others excluded. Is this normal?

Last, in CCleaner I have not run any cleaners but in looking at startup I found this, even though I "uninstalled all Java"

Name: Sun Java Console
Publisher: Not Available
Type: Browser Extension
Version: Not available
File date:
Date last accessed: Not available
Class ID: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Use count: 0
Block count: 0
File: Not available
Folder: Not available



EVENT LOG LISTING

Log Name: System
Source: Microsoft-Windows-Wininit
Date: 9/5/2012 10:06:20 AM
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: HistoricInn

Description:
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.




Will get back on as soon as I have completed all above tasks you requested.

#6
thisstinks

    Member
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 26/08/2012 2:58:14 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 26/08/2012 5:54:09 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy32.

Log: 'System' Date/Time: 26/08/2012 5:54:09 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy32.

Log: 'System' Date/Time: 26/08/2012 5:54:09 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy32.

Log: 'System' Date/Time: 26/08/2012 5:54:09 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy32.

Log: 'System' Date/Time: 26/08/2012 5:54:09 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy32.

Log: 'System' Date/Time: 26/08/2012 5:54:06 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy33.

Log: 'System' Date/Time: 26/08/2012 5:54:04 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy33.

Log: 'System' Date/Time: 26/08/2012 5:54:02 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy33.

Log: 'System' Date/Time: 26/08/2012 5:54:00 PM
Type: Error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy33.

Log: 'System' Date/Time: 26/08/2012 5:17:27 PM
Type: Error Category: 0
Event: 7024 Source: Service Control Manager
The Routing and Remote Access service terminated with service-specific error The requested name is valid, but no data of the requested type was found..

Log: 'System' Date/Time: 26/08/2012 5:17:24 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: SBRE

Log: 'System' Date/Time: 26/08/2012 5:17:25 PM
Type: Error Category: 0
Event: 20152 Source: RemoteAccess
The currently configured authentication provider failed to load and initialize successfully. The requested name is valid, but no data of the requested type was found.

Log: 'System' Date/Time: 26/08/2012 5:17:21 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The Net.Tcp Listener Adapter service depends the following service: was. This service might not be installed.

Log: 'System' Date/Time: 26/08/2012 5:17:21 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.

Log: 'System' Date/Time: 26/08/2012 5:17:00 PM
Type: Error Category: 0
Event: 1060 Source: Application Popup
\??\C:\Windows\SysWow64\drivers\SBREdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 26/08/2012 5:17:22 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

Log: 'System' Date/Time: 26/08/2012 2:58:07 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.




Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 26/08/2012 2:59:56 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 26/08/2012 5:18:42 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Latest OTL and Extras






OTL logfile created on: 9/5/2012 1:17:01 PM - Run 6
OTL by OldTimer - Version 3.2.58.1 Folder = C:\Users\Historic Inn\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.48 Gb Total Physical Memory | 4.25 Gb Available Physical Memory | 77.62% Memory free
10.95 Gb Paging File | 9.64 Gb Available in Paging File | 88.02% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.54 Gb Total Space | 351.71 Gb Free Space | 77.89% Space Free | Partition Type: NTFS
Drive D: | 14.02 Gb Total Space | 1.65 Gb Free Space | 11.79% Space Free | Partition Type: NTFS

Computer Name: HISTORICINN | User Name: Historic Inn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/21 05:12:26 | 004,282,728 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/08/21 05:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/08/19 21:41:18 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\OTL.exe
PRC - [2012/05/08 23:39:52 | 001,061,520 | R--- | M] (Carbonite, Inc.) -- C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
PRC - [2012/03/05 13:38:38 | 000,035,200 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
PRC - [2012/02/17 18:53:28 | 000,522,720 | ---- | M] (Old McDonald's Farm) -- C:\Program Files (x86)\Autorun Eater\oldmcdonald.exe
PRC - [2012/02/17 17:52:52 | 000,425,250 | ---- | M] (Old McDonald's Farm) -- C:\Program Files (x86)\Autorun Eater\billy.exe
PRC - [2011/09/13 16:49:46 | 001,098,296 | ---- | M] (Hewlett-Packard Development Company L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
PRC - [2011/03/22 15:42:40 | 000,136,488 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/08/21 05:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2012/05/08 23:31:42 | 006,715,024 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe -- (CarboniteService)
SRV:64bit: - [2012/05/05 13:45:44 | 003,168,256 | ---- | M] (Carbonite) [Auto | Running] -- C:\Program Files\Carbonite\Carbonite Mirror Image\CarboniteMirrorImage.exe -- (Carbonite-Mirror-Image-Svc)
SRV:64bit: - [2011/09/15 19:12:12 | 000,204,288 | ---- | M] (AMD) [On_Demand | Stopped] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011/04/13 02:58:52 | 000,365,568 | ---- | M] (Advanced Micro Devices, Inc.) [On_Demand | Stopped] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/04/02 23:22:18 | 002,413,056 | ---- | M] (Realsil Microelectronics Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe -- (IconMan_R)
SRV - [2012/03/05 13:38:38 | 000,035,200 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe -- (HPWMISVC)
SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/09/13 16:49:46 | 001,098,296 | ---- | M] (Hewlett-Packard Development Company L.P.) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe -- (hpCMSrv)
SRV - [2010/03/18 17:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/08/21 05:13:13 | 000,969,200 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2012/08/21 05:13:13 | 000,359,464 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2012/08/21 05:13:13 | 000,059,728 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2012/08/21 05:13:12 | 000,071,600 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2012/08/21 05:13:12 | 000,054,072 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2012/08/21 05:13:11 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/04/18 21:26:44 | 000,425,064 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2012/04/02 23:25:44 | 001,145,448 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rtl8192ce.sys -- (RTL8192Ce)
DRV:64bit: - [2012/04/02 23:23:12 | 000,528,384 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA)
DRV:64bit: - [2012/04/02 23:22:18 | 000,338,536 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtsPStor.sys -- (RSPCIESTOR)
DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/10/14 04:37:44 | 000,396,848 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2011/09/15 19:51:12 | 010,206,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/09/15 18:38:42 | 000,317,952 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/03/04 18:46:20 | 000,078,976 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata)
DRV:64bit: - [2011/03/04 18:46:20 | 000,038,528 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/17 12:04:32 | 000,115,216 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2010/07/28 13:13:50 | 000,031,088 | ---- | M] (CyberLink Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\clwvd.sys -- (clwvd)
DRV:64bit: - [2010/02/18 13:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 17:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 17:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 17:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 16:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 16:34:38 | 001,311,232 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 07 12 42 CD DD 3C CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 15.0\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012/09/03 12:33:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 15.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2012/04/07 09:20:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Historic Inn\AppData\Roaming\mozilla\Extensions
[2012/05/03 09:39:12 | 000,564,732 | ---- | M] () (No name found) -- C:\USERS\HISTORIC INN\APPDATA\ROAMING\THUNDERBIRD\PROFILES\Z4Y0VCJ6.DEFAULT\EXTENSIONS\[email protected]

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (LastPass Vault) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Autorun Eater] C:\Program Files (x86)\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: LastPass - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8:64bit: - Extra context menu item: LastPass Fill Forms - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O8 - Extra context menu item: LastPass - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O9:64bit: - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O9:64bit: - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O9 - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{579B1970-7426-4C37-A8E1-C2AC490679A1}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C284AAD2-9339-47FB-9F11-3833CE2F17F0}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


MsConfig:64bit - StartUpReg: PeerBlock - hkey= - key= - C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
MsConfig:64bit - State: "services" - Reg Error: Key error.
MsConfig:64bit - State: "startup" - Reg Error: Key error.

SafeBootMin:64bit: AppMgmt - Service
SafeBootMin:64bit: Base - Driver Group
SafeBootMin:64bit: Boot Bus Extender - Driver Group
SafeBootMin:64bit: Boot file system - Driver Group
SafeBootMin:64bit: File system - Driver Group
SafeBootMin:64bit: Filter - Driver Group
SafeBootMin:64bit: HelpSvc - Service
SafeBootMin:64bit: PCI Configuration - Driver Group
SafeBootMin:64bit: PNP Filter - Driver Group
SafeBootMin:64bit: Primary disk - Driver Group
SafeBootMin:64bit: sacsvr - Service
SafeBootMin:64bit: SCSI Class - Driver Group
SafeBootMin:64bit: System Bus Extender - Driver Group
SafeBootMin:64bit: vmms - Service
SafeBootMin:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet:64bit: AppMgmt - Service
SafeBootNet:64bit: Base - Driver Group
SafeBootNet:64bit: Boot Bus Extender - Driver Group
SafeBootNet:64bit: Boot file system - Driver Group
SafeBootNet:64bit: File system - Driver Group
SafeBootNet:64bit: Filter - Driver Group
SafeBootNet:64bit: HelpSvc - Service
SafeBootNet:64bit: Messenger - Service
SafeBootNet:64bit: NDIS Wrapper - Driver Group
SafeBootNet:64bit: NetBIOSGroup - Driver Group
SafeBootNet:64bit: NetDDEGroup - Driver Group
SafeBootNet:64bit: Network - Driver Group
SafeBootNet:64bit: NetworkProvider - Driver Group
SafeBootNet:64bit: PCI Configuration - Driver Group
SafeBootNet:64bit: PNP Filter - Driver Group
SafeBootNet:64bit: PNP_TDI - Driver Group
SafeBootNet:64bit: Primary disk - Driver Group
SafeBootNet:64bit: rdsessmgr - Service
SafeBootNet:64bit: sacsvr - Service
SafeBootNet:64bit: SCSI Class - Driver Group
SafeBootNet:64bit: Streams Drivers - Driver Group
SafeBootNet:64bit: System Bus Extender - Driver Group
SafeBootNet:64bit: TDI - Driver Group
SafeBootNet:64bit: vmms - Service
SafeBootNet:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet:64bit: WudfUsbccidDriver - Driver
SafeBootNet:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet:64bit: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet:64bit: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet:64bit: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet:64bit: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet:64bit: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootNet: AppMgmt - Service
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vmms - Service
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/09/05 12:44:49 | 000,000,000 | -H-D | C] -- C:\Windows\AxInstSV
[2012/09/03 12:04:24 | 000,693,235 | ---- | C] (Farbar) -- C:\Users\Historic Inn\Desktop\FSS.exe
[2012/09/03 11:42:55 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Historic Inn\Desktop\aswMBR.exe
[2012/09/01 11:35:00 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\Google
[2012/09/01 11:35:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2012/09/01 11:34:58 | 000,359,464 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/09/01 11:34:58 | 000,025,232 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/09/01 11:34:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012/09/01 11:34:56 | 000,054,072 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2012/09/01 11:34:53 | 000,969,200 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/09/01 11:34:53 | 000,059,728 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/09/01 11:34:50 | 000,285,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/09/01 11:34:50 | 000,071,600 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/09/01 11:34:18 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/09/01 11:34:17 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/09/01 11:34:05 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/09/01 11:34:05 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/09/01 11:15:47 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
[2012/08/30 17:14:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2012/08/28 19:49:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/08/28 19:49:38 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/08/28 19:48:48 | 003,927,560 | ---- | C] (Piriform Ltd) -- C:\Users\Historic Inn\Desktop\ccsetup322.exe
[2012/08/28 15:40:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Autorun Eater
[2012/08/28 15:39:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autorun Eater
[2012/08/28 15:39:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Autorun Eater
[2012/08/27 21:30:34 | 002,406,064 | ---- | C] (Trend Micro Inc.) -- C:\Users\Historic Inn\Desktop\HousecallLauncher64.exe
[2012/08/27 11:02:30 | 000,000,000 | ---D | C] -- C:\ProgramData\GFI Software
[2012/08/26 10:47:27 | 001,479,536 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Historic Inn\Desktop\procexp64.exe
[2012/08/25 18:49:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VS Revo Group
[2012/08/25 18:49:12 | 002,617,648 | ---- | C] (VS Revo Group Ltd.) -- C:\Users\Historic Inn\Desktop\revosetup.exe
[2012/08/25 18:35:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/08/25 17:53:17 | 000,000,000 | ---D | C] -- C:\silent runners
[2012/08/24 13:28:40 | 002,211,928 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Historic Inn\Desktop\TDSSKiller.exe
[2012/08/22 20:30:10 | 002,691,192 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Historic Inn\Desktop\procexp.exe
[2012/08/22 09:01:25 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\TFC.exe
[2012/08/22 00:44:52 | 000,821,736 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2012/08/21 04:11:42 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2012/08/21 04:11:42 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2012/08/21 04:11:42 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\splwow64.exe
[2012/08/21 03:58:41 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2012/08/20 16:27:35 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\Downloaded Installations
[2012/08/19 21:41:02 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\OTL.exe
[2012/08/14 22:17:40 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll
[2012/08/14 22:11:14 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/08/14 22:11:14 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/08/14 22:11:13 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/08/14 22:11:13 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/08/14 22:11:11 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/08/14 22:11:11 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/08/14 22:11:11 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012/08/14 22:11:11 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/08/14 22:11:10 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/08/14 22:11:10 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/08/14 22:11:10 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/08/14 22:11:08 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/08/14 22:11:08 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/08/14 22:07:43 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netapi32.dll
[2012/08/14 22:07:43 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browcli.dll
[2012/08/14 22:07:42 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\browcli.dll
[2012/08/14 00:28:19 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\ElevatedDiagnostics
[2012/02/27 18:52:20 | 006,221,896 | ---- | C] (LastPass) -- C:\Program Files (x86)\Common Files\lpuninstall.exe

========== Files - Modified Within 30 Days ==========

[2012/09/05 13:13:48 | 000,113,734 | ---- | M] () -- C:\Users\Historic Inn\Desktop\cmd prompt message.PNG
[2012/09/05 13:00:19 | 000,077,438 | ---- | M] () -- C:\Users\Historic Inn\Desktop\avast p2p exclusions.PNG
[2012/09/05 12:58:35 | 000,077,346 | ---- | M] () -- C:\Users\Historic Inn\Desktop\avast file exclsions 2.PNG
[2012/09/05 12:57:14 | 000,118,781 | ---- | M] () -- C:\Users\Historic Inn\Desktop\avast file exclusions 1.PNG
[2012/09/05 12:50:33 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/05 12:50:33 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/05 12:44:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/09/05 12:44:31 | 116,449,279 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/04 12:54:40 | 002,211,928 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Historic Inn\Desktop\TDSSKiller.exe
[2012/09/04 12:54:11 | 002,193,184 | ---- | M] () -- C:\Users\Historic Inn\Desktop\tdsskiller.zip
[2012/09/04 12:42:55 | 000,043,789 | ---- | M] () -- C:\Users\Historic Inn\Desktop\2012-08-15 11.34.14-1.jpg
[2012/09/03 12:33:03 | 000,002,070 | ---- | M] () -- C:\Users\Historic Inn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2012/09/03 12:33:03 | 000,002,046 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
[2012/09/03 12:27:08 | 000,029,278 | ---- | M] () -- C:\Users\Historic Inn\Desktop\Avastthdrbirdwarning.PNG
[2012/09/03 12:20:54 | 000,000,512 | ---- | M] () -- C:\Users\Historic Inn\Desktop\MBR.dat
[2012/09/03 12:04:30 | 000,693,235 | ---- | M] (Farbar) -- C:\Users\Historic Inn\Desktop\FSS.exe
[2012/09/03 11:58:03 | 000,006,181 | ---- | M] () -- C:\Users\Historic Inn\Desktop\free_av_7.0.1466_2012-9-3_11-57-54.avastconfig
[2012/09/03 11:43:03 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Historic Inn\Desktop\aswMBR.exe
[2012/09/03 10:02:36 | 000,006,141 | ---- | M] () -- C:\Users\Historic Inn\Desktop\free_av_7.0.1466_2012-9-3_9-57-1.avastconfig
[2012/09/01 19:26:47 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2012/09/01 11:34:58 | 000,001,922 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/09/01 11:29:46 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/09/01 11:29:31 | 000,660,318 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/09/01 11:29:31 | 000,121,214 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/09/01 11:26:37 | 093,654,616 | ---- | M] () -- C:\Users\Historic Inn\Desktop\avast_free_antivirus_setup.exe
[2012/09/01 11:15:47 | 000,001,224 | ---- | M] () -- C:\Users\Historic Inn\Desktop\Revo Uninstaller.lnk
[2012/08/31 21:05:27 | 000,782,270 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/08/30 20:33:44 | 000,001,915 | ---- | M] () -- C:\Users\Historic Inn\Desktop\Microsoft Security Essentials.lnk
[2012/08/30 20:28:43 | 005,523,485 | ---- | M] () -- C:\Users\Historic Inn\AppData\Local\census.cache
[2012/08/30 20:24:01 | 000,094,602 | ---- | M] () -- C:\Users\Historic Inn\AppData\Local\ars.cache
[2012/08/28 21:26:05 | 000,007,605 | ---- | M] () -- C:\Users\Historic Inn\AppData\Local\Resmon.ResmonCfg
[2012/08/28 19:49:39 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/08/28 19:48:50 | 003,927,560 | ---- | M] (Piriform Ltd) -- C:\Users\Historic Inn\Desktop\ccsetup322.exe
[2012/08/28 16:30:22 | 000,796,420 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/08/28 15:39:44 | 000,000,943 | ---- | M] () -- C:\Users\Public\Desktop\Autorun Eater.lnk
[2012/08/28 15:35:28 | 001,458,415 | ---- | M] (Old McDonald's Farm) -- C:\Users\Historic Inn\Desktop\aesetup2.6.exe
[2012/08/28 15:34:21 | 001,426,020 | ---- | M] () -- C:\Users\Historic Inn\Desktop\aesetup2.6.zip
[2012/08/27 21:31:21 | 000,000,036 | ---- | M] () -- C:\Users\Historic Inn\AppData\Local\housecall.guid.cache
[2012/08/27 21:30:34 | 002,406,064 | ---- | M] (Trend Micro Inc.) -- C:\Users\Historic Inn\Desktop\HousecallLauncher64.exe
[2012/08/26 15:44:09 | 000,029,322 | ---- | M] () -- C:\Users\Historic Inn\Desktop\ESET Proxy Configured.PNG
[2012/08/26 14:56:20 | 000,061,440 | ---- | M] ( ) -- C:\Users\Historic Inn\Desktop\VEW.exe
[2012/08/26 10:47:28 | 001,479,536 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Historic Inn\Desktop\procexp64.exe
[2012/08/25 18:49:27 | 002,617,648 | ---- | M] (VS Revo Group Ltd.) -- C:\Users\Historic Inn\Desktop\revosetup.exe
[2012/08/25 17:54:13 | 000,484,445 | ---- | M] () -- C:\Users\Historic Inn\Desktop\Silent Runners.vbs
[2012/08/23 07:35:23 | 000,018,050 | ---- | M] () -- C:\Users\Historic Inn\Desktop\fieewall event gap.PNG
[2012/08/22 22:28:38 | 009,506,816 | ---- | M] () -- C:\Users\Historic Inn\Documents\cleared application log.evtx
[2012/08/22 22:27:45 | 020,975,616 | ---- | M] () -- C:\Users\Historic Inn\Documents\cleared system log.evtx
[2012/08/22 21:54:36 | 000,250,639 | ---- | M] () -- C:\Users\Historic Inn\Desktop\geekstogo.PNG
[2012/08/22 20:30:11 | 002,691,192 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Historic Inn\Desktop\procexp.exe
[2012/08/22 09:01:26 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\TFC.exe
[2012/08/22 08:51:42 | 000,233,880 | ---- | M] () -- C:\Users\Historic Inn\Desktop\Comodo blocks 08 21and22 2012.PNG
[2012/08/22 00:56:49 | 000,063,861 | ---- | M] () -- C:\Users\Historic Inn\Desktop\2kodak uninstall.PNG
[2012/08/22 00:56:08 | 000,063,809 | ---- | M] () -- C:\Users\Historic Inn\Desktop\kodak uninstall.PNG
[2012/08/22 00:44:13 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2012/08/22 00:44:13 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\deployJava1.dll
[2012/08/21 05:13:13 | 000,969,200 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/08/21 05:13:13 | 000,359,464 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/08/21 05:13:13 | 000,059,728 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/08/21 05:13:12 | 000,071,600 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/08/21 05:13:12 | 000,054,072 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2012/08/21 05:13:11 | 000,025,232 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/08/21 05:12:33 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/08/21 05:12:23 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/08/21 05:12:02 | 000,285,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/08/21 04:08:10 | 000,335,656 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/08/19 21:41:18 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\OTL.exe

========== Files Created - No Company Name ==========

[2012/09/05 13:13:47 | 000,113,734 | ---- | C] () -- C:\Users\Historic Inn\Desktop\cmd prompt message.PNG
[2012/09/05 13:00:19 | 000,077,438 | ---- | C] () -- C:\Users\Historic Inn\Desktop\avast p2p exclusions.PNG
[2012/09/05 12:58:35 | 000,077,346 | ---- | C] () -- C:\Users\Historic Inn\Desktop\avast file exclsions 2.PNG
[2012/09/05 12:57:14 | 000,118,781 | ---- | C] () -- C:\Users\Historic Inn\Desktop\avast file exclusions 1.PNG
[2012/09/04 12:54:06 | 002,193,184 | ---- | C] () -- C:\Users\Historic Inn\Desktop\tdsskiller.zip
[2012/09/04 12:42:55 | 000,043,789 | ---- | C] () -- C:\Users\Historic Inn\Desktop\2012-08-15 11.34.14-1.jpg
[2012/09/03 12:33:03 | 000,002,046 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
[2012/09/03 12:27:08 | 000,029,278 | ---- | C] () -- C:\Users\Historic Inn\Desktop\Avastthdrbirdwarning.PNG
[2012/09/03 11:59:34 | 000,000,512 | ---- | C] () -- C:\Users\Historic Inn\Desktop\MBR.dat
[2012/09/03 11:58:03 | 000,006,181 | ---- | C] () -- C:\Users\Historic Inn\Desktop\free_av_7.0.1466_2012-9-3_11-57-54.avastconfig
[2012/09/03 10:02:36 | 000,006,141 | ---- | C] () -- C:\Users\Historic Inn\Desktop\free_av_7.0.1466_2012-9-3_9-57-1.avastconfig
[2012/09/01 11:34:58 | 000,001,922 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/09/01 11:34:50 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2012/09/01 11:25:02 | 093,654,616 | ---- | C] () -- C:\Users\Historic Inn\Desktop\avast_free_antivirus_setup.exe
[2012/08/30 20:33:44 | 000,001,915 | ---- | C] () -- C:\Users\Historic Inn\Desktop\Microsoft Security Essentials.lnk
[2012/08/28 20:50:33 | 000,007,605 | ---- | C] () -- C:\Users\Historic Inn\AppData\Local\Resmon.ResmonCfg
[2012/08/28 19:49:39 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/08/28 15:39:44 | 000,000,943 | ---- | C] () -- C:\Users\Public\Desktop\Autorun Eater.lnk
[2012/08/28 15:34:18 | 001,426,020 | ---- | C] () -- C:\Users\Historic Inn\Desktop\aesetup2.6.zip
[2012/08/27 23:06:08 | 005,523,485 | ---- | C] () -- C:\Users\Historic Inn\AppData\Local\census.cache
[2012/08/27 23:03:29 | 000,094,602 | ---- | C] () -- C:\Users\Historic Inn\AppData\Local\ars.cache
[2012/08/27 21:31:21 | 000,000,036 | ---- | C] () -- C:\Users\Historic Inn\AppData\Local\housecall.guid.cache
[2012/08/26 15:44:09 | 000,029,322 | ---- | C] () -- C:\Users\Historic Inn\Desktop\ESET Proxy Configured.PNG
[2012/08/26 14:56:10 | 000,061,440 | ---- | C] ( ) -- C:\Users\Historic Inn\Desktop\VEW.exe
[2012/08/25 18:49:50 | 000,001,224 | ---- | C] () -- C:\Users\Historic Inn\Desktop\Revo Uninstaller.lnk
[2012/08/23 07:35:23 | 000,018,050 | ---- | C] () -- C:\Users\Historic Inn\Desktop\fieewall event gap.PNG
[2012/08/22 22:28:38 | 009,506,816 | ---- | C] () -- C:\Users\Historic Inn\Documents\cleared application log.evtx
[2012/08/22 22:27:44 | 020,975,616 | ---- | C] () -- C:\Users\Historic Inn\Documents\cleared system log.evtx
[2012/08/22 21:54:36 | 000,250,639 | ---- | C] () -- C:\Users\Historic Inn\Desktop\geekstogo.PNG
[2012/08/22 08:51:42 | 000,233,880 | ---- | C] () -- C:\Users\Historic Inn\Desktop\Comodo blocks 08 21and22 2012.PNG
[2012/08/22 00:56:49 | 000,063,861 | ---- | C] () -- C:\Users\Historic Inn\Desktop\2kodak uninstall.PNG
[2012/08/22 00:56:08 | 000,063,809 | ---- | C] () -- C:\Users\Historic Inn\Desktop\kodak uninstall.PNG
[2012/04/04 14:11:40 | 000,540,672 | ---- | C] () -- C:\Windows\SysWow64\TX32.dll
[2012/04/04 14:11:40 | 000,000,478 | ---- | C] () -- C:\Windows\SysWow64\ic32.ini
[2012/04/04 14:11:38 | 000,109,056 | ---- | C] () -- C:\Windows\SysWow64\reg.dll
[2012/02/23 05:59:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012/02/23 05:57:40 | 000,451,072 | ---- | C] () -- C:\Windows\SysWow64\ISSRemoveSP.exe
[2012/02/23 05:53:00 | 000,796,420 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/03/21 23:56:22 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/03/17 18:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

========== Custom Scans ==========

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: ST950032 5AS SATA Disk Device
Partitions: 3
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 0.00GB
Starting Offset: 1048576
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 452.00GB
Starting Offset: 209715200
Hidden sectors: 0


DeviceID: Disk #0, Partition #2
PartitionType: Installable File System
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 14.00GB
Starting Offset: 485048188928
Hidden sectors: 0


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\assembly\GAC_32\*.ini >

< %systemroot%\assembly\GAC_64\*.ini >

< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*.exe >

< %APPDATA%\*. >
[2012/04/06 08:41:12 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Adobe
[2012/05/19 08:08:18 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Apple Computer
[2012/05/20 11:40:54 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\ArcSoft
[2012/02/23 03:32:27 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\ATI
[2012/04/28 19:56:21 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\FastStone
[2012/04/02 23:20:56 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Hewlett-Packard
[2012/04/02 23:28:57 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\hpqLog
[2012/02/23 03:31:07 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Identities
[2012/05/18 23:20:39 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Kodak
[2012/02/23 03:34:20 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Macromedia
[2012/04/14 09:08:31 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Malwarebytes
[2012/02/23 05:38:31 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Media Center Programs
[2012/09/01 11:29:18 | 000,000,000 | --SD | M] -- C:\Users\Historic Inn\AppData\Roaming\Microsoft
[2012/04/07 09:20:49 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Mozilla
[2012/02/28 21:40:44 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\OpenOffice.org
[2012/02/23 03:31:28 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Synaptics
[2012/04/07 09:20:48 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Thunderbird
[2012/08/08 16:17:42 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\vlc

< MD5 for: ATAPI.SYS >
[2009/07/13 21:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
[2009/07/13 21:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys
[2009/07/13 21:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys

< MD5 for: CSRSS.EXE >
[2009/07/13 21:39:02 | 000,007,680 | ---- | M] (Microsoft Corporation) MD5=60C2862B4BF0FD9F582EF344C2B1EC72 -- C:\Windows\SysNative\csrss.exe
[2009/07/13 21:39:02 | 000,007,680 | ---- | M] (Microsoft Corporation) MD5=60C2862B4BF0FD9F582EF344C2B1EC72 -- C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe

< MD5 for: EXPLORER.EXE >
[2011/02/26 01:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2011/02/25 02:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
[2011/02/25 02:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2011/02/26 02:14:34 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=3B69712041F3D63605529BD66DC00C48 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2010/11/20 23:24:25 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\SysWOW64\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2010/11/20 23:24:11 | 002,872,320 | ---- | M] (Microsoft Corporation) MD5=AC4C51EB24AA95B77F705AB159189E24 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe

< MD5 for: MSWSOCK.DLL >
[2010/11/20 23:24:00 | 000,326,144 | ---- | M] (Microsoft Corporation) MD5=1D5185A4C7E6695431AE4B55C3D7D333 -- C:\Windows\SysNative\mswsock.dll
[2010/11/20 23:24:00 | 000,326,144 | ---- | M] (Microsoft Corporation) MD5=1D5185A4C7E6695431AE4B55C3D7D333 -- C:\Windows\winsxs\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.17514_none_16795c7543eb48cf\mswsock.dll
[2010/11/20 23:24:09 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=8999B8631C7FD9F7F9EC3CAFD953BA24 -- C:\Windows\SysWOW64\mswsock.dll
[2010/11/20 23:24:09 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=8999B8631C7FD9F7F9EC3CAFD953BA24 -- C:\Windows\winsxs\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.17514_none_ba5ac0f18b8dd799\mswsock.dll

< MD5 for: NAPINSP.DLL >
[2009/07/13 21:16:02 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=0B7E85364CB878E2AD531DB7B601A9E5 -- C:\Windows\SysWOW64\NapiNSP.dll
[2009/07/13 21:16:02 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=0B7E85364CB878E2AD531DB7B601A9E5 -- C:\Windows\winsxs\x86_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_6.1.7600.16385_none_abf396ebf0847c31\NapiNSP.dll
[2009/07/13 21:41:52 | 000,068,096 | ---- | M] (Microsoft Corporation) MD5=58A0CDABEA255616827B1C22C9994466 -- C:\Windows\SysNative\NapiNSP.dll
[2009/07/13 21:41:52 | 000,068,096 | ---- | M] (Microsoft Corporation) MD5=58A0CDABEA255616827B1C22C9994466 -- C:\Windows\winsxs\amd64_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_6.1.7600.16385_none_0812326fa8e1ed67\NapiNSP.dll

< MD5 for: NLAAPI.DLL >
[2010/11/20 23:24:01 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=104A1070E90F1C530328E69B49718841 -- C:\Windows\SysWOW64\nlaapi.dll
[2010/11/20 23:24:01 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=104A1070E90F1C530328E69B49718841 -- C:\Windows\winsxs\wow64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7601.17514_none_d000a58855ea91a1\nlaapi.dll
[2010/11/20 23:23:54 | 000,070,656 | ---- | M] (Microsoft Corporation) MD5=2DF36F15B2BC1571A6A542A3C2107920 -- C:\Windows\SysNative\nlaapi.dll
[2010/11/20 23:23:54 | 000,070,656 | ---- | M] (Microsoft Corporation) MD5=2DF36F15B2BC1571A6A542A3C2107920 -- C:\Windows\winsxs\amd64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7601.17514_none_c5abfb362189cfa6\nlaapi.dll

< MD5 for: PNRPNSP.DLL >
[2009/07/13 21:16:12 | 000,065,024 | ---- | M] (Microsoft Corporation) MD5=5CF640EDDB1E40A5AB1BB743BCDEC610 -- C:\Windows\SysWOW64\pnrpnsp.dll
[2009/07/13 21:16:12 | 000,065,024 | ---- | M] (Microsoft Corporation) MD5=5CF640EDDB1E40A5AB1BB743BCDEC610 -- C:\Windows\winsxs\wow64_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.1.7600.16385_none_d7c8b1ac70865dab\pnrpnsp.dll
[2009/07/13 21:41:53 | 000,086,016 | ---- | M] (Microsoft Corporation) MD5=613C8CE10A5FDE582BA5FA64C4D56AAA -- C:\Windows\SysNative\pnrpnsp.dll
[2009/07/13 21:41:53 | 000,086,016 | ---- | M] (Microsoft Corporation) MD5=613C8CE10A5FDE582BA5FA64C4D56AAA -- C:\Windows\winsxs\amd64_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.1.7600.16385_none_cd74075a3c259bb0\pnrpnsp.dll

< MD5 for: PRINTISOLATIONHOST.EXE >
[2009/07/13 21:39:27 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=22F020C76E339EB2B2187BA73A7E4173 -- C:\Windows\SysNative\PrintIsolationHost.exe
[2009/07/13 21:39:27 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=22F020C76E339EB2B2187BA73A7E4173 -- C:\Windows\winsxs\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_6.1.7600.16385_none_f8a40495785334a9\PrintIsolationHost.exe

< MD5 for: SERVICES.EXE >
[2009/07/13 21:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\SysNative\services.exe
[2009/07/13 21:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

< MD5 for: SVCHOST.EXE >
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\SysWOW64\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\SysNative\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe

< MD5 for: USER32.DLL >
[2010/11/20 23:24:20 | 000,833,024 | ---- | M] (Microsoft Corporation) MD5=5E0DB2D8B2750543CD2EBB9EA8E6CDD3 -- C:\Windows\SysWOW64\user32.dll
[2010/11/20 23:24:20 | 000,833,024 | ---- | M] (Microsoft Corporation) MD5=5E0DB2D8B2750543CD2EBB9EA8E6CDD3 -- C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
[2010/11/20 23:24:09 | 001,008,128 | ---- | M] (Microsoft Corporation) MD5=FE70103391A64039A921DBFFF9C7AB1B -- C:\Windows\SysNative\user32.dll
[2010/11/20 23:24:09 | 001,008,128 | ---- | M] (Microsoft Corporation) MD5=FE70103391A64039A921DBFFF9C7AB1B -- C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll

< MD5 for: USERINIT.EXE >
[2010/11/20 23:23:55 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\SysWOW64\userinit.exe
[2010/11/20 23:23:55 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2010/11/20 23:24:28 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\SysNative\userinit.exe
[2010/11/20 23:24:28 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe

< MD5 for: WINLOGON.EXE >
[2010/11/20 23:24:29 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\SysNative\winlogon.exe
[2010/11/20 23:24:29 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe

< MD5 for: WINRNR.DLL >
[2009/07/13 21:41:56 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=2E2072EB48238FCA8FBB7A9F5FABAC45 -- C:\Windows\SysNative\winrnr.dll
[2009/07/13 21:41:56 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=2E2072EB48238FCA8FBB7A9F5FABAC45 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.1.7600.16385_none_b543449669c73e11\winrnr.dll
[2009/07/13 21:16:19 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=5DF5D8CFD9B9573FA3B2C89D9061A240 -- C:\Windows\SysWOW64\winrnr.dll
[2009/07/13 21:16:19 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=5DF5D8CFD9B9573FA3B2C89D9061A240 -- C:\Windows\winsxs\x86_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.1.7600.16385_none_5924a912b169ccdb\winrnr.dll

< MD5 for: WSHELPER.DLL >
[2009/07/13 21:16:20 | 000,015,360 | ---- | M] (Microsoft Corporation) MD5=5B90BB3171504C9DAF3C5CB44B203CA7 -- C:\Windows\SysWOW64\wshelper.dll
[2009/07/13 21:16:20 | 000,015,360 | ---- | M] (Microsoft Corporation) MD5=5B90BB3171504C9DAF3C5CB44B203CA7 -- C:\Windows\winsxs\wow64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6ace9e67456cc40b\wshelper.dll
[2009/07/13 21:41:58 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=D314DA4B0B8DCD023D547FC568E34FB6 -- C:\Windows\SysNative\wshelper.dll
[2009/07/13 21:41:58 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=D314DA4B0B8DCD023D547FC568E34FB6 -- C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\wshelper.dll

< C:\Windows\assembly\tmp\U\*.* /s >

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2012/02/23 04:40:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2012/02/23 04:40:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2012/02/23 04:40:29 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2012/06/28 21:00:47 | 000,748,664 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files (x86)\Internet Explorer\iexplore.exe [2012/06/28 21:00:47 | 000,748,664 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW [2012/02/23 04:40:27 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL [2012/02/23 04:40:27 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE [2012/02/23 04:40:27 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF [2012/06/28 21:00:47 | 000,748,664 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE [2012/06/28 21:00:47 | 000,748,664 | ---- | M] (Microsoft Corporation)

< %systemroot%\system32\*.dll /lockedfiles >
[2012/06/28 20:27:10 | 009,737,728 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\system32\ieframe.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemdrive%\$Recycle.Bin|@;true;true;true >

< End of report >

OTL Extras logfile created on: 9/5/2012 1:17:01 PM - Run 6
OTL by OldTimer - Version 3.2.58.1 Folder = C:\Users\Historic Inn\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.48 Gb Total Physical Memory | 4.25 Gb Available Physical Memory | 77.62% Memory free
10.95 Gb Paging File | 9.64 Gb Available in Paging File | 88.02% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.54 Gb Total Space | 351.71 Gb Free Space | 77.89% Space Free | Partition Type: NTFS
Drive D: | 14.02 Gb Total Space | 1.65 Gb Free Space | 11.79% Space Free | Partition Type: NTFS

Computer Name: HISTORICINN | User Name: Historic Inn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm[@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cpl[@ = cplfile] -- C:\Windows\SysNative\control.exe (Microsoft Corporation)
.hlp[@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta[@ = htafile] -- C:\Windows\SysWOW64\mshta.exe (Microsoft Corporation)
.html[@ = htmlfile] -- C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf[@ = inffile] -- C:\Windows\SysNative\NOTEPAD.EXE (Microsoft Corporation)
.ini[@ = inifile] -- C:\Windows\SysNative\NOTEPAD.EXE (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
.js[@ = JSFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.jse[@ = JSEFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.reg[@ = regfile] -- C:\Windows\regedit.exe (Microsoft Corporation)
.txt[@ = txtfile] -- C:\Windows\SysNative\NOTEPAD.EXE (Microsoft Corporation)
.vbe[@ = VBEFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.vbs[@ = VBSFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.wsf[@ = WSFFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)
.wsh[@ = WSHFile] -- C:\Windows\SysNative\WScript.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = comfile] -- "%1" %*
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\Windows\SysWOW64\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\Windows\SysWow64\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\Windows\SysWow64\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\SysWOW64\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
inffile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- C:\Windows\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- C:\Windows\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\SysWOW64\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
inffile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- C:\Windows\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- C:\Windows\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2C7263D3-8ABE-47A8-8AB9-F70ED95F3581}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{34FEF9A3-EC4A-4A27-BEA5-F17CF7E28391}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{5B355887-4F93-454A-9C85-169BD8948C68}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{6C7AA5C5-8D0F-440E-B4CB-612223805543}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{88EA75C9-014B-4DA6-A851-BA7920E42A0B}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe |
"{A2862F3B-60DC-4570-BB16-7F6ACF7F6933}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{C41FC16C-62EA-4E8C-BAB5-920EE1B2E37C}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{DB3F5778-55D0-475D-AD27-F558891BD84A}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{EFCEFFB5-11F0-46EF-876E-9ED8B5603CCC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.1 (r518)
"{171BC611-B074-4524-86DD-068AE3AD93BE}" = Carbonite Mirror Image: Carbonite Mirror Image (64 bit)
"{30A37772-7131-E172-F477-633EBAF652E9}" = ATI Catalyst Install Manager
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{6B485688-7BF1-75FD-B4B6-0484F6E3B436}" = AMD Fuel
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8373E7A8-6A93-C509-279D-806134BBD22E}" = WMV9/VC-1 Video Playback
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{E2400088-BA57-FB78-0CBD-9BC448D947AD}" = ccc-utility64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"SynTPDeinstKey" = Synaptics Pointing Device Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
"{0CB02DE7-CCC1-2D4D-1DAF-134517AEBC4A}" = CCC Help Polish
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0F69006A-CD2F-4C12-A786-C659C8F98423}" = Catalyst Control Center - Branding
"{0FB99251-4E5D-C37C-B32D-3D4F8AA49C52}" = CCC Help French
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{3668EED7-FBD2-5AC0-63B5-BB75DB297C0F}" = CCC Help English
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Windows 7
"{3F066568-2A33-BEA1-888B-87625D1F82EB}" = CCC Help Swedish
"{48F6DE0D-F0C8-A829-9EE1-4ED7B4B613BD}" = CCC Help Danish
"{505DA0FF-F633-F7FF-050F-46C88AB2F0A5}" = CCC Help Italian
"{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
"{53B17A98-5BF0-40BC-AAFF-850A357975AC}" = HP Quick Launch
"{63642CD0-9029-EABD-0325-57E2F0F68881}" = CCC Help Greek
"{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{8E02FF19-ED6C-7A47-0BF3-4619548AEFB3}" = CCC Help German
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{962CB079-85E6-405F-8704-1C62365AE46F}" = HP Software Framework
"{98F5A9F9-C0AF-E445-2DEB-476ABE017C7A}" = CCC Help Dutch
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D3D8C60-A55F-4123-B2B9-173F09590E16}" = REALTEK Wireless LAN Driver
"{A211D79C-6757-6599-CD26-397CED3A4158}" = AMD VISION Engine Control Center
"{A28FA8DC-FEA4-858A-2006-85815B35708D}" = CCC Help Portuguese
"{A3F02181-105C-661F-17E5-FB4A019EDAF4}" = CCC Help Spanish
"{AB16A0F0-CDF1-E79F-5E72-AA10FF3D0B5C}" = CCC Help Chinese Traditional
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{AE175D9F-D7D5-6E82-857F-034F4509FDCC}" = CCC Help Norwegian
"{B65FCAA5-F3A6-4B3F-ABEE-CBC2B085796B}" = HP Connection Manager
"{BA25D864-65DF-13DF-08A2-35C5B3FC47BC}" = CCC Help Russian
"{BCB4C18A-ACA6-4383-8688-E19933A705DD}" = Microsoft SOAP Toolkit 3.0
"{BEF0D35E-BEF4-7C91-B964-E16F8F710AE4}" = CCC Help Japanese
"{C1594429-8296-4652-BF54-9DBE4932A44C}" = Realtek PCIE Card Reader
"{C1C82DC9-1547-4038-8F0A-C069F0B7F2ED}" = AMD System Monitor
"{CD95BC82-D5F2-9A62-291C-ED4A5D945064}" = CCC Help Korean
"{CED189B9-2422-AA34-003D-CF11C8C86E5C}" = CCC Help Finnish
"{D19E07F6-3EE1-85F7-D4EE-A56A66FB5DAF}" = CCC Help Thai
"{DBCD5E64-7379-4648-9444-8A6558DCB614}" = Recovery Manager
"{E118D4B8-C626-C066-D92B-BAB273D073CE}" = CCC Help Chinese Standard
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{E5C4D9C6-D091-9E92-E47E-FC021FBD9D86}" = Catalyst Control Center Localization All
"{E65818A4-63CF-7ADC-A32B-66F7B68EB879}" = CCC Help Hungarian
"{E87D76C7-7322-A217-E1FF-52E1124CFDA4}" = Catalyst Control Center InstallProxy
"{E9E33939-0216-8683-78CA-68E05604D31C}" = CCC Help Czech
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EBE23921-116B-4CD4-9AAA-025AD3DDCF4E}" = CCC Help Turkish
"{ED1BD69A-07E3-418C-91F1-D856582581BF}" = HP On Screen Display
"{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module
"{EDC930DA-187B-C1FB-783D-3419BAAA74C4}" = Catalyst Control Center Graphics Previews Common
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Autorun Eater_is1" = Autorun Eater v2.6
"avast" = avast! Free Antivirus
"Carbonite Backup" = Carbonite
"FastStone Image Viewer" = FastStone Image Viewer 4.6
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"LastPass" = LastPass (uninstall only)
"Mozilla Thunderbird 15.0 (x86 en-US)" = Mozilla Thunderbird 15.0 (x86 en-US)
"Revo Uninstaller" = Revo Uninstaller 1.94
"RezOvation Desktop_is1" = RezOvation Desktop
"VLC media player" = VLC media player 2.0.2

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 9/2/2012 9:22:47 PM | Computer Name = HistoricInn | Source = Application Hang | ID = 1002
Description = The program RezOvation.exe version 7.1.0.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 4e0 Start
Time: 01cd89724a0416bc Termination Time: 32 Application Path: C:\Program Files (x86)\RezOvation\RezOvation.exe

Report
Id: aa395850-f565-11e1-a2c3-2c27d7e76de4

Error - 9/3/2012 9:42:07 AM | Computer Name = HistoricInn | Source = WinMgmt | ID = 10
Description =

Error - 9/3/2012 12:00:00 PM | Computer Name = HistoricInn | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 9.0.8112.16448,
time stamp: 0x4fecf1b7 Faulting module name: aswWebRepIE.dll, version: 7.0.1466.549,
time stamp: 0x5033506e Exception code: 0x40000015 Fault offset: 0x0001b1bc Faulting
process id: 0x940 Faulting application start time: 0x01cd89e74770bf1e Faulting application
path: C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path:
C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll Report Id: 69e279a2-f5e0-11e1-b7cf-2c27d7e76de4

Error - 9/3/2012 12:07:57 PM | Computer Name = HistoricInn | Source = WinMgmt | ID = 10
Description =

Error - 9/3/2012 12:37:07 PM | Computer Name = HistoricInn | Source = WinMgmt | ID = 10
Description =

Error - 9/3/2012 2:44:48 PM | Computer Name = HistoricInn | Source = WinMgmt | ID = 10
Description =

Error - 9/4/2012 12:24:08 PM | Computer Name = HistoricInn | Source = WinMgmt | ID = 10
Description =

Error - 9/4/2012 4:40:25 PM | Computer Name = HistoricInn | Source = WinMgmt | ID = 10
Description =

Error - 9/5/2012 10:07:08 AM | Computer Name = HistoricInn | Source = WinMgmt | ID = 10
Description =

Error - 9/5/2012 12:45:33 PM | Computer Name = HistoricInn | Source = WinMgmt | ID = 10
Description =

[ HP Connection Manager Events ]
Error - 5/26/2012 2:29:17 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:29:17.132|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 5/26/2012 2:29:17 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:29:17.194|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 5/26/2012 2:29:17 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:29:17.194|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 5/26/2012 2:29:17 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:29:17.225|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 5/26/2012 2:29:17 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:29:17.225|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 5/26/2012 2:29:17 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:29:17.880|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 5/26/2012 2:29:18 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:29:18.411|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 5/26/2012 2:30:12 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:30:12.325|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 5/26/2012 2:53:11 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/05/26 14:53:11.219|00000B74|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 9/1/2012 2:09:49 PM | Computer Name = HistoricInn | Source = hpCMSrv | ID = 5
Description = 2012/09/01 14:09:49.787|00000664|Error |ChpCMSrvModule::Run|Failed
PreMessageLoop hr:0x80004015

[ HP Software Framework Events ]
Error - 8/11/2012 12:00:40 AM | Computer Name = HistoricInn | Source = CaslSmBios | ID = 5
Description = 2012/08/11 00:00:40.177|00000660|Error |[CaslWmi]A::A{bool()}|Error
connecting to Global Event server. Exception: Retrieving the COM class factory
for component with CLSID {69D77689-DA2B-4308-8404-2614CBF9896E} failed due to the
following error: 80070422.

Error - 8/15/2012 7:38:12 PM | Computer Name = HistoricInn | Source = hpCasl | ID = 5
Description = 2012/08/15 19:38:12.655|00000F88|Error |[hpcasl]Command::Get{hpCasl.enReturnCode(string,object&)}|An
exception occurred Retrieving the COM class factory for component with CLSID {F5539356-2F02-40D4-999E-FA61F45FE12E}
failed due to the following error: 80070422.

Error - 8/15/2012 7:38:12 PM | Computer Name = HistoricInn | Source = CaslSmBios | ID = 5
Description = 2012/08/15 19:38:12.746|000009F0|Error |[CaslWmi]A::A{bool()}|Error
connecting to Global Event server. Exception: Retrieving the COM class factory
for component with CLSID {69D77689-DA2B-4308-8404-2614CBF9896E} failed due to the
following error: 80070422.

Error - 8/15/2012 7:38:14 PM | Computer Name = HistoricInn | Source = hpCasl | ID = 5
Description = 2012/08/15 19:38:14.445|00000428|Error |[hpcasl]Command::Set{hpCasl.enReturnCode(string,object)}|An
exception occurred Retrieving the COM class factory for component with CLSID {F5539356-2F02-40D4-999E-FA61F45FE12E}
failed due to the following error: 80070422.

Error - 8/15/2012 7:38:14 PM | Computer Name = HistoricInn | Source = CaslSmBios | ID = 5
Description = 2012/08/15 19:38:14.493|00000368|Error |[CaslWmi]A::A{bool()}|Error
connecting to Global Event server. Exception: Retrieving the COM class factory
for component with CLSID {69D77689-DA2B-4308-8404-2614CBF9896E} failed due to the
following error: 80070422.

Error - 8/22/2012 7:06:29 PM | Computer Name = HistoricInn | Source = hpCasl | ID = 5
Description = 2012/08/22 19:06:29.505|00000BFC|Error |[hpcasl]Command::Get{hpCasl.enReturnCode(string,object&)}|An
exception occurred Retrieving the COM class factory for component with CLSID {F5539356-2F02-40D4-999E-FA61F45FE12E}
failed due to the following error: 80070422.

Error - 8/22/2012 7:06:29 PM | Computer Name = HistoricInn | Source = CaslSmBios | ID = 5
Description = 2012/08/22 19:06:29.624|00000B98|Error |[CaslWmi]A::A{bool()}|Error
connecting to Global Event server. Exception: Retrieving the COM class factory
for component with CLSID {69D77689-DA2B-4308-8404-2614CBF9896E} failed due to the
following error: 80070422.

Error - 8/22/2012 7:06:31 PM | Computer Name = HistoricInn | Source = hpCasl | ID = 5
Description = 2012/08/22 19:06:31.101|00000844|Error |[hpcasl]Command::Set{hpCasl.enReturnCode(string,object)}|An
exception occurred Retrieving the COM class factory for component with CLSID {F5539356-2F02-40D4-999E-FA61F45FE12E}
failed due to the following error: 80070422.

Error - 8/22/2012 7:06:31 PM | Computer Name = HistoricInn | Source = CaslSmBios | ID = 5
Description = 2012/08/22 19:06:31.147|000004A4|Error |[CaslWmi]A::A{bool()}|Error
connecting to Global Event server. Exception: Retrieving the COM class factory
for component with CLSID {69D77689-DA2B-4308-8404-2614CBF9896E} failed due to the
following error: 80070422.

Error - 9/1/2012 2:09:49 PM | Computer Name = HistoricInn | Source = hpqWmiEx | ID = 5
Description = 2012/09/01 14:09:49.740|000006C4|Error |CWirelessDevicesState::StartWirelessEvents|Error
0x80004005 registering GUID_NDIS_LAN_CLASS for PCI device

[ System Events ]
Error - 9/5/2012 12:45:30 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the HP
Software Framework Service service to connect.

Error - 9/5/2012 12:45:30 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7000
Description = The HP Software Framework Service service failed to start due to the
following error: %%1053

Error - 9/5/2012 12:45:30 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7003
Description = The Net.Pipe Listener Adapter service depends the following service:
was. This service might not be installed.

Error - 9/5/2012 12:45:30 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7003
Description = The Net.Tcp Listener Adapter service depends the following service:
was. This service might not be installed.

Error - 9/5/2012 12:45:31 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Secure
Socket Tunneling Protocol Service service which failed to start because of the
following error: %%1058

Error - 9/5/2012 12:45:31 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7001
Description = The Routing and Remote Access service depends on the Remote Access
Connection Manager service which failed to start because of the following error:
%%1068

Error - 9/5/2012 12:45:31 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7001
Description = The Internet Connection Sharing (ICS) service depends on the Remote
Access Connection Manager service which failed to start because of the following
error: %%1068

Error - 9/5/2012 12:45:32 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7001
Description = The Remote Access Auto Connection Manager service depends on the Remote
Access Connection Manager service which failed to start because of the following
error: %%1068

Error - 9/5/2012 12:46:54 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7022
Description = The HP Connection Manager 4 Service service hung on starting.

Error - 9/5/2012 12:46:54 PM | Computer Name = HistoricInn | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
aswSnx SBRE


< End of report >

Edited by thisstinks, 05 September 2012 - 11:53 AM.


#7 thisstinks (Member, Topic Starter, 13 posts)

URGENT

Noticed OTL did not seem to run as at other times; it just seemed a little glitchy, nothing specific other than pauses with screen blinks.

But I noticed the custom scan window returned to the top midway through.

Here is the before and after in the custom scan area of OTL



DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true
CREATERESTOREPOINT





DRIVES
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true

#8 RKinner (Malware Expert, MVP, 24,625 posts)

Sorry for the delay. Was off-island yesterday.



Copy the text in the code box by highlighting and Ctrl + c


:OTL
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O8:64bit: - Extra context menu item: LastPass - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8:64bit: - Extra context menu item: LastPass Fill Forms - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O8 - Extra context menu item: LastPass - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found



then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.


Download ESET's Service Repair http://kb.eset.com/l...vicesRepair.exe and Save it then right click on it and Run As Admin.



Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).
sfc  /scannow

(This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


Download, Save and Run (win 7 or Vista => Right click and Run as Admin.) farbar service scanner


Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

#9 thisstinks (Member, Topic Starter, 13 posts)

Ran OTL with your lines pasted in
Ran only a second, said completed successfully, but did NOT reboot itself
I did a manual reboot

========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}\ not found.
File C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\ not found.
File C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}\ not found.
File C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\ not found.
File C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll not found.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\LastPass\ not found.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\LastPass Fill Forms\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\LastPass\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\LastPass Fill Forms\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.

OTL by OldTimer - Version 3.2.58.1 log created on 09112012_153713


Ran ESET services repair found "several services" needed fixing

cleared logs

rebooted

ran sfc as admin

found all OK

NOTE FOR BELOW: correct local time IS 5:38 PM, not 9:13 PM as listed in Vino's, if that gives you any hints


Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 11/09/2012 5:38:55 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/09/2012 9:13:06 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: aswSnx SBRE

Log: 'System' Date/Time: 11/09/2012 9:13:06 PM
Type: Error Category: 0
Event: 7022 Source: Service Control Manager
The HP Connection Manager 4 Service service hung on starting.

Log: 'System' Date/Time: 11/09/2012 9:11:43 PM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Remote Access Auto Connection Manager service depends on the Remote Access Connection Manager service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 11/09/2012 9:11:42 PM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Routing and Remote Access service depends on the Remote Access Connection Manager service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 11/09/2012 9:11:42 PM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The Net.Tcp Listener Adapter service depends the following service: was. This service might not be installed.

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The HP Software Framework Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the HP Software Framework Service service to connect.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/09/2012 9:11:06 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

Log: 'System' Date/Time: 11/09/2012 9:10:57 PM
Type: Warning Category: 0
Event: 121 Source: MSiSCSI
The firewall exception to allow Internet Storage Name Server (iSNS) client functionality is not enabled. iSNS client functionality is not available.

Log: 'System' Date/Time: 11/09/2012 9:10:07 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 11/09/2012 5:41:15 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 11/09/2012 9:12:22 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 11/09/2012 9:09:59 PM
Type: Error Category: 0
Event: 8193 Source: VSS
Volume Shadow Copy Service error: Unexpected error calling routine OpenSCManager(NULL,NULL,SC_MANAGER_CONNECT). hr = 0x8007045b, A system shutdown is in progress. .

Operation:
Initialize For Backup

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Farbar Service Scanner Version: 06-08-2012
Ran by Historic Inn (administrator) on 11-09-2012 at 17:45:10
Running from "C:\Users\Historic Inn\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
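The Service Control Manager and Wininit events in the VEW log above, triaged mechanically. This is an added example, not part of the thread or of the VEW tool: it parses VEW's four-line records, names the failing service or driver behind each SCM event, resolves the %%NNNN codes that the OTL extras log earlier in the thread prints (the table covers only the three codes the page shows, checked against the resolved text in the VEW log), and separates the one persistence indicator in the posted log, Wininit event 11, from plain start-up failures. The sample records are constructed by copying the thread's own log lines.

```python
"""Triage for Vino's Event Viewer (VEW) records like those posted in this thread.
Added example, not part of the thread or of the VEW tool: it parses VEW's four-line
records, names the failing service or driver behind each Service Control Manager
(SCM) event, resolves the %%NNNN codes the OTL extras log prints, and separates the
one persistence indicator in the posted log (Wininit 11, AppInit_DLLs injected into
every process) from plain start-up failures."""
import re
from collections import defaultdict, namedtuple

# Win32 codes printed as %%NNNN by OTL; the VEW log on the page shows the same three
# failures with the text resolved, which is how this table was checked.
WIN32_ERRORS = {
    1053: "The service did not respond to the start or control request in a timely fashion.",
    1058: "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.",
    1068: "The dependency service or group failed to start.",
}
# SCM event IDs seen in the log, each with a regex that pulls out the component it names.
SCM_PATTERNS = {
    7000: re.compile(r"^The (?P<svc>.+?) service failed to start"),
    7001: re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed"),
    7003: re.compile(r"^The (?P<svc>.+?) service depends the following service: (?P<dep>\S+?)\."),
    7009: re.compile(r"waiting for the (?P<svc>.+?) service to connect"),
    7022: re.compile(r"^The (?P<svc>.+?) service hung on starting"),
    7026: re.compile(r"failed to load: (?P<svc>.+)$"),
}
HEADER = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE = re.compile(r"^Type: (?P<etype>\w+) Category: \d+$")
EVENT = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")
Event = namedtuple("Event", "log when etype event_id source message")

def parse_vew(text):
    """A record starts at a 'Log:' line and ends at a blank line; banners are ignored."""
    events, cur = [], None
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if (h := HEADER.match(line)):
            cur = {"log": h["log"], "when": h["when"], "msg": []}
        elif cur is None:
            continue
        elif not line:
            if "id" in cur and "etype" in cur:
                events.append(Event(cur["log"], cur["when"], cur["etype"], cur["id"],
                                    cur["source"], " ".join(cur["msg"])))
            cur = None
        elif (t := TYPE.match(line)):
            cur["etype"] = t["etype"]
        elif (e := EVENT.match(line)):
            cur["id"], cur["source"] = int(e["id"]), e["source"]
        else:
            cur["msg"].append(line)
    return events

def decode_win32(msg):
    """Replace OTL-style %%NNNN placeholders with the resolved Win32 error text."""
    return re.sub(r"%%(\d+)", lambda m: WIN32_ERRORS.get(int(m.group(1)), m.group(0)), msg)

def triage(events):
    """Return services -> causes, failed drivers, persistence flags and everything else."""
    out = {"services": defaultdict(list), "drivers": [], "persistence": [], "other": []}
    for ev in events:
        msg = decode_win32(ev.message)
        scm = ev.source == "Service Control Manager" and ev.event_id in SCM_PATTERNS
        m = SCM_PATTERNS[ev.event_id].search(msg) if scm else None
        if m and ev.event_id == 7026:
            out["drivers"].extend(m["svc"].split())
        elif m:
            # Keep the dependency that took the service down when the event names one.
            out["services"][m["svc"]].append(m.groupdict().get("dep") or msg)
        elif ev.source == "Microsoft-Windows-Wininit" and ev.event_id == 11:
            out["persistence"].append(
                "Wininit 11: AppInit_DLLs are loaded into every process; inspect AppInit_DLLs under "
                "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows and, on x64, the "
                "same key under HKLM\\SOFTWARE\\Wow6432Node before trusting anything else on the box.")
        else:
            out["other"].append((ev.source, ev.event_id))
    return out

# Constructed sample in VEW's format, copied from the records posted in this thread.
SAMPLE_VEW_LOG = """\
'System' Log - Error Type
Log: 'System' Date/Time: 11/09/2012 9:13:06 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: aswSnx SBRE

Log: 'System' Date/Time: 11/09/2012 9:11:43 PM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Remote Access Auto Connection Manager service depends on the Remote Access Connection Manager service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The Net.Tcp Listener Adapter service depends the following service: was. This service might not be installed.

Log: 'System' Date/Time: 11/09/2012 9:11:06 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
"""
```

To run it over a real VEW output file, call `triage(parse_vew(open(path).read()))`; with the constructed sample it reports two failed drivers (aswSnx, SBRE), the two service dependency chains, and one persistence flag. The split matters because every SCM failure in the posted log is a configuration or third-party-software problem, whereas the Wininit warning names a mechanism that malware uses for code injection and deserves its own follow-up.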

#10 RKinner (Malware Expert, MVP, 24,625 posts)

Vino's knows what time it is:

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 11/09/2012 5:38:55 PM


The Event reports are always in UTC or GMT without the offset for your time zone.


How is it running now? You have quite a few services which are not happy so I expect there is a bit of a delay at boot. Some of them I have no idea why they are running.

I'll look through them after my nap.


#11 RKinner (Malware Expert, MVP, 24,625 posts)

Log: 'System' Date/Time: 11/09/2012 9:13:06 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: aswSnx SBRE


aswSnx is a part of Avast which apparently did not install correctly.

SBRE = Sbredrv.sys, described as "64-bit Anti-Rootkit Engine", is a driver file from the company Sunbelt Software belonging to the product CounterSpy.
The file is digitally signed by GFI Software Development Ltd. - VeriSign Time Stamping Services Signer - G2.

I would uninstall Counterspy then reinstall Avast (remember to right click and Run As Admin) as they may have been fighting each other.

Log: 'System' Date/Time: 11/09/2012 9:13:06 PM
Type: Error Category: 0
Event: 7022 Source: Service Control Manager
The HP Connection Manager 4 Service service hung on starting.


I don't know much about HP Connection Manager, but it's obviously not working correctly, so I would uninstall it. If it is something you want, then try a new download and install (remember to right click and Run As Admin).

Log: 'System' Date/Time: 11/09/2012 9:11:43 PM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Remote Access Auto Connection Manager service depends on the Remote Access Connection Manager service which failed to start because of the following error: The dependency service or group failed to start.



If you use Remote Access, then right click on Computer and select Manage, then Services and Applications, then Services. Find the Telephony service, right click on it, select Properties, then make sure it has Startup Type set to Manual. Apply, and verify it will Start. Then do the same for Secure Socket Tunneling Protocol Service. If you get an error, let me know. Then go to Remote Access Connection Manager and do the same thing. Will it start now?

If you don't use Remote Access then change the startup type for Remote Access Connection Manager to Disabled. Apply.

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The Net.Tcp Listener Adapter service depends the following service: was. This service might not be installed.

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7003 Source: Service Control Manager
The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.


These two are not normally required at home:

This service is not installed by default. You can add or remove this service by heading to:

Head to Start
Select Control Panel
Select Programs
Select Programs and Features
Select Turn Windows Features on or off


If you want it to work you have to get WAS to work:

The Windows Process Activation Service (WAS) provides process activation, resource management and health management services for message-activated applications.
Additional Information

This service is not installed by default. You can add or remove this service by heading to:

Head to Start
Select Control Panel
Select Programs
Select Programs and Features
Select Turn Windows Features on or off

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The HP Software Framework Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 11/09/2012 9:11:41 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the HP Software Framework Service service to connect.



No idea what HP Software Framework Service does. Can be turned off by setting Startup Type to Disabled and Apply. Otherwise uninstall and download a new version and reinstall.

Log: 'System' Date/Time: 11/09/2012 9:11:06 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.


This one is odd. There should be an O20 entry in OTL if this is the case.

Let's look and see if it is hiding:

Copy the next line:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /s > \junk.txt


Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear.

Attach the file c:\junk.txt to your next post.

Log: 'System' Date/Time: 11/09/2012 9:10:57 PM
Type: Warning Category: 0
Event: 121 Source: MSiSCSI
The firewall exception to allow Internet Storage Name Server (iSNS) client functionality is not enabled. iSNS client functionality is not available.


No idea why iSNS would be installed on your PC. iSNS provides management services similar to those found in Fibre Channel networks, allowing a standard IP network to operate in much the same way that a Fibre Channel storage area network does. Because iSNS is able to emulate Fibre Channel fabric services and manage both iSCSI and Fibre Channel devices, an iSNS server can be used as a consolidated configuration point for an entire storage network. However, standards-compliant iSNS implementations are required to support the iFCP protocol, supporting the iSCSI protocol is optional. If you want it to work you have to tell the firewall to let it through.

#12 thisstinks (Member, Topic Starter, 13 posts)

One by one
I do not know what CounterSpy is and could not find it listed in Revo Uninstaller or in Control Panel uninstall programs, so I did not try to reinstall Avast for fear it might leave me exposed.

HP Connection Mgr must have come with laptop when new, UNINSTALLED

Net TCP and Pipe Listeners
did not see anything by those names in Windows Features so Disabled in Services

Did not see or address WAS

HP Software Framework must have come with laptop when new, DISABLED

Microsoft Windows wininit

junk.txt here

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
IconServiceLib REG_SZ IconCodecService.dll
DdeSendTimeout REG_DWORD 0x0
DesktopHeapLogging REG_DWORD 0x1
GDIProcessHandleQuota REG_DWORD 0x2710
ShutdownWarningDialogTimeout REG_DWORD 0xffffffff
USERNestedWindowLimit REG_DWORD 0x32
USERPostMessageLimit REG_DWORD 0x2710
USERProcessHandleQuota REG_DWORD 0x2710
(Default) REG_SZ mnmsrvc
DeviceNotSelectedTimeout REG_SZ 15
Spooler REG_SZ yes
TransmissionRetryTimeout REG_SZ 90
AppInit_DLLs REG_SZ
LoadAppInit_DLLs REG_DWORD 0x1

I do not know what ISNS is and assume I do not want to let it through the firewall, how do I turn off?

Thanks, will reboot and see if I am moving forward.

As far as Vino goes, it was the minutes place that threw me. 5 PM here is altered by GMT, but if it is 35 or so after the hour in real time, why does Vino report system times of 10 to 13 after the hour? Is it a last-time-of-access timestamp?

UPDATE: Reboot included three Windows Updates: KB2735855 (no description), KB2736233 (Rollup for ActiveX killbits), and KB890830 (malicious software removal tool), so it was normally slow for the WU install; the next reboot was 1:12, down from an average of 1:43, but still slower than usual three or four weeks ago. However, I did not time prior boots, so my guess is boot time is still doubled, more or less.

Edited by thisstinks, 11 September 2012 - 11:29 PM.

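A check on the AppInit_DLLs finding above, as an added example that is not code from the thread, from OTL or from Microsoft. The reg query given in the thread dumps only the native 64-bit key, and on x64 the 32-bit loader reads a separate copy of the same key under Wow6432Node, so this parses and judges both views; it also reports RequireSignedAppInit_DLLs, which Windows 7 and later honour to restrict the list to signed DLLs. The sample output is constructed: the 64-bit part mirrors the junk.txt posted above (empty AppInit_DLLs, LoadAppInit_DLLs set to 1), while the Wow6432Node part and its hypothetical_hook.dll path are hypothetical, placed there to show what the single-view query would miss. The live query (query_live) is only meaningful on Windows; everything else runs anywhere.

```python
"""Check the AppInit_DLLs persistence point from 'reg query /s' output.
Added example, not part of the thread. The reg query posted in the thread dumps
only the native 64-bit key; on x64 the 32-bit loader reads a separate copy under
Wow6432Node, so this parses and judges both views. Parsing and the verdict run
anywhere; the live query (query_live) is only meaningful on Windows."""
import re
import subprocess
import sys

NATIVE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WOW64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
# reg.exe separates name, type and data with runs of spaces, and a forum paste may
# collapse them to one, so split on the REG_* type token rather than on columns.
VALUE_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from 'reg query KEY /s' output."""
    views, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().rstrip("\\")
            views.setdefault(key, {})
        elif key and (m := VALUE_RE.match(line)):
            views[key][m["name"]] = (m["type"], (m["data"] or "").strip())
    return views

def dword_value(values, name, default=0):
    """REG_DWORD data comes back from reg.exe as hex text such as 0x1."""
    raw = values.get(name, (None, ""))[1]
    if not raw:
        return default
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)

def assess(views):
    """One finding per registry view: what is listed and whether the gate is open."""
    findings = []
    for key in (NATIVE, WOW64):
        values = views.get(key)
        if values is None:
            findings.append({"view": key, "status": "not queried"})
            continue
        # AppInit_DLLs is a space- or comma-separated list of DLL paths.
        dlls = [d for d in re.split(r"[ ,]+", values.get("AppInit_DLLs", ("", ""))[1]) if d]
        enabled = dword_value(values, "LoadAppInit_DLLs") == 1
        if enabled and dlls:
            status = "injecting"            # loaded into every process that maps user32.dll
        elif enabled:
            status = "enabled, empty list"  # gate open, nothing listed: the thread's 64-bit view
        else:
            status = "disabled"
        findings.append({"view": key, "status": status, "dlls": dlls,
                         "load_appinit_dlls": enabled,
                         # Windows 7 and later honour this to restrict the list to signed DLLs.
                         "require_signed": dword_value(values, "RequireSignedAppInit_DLLs") == 1})
    return findings

def query_live():
    """Run reg.exe against both views (Windows only) and return the parsed result."""
    out = ""
    for key in (NATIVE, WOW64):
        out += subprocess.run(["reg", "query", key.replace("HKEY_LOCAL_MACHINE", "HKLM"), "/s"],
                              capture_output=True, text=True).stdout + "\n"
    return parse_reg_query(out)

# Constructed sample: the 64-bit view mirrors the junk.txt posted in the thread; the
# Wow6432Node view and its hypothetical_hook.dll are hypothetical, added to show what
# querying the 64-bit key alone would miss.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    IconServiceLib    REG_SZ    IconCodecService.dll
    (Default)    REG_SZ    mnmsrvc
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\Users\Public\hypothetical_hook.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    RequireSignedAppInit_DLLs    REG_DWORD    0x0
"""

if __name__ == "__main__":
    views = query_live() if sys.platform == "win32" else parse_reg_query(SAMPLE_REG_OUTPUT)
    for finding in assess(views):
        print(finding)
```

On the posted junk.txt alone the verdict for the 64-bit view is "enabled, empty list": nothing is being injected from that key, but the gate is open, which is why the fix in the next post clears the value. A view that was never queried is reported as "not queried" rather than silently treated as clean, so the 32-bit side cannot be overlooked the way the single reg query would overlook it.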

#13 RKinner (Malware Expert, MVP, 24,625 posts)

Copy the text in the code box by highlighting and Ctrl + c



:files
sc config SBRE start= disabled /c
sc delete SBRE /c
sc config iSNS start= disabled /c

:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=-

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply. This will also create a file winsock2.reg on your desktop. It is an insurance file. If you can't get on the Internet after the fix, try right clicking on the winsock2.reg and Merge then reboot. If that doesn't help then do a System Restore.
It appears that Old Timer is now hiding the log in c:\_OTL\RemovedFiles\09122012-some number.log.


Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.


and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron

#14 thisstinks (Member, Topic Starter, 13 posts)

Copied lines into OTL, ran as Admin; after a few seconds, two flashes of a black DOS CMD box so quick I could not read them, then for the last 12 hours all OTL says is "not responding". Will leave it undisturbed in case it is still going, but the disk light is dark.

#15 RKinner (Malware Expert, MVP, 24,625 posts)

Reboot after killing OTL and then run OTL Quickscan again and post the log.