Keylogger - Credit Card Security Breach [Solved]


  • This topic is locked

#1 joseph456 (Member, 345 posts)
Is there a way to know whether or not you have a keylogger on your computer vs a security breach on a website? I have MSE installed real time.

Thanks for your help.


#2 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hello joseph456 and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTES:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead, please copy and paste it to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.
Step 1

Download OTL to your Desktop

  • Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan/Fixes box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.
Step 3

Please don't forget to include these items in your reply:

  • OTL log
  • OTL Extras log
  • GMER log
It would be helpful if you could post each log in a separate post using the "Add Reply" button.

#3 joseph456 (Topic Starter, Member, 345 posts)
Thanks for your help!

OTL Log:

OTL logfile created on: 10/19/2012 8:01:37 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.74% Memory free
3.85 Gb Paging File | 3.54 Gb Available in Paging File | 91.83% Paging File free
Paging file location(s): C:\pagefile.sys 2046 2046 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 9.87 Gb Free Space | 26.48% Space Free | Partition Type: NTFS

Computer Name: S0034324532 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/19 19:23:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\desktop\OTL.exe
PRC - [2012/09/20 00:02:24 | 000,363,752 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/20 17:23:00 | 000,599,419 | ---- | M] () -- C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll
MOD - [2006/06/26 19:02:49 | 000,049,852 | ---- | M] () -- C:\WINNT\system32\pdf995mon.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/10/09 18:56:45 | 000,115,168 | ---- | M] (Mozilla Foundation) [Disabled | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/08/25 18:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2003/10/15 18:13:06 | 000,077,824 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe -- (PassThru)
SRV - [2003/03/03 14:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Disabled | Stopped] -- C:\Program Files\Internet Explorer\SABProcEnum.sys -- (SABProcEnum)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\Drivers\PROCEXP151.SYS -- (PROCEXP151)
DRV - [2011/08/09 17:33:58 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2011/03/18 12:08:54 | 000,025,240 | ---- | M] (Almico Software) [Kernel | Boot | Running] -- C:\WINNT\system32\speedfan.sys -- (speedfan)
DRV - [2007/09/28 14:30:57 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5)
DRV - [2007/09/28 14:30:49 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2007/06/05 11:56:40 | 000,044,928 | ---- | M] (Panda Software) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\SDTHOOK.SYS -- (SDTHOOK)
DRV - [2006/04/26 21:44:22 | 000,028,672 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\CO_Mon.sys -- (CO_Mon)
DRV - [2005/08/09 20:35:42 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/31 15:21:32 | 000,200,704 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\System32\drivers\udfreadr.sys -- (UdfReadr)
DRV - [2003/10/14 17:05:28 | 000,252,144 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2003/07/17 18:40:06 | 000,265,728 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2003/06/27 09:53:44 | 001,196,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2003/03/17 18:39:12 | 000,020,352 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\iqvw32.sys -- (NAL)
DRV - [1996/04/03 15:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINNT\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search...p={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Overture
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.overture....s={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://www.netaddress.com/tpl/Doo [Binary data over 200 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...urce=gama&hl=en
IE - HKCU\..\SearchScopes,DefaultScope = {91E988AB-50B7-46B0-B45D-5CF6103F052F}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{79141AC0-4211-45BD-8AD5-0CAC7ACCA01B}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{91E988AB-50B7-46B0-B45D-5CF6103F052F}: "URL" = http://www.google.co...age={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co...ange/&reason=0"
FF - prefs.js..extensions.enabledAddons: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:4.1.3.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINNT\system32\Macromed\Flash\NPSWF32_11_4_402_278.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\WINNT\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINNT\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/09 18:56:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/10/01 11:21:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2012/10/04 21:55:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\miobjuei.default-1349313115875\extensions
[2012/10/04 21:55:09 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\miobjuei.default-1349313115875\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2012/10/09 18:55:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/10/09 18:56:47 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/03 13:14:35 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/09 18:55:35 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2005/10/23 22:33:52 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKCU\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Billminder.lnk = C:\QUICKENW\billmind.exe (Intuit)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O15 - HKCU\..Trusted Domains: geekstogo.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {1663ed6a-23eb-11d2-b92f-008048fdd814} https://www6.glic.co...cripts/smsx.cab (MeadCo Extended HTML Printing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1341707470406 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{050C88C6-9DB9-4307-B7C2-8D384252F0A1}: DhcpNameServer = 192.168.100.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{268204A6-66E6-4020-A2ED-28CD4BE3D120}: DhcpNameServer = 192.168.1.1 4.2.2.2
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINNT\system32\userinit.exe) - C:\WINNT\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINNT\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 () -
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/15 23:31:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5e59674a-b37a-11e1-9bd2-00904b847847}\Shell - "" = AutoRun
O33 - MountPoints2\{5e59674a-b37a-11e1-9bd2-00904b847847}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5e59674a-b37a-11e1-9bd2-00904b847847}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{639d715b-fea5-11dc-9768-00904b847847}\Shell\AutoRun\command - "" = E:\MigoSyncEncrypt.exe
O33 - MountPoints2\{663fc156-6412-11e1-9ba3-00904b847847}\Shell - "" = AutoRun
O33 - MountPoints2\{663fc156-6412-11e1-9ba3-00904b847847}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{663fc156-6412-11e1-9ba3-00904b847847}\Shell\AutoRun\command - "" = E:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{8382f4fc-c626-11dd-9808-00904b847847}\Shell - "" = AutoRun
O33 - MountPoints2\{8382f4fc-c626-11dd-9808-00904b847847}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8382f4fc-c626-11dd-9808-00904b847847}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{9f2e57b0-d2a7-11dd-9825-00904b847847}\Shell - "" = AutoRun
O33 - MountPoints2\{9f2e57b0-d2a7-11dd-9825-00904b847847}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f2e57b0-d2a7-11dd-9825-00904b847847}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/10/19 19:25:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\New Folder (2)
[2012/10/18 00:45:41 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/10/17 09:34:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/10/15 21:08:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\New Folder
[2012/10/15 13:53:02 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2012/10/09 19:27:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SlimCleaner
[2012/10/09 18:55:15 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/10/01 20:41:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2012/10/01 20:41:08 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2012/09/24 13:58:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mead & Company
[2012/09/24 13:58:10 | 000,000,000 | ---D | C] -- C:\Program Files\MeadCo ScriptX
[2012/09/24 13:58:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MeadCo ScriptX
[2006/10/10 20:40:37 | 000,389,120 | ---- | C] (Citrix Online) -- C:\Documents and Settings\Administrator\remote.exe

========== Files - Modified Within 30 Days ==========

[2012/10/19 19:27:18 | 000,119,223 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Keylogger - Credit Card Security Breach - Geeks to Go Forums.pdf
[2012/10/19 19:23:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/10/19 18:10:41 | 000,004,616 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2012/10/19 11:09:09 | 000,002,231 | ---- | M] () -- C:\WINNT\QUICKEN.INI
[2012/10/18 23:03:12 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Calculator Plus.lnk
[2012/10/18 00:50:35 | 000,000,384 | -H-- | M] () -- C:\WINNT\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/10/18 00:40:39 | 000,001,158 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2012/10/18 00:40:00 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2012/10/18 00:37:48 | 000,002,522 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\KL Report 10.18.12.rtf
[2012/10/17 00:17:52 | 000,100,188 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RCP.pdf
[2012/10/08 00:23:31 | 001,311,798 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\section.pdf
[2012/10/04 22:03:42 | 000,022,011 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\cr.pdf
[2012/10/02 21:46:41 | 000,000,115 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Credit Card Home.URL
[2012/10/02 09:46:23 | 000,035,023 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ATT.pdf
[2012/10/01 20:06:57 | 000,259,664 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Global Payments Suffers the Latest Massive Data Breach - American Banker.pdf
[2012/10/01 00:22:46 | 000,139,177 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Home AnalyzerSummary.pdf
[2012/09/29 19:20:04 | 000,000,458 | ---- | M] () -- C:\WINNT\tasks\EasyShare Registration Task.job
[2012/09/28 22:28:22 | 000,001,945 | ---- | M] () -- C:\WINNT\epplauncher.mif
[2012/09/28 21:22:30 | 000,001,341 | ---- | M] () -- C:\quotes.csv
[2012/09/28 00:33:08 | 000,217,357 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\WSJ.pdf
[2012/09/23 22:10:39 | 001,274,190 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CNL33.pdf

========== Files Created - No Company Name ==========

[2012/10/19 19:27:17 | 000,119,223 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Keylogger - Credit Card Security Breach - Geeks to Go Forums.pdf
[2012/10/18 00:37:48 | 000,002,522 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\KL Report 10.18.12.rtf
[2012/10/17 00:17:50 | 000,100,188 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RCP.pdf
[2012/10/15 13:53:35 | 000,001,800 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
[2012/10/08 00:23:31 | 001,311,798 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HAMWM11section.pdf
[2012/10/04 22:03:40 | 000,022,011 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\carracino.pdf
[2012/10/02 21:46:41 | 000,000,115 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AT&T Universal Card Home.URL
[2012/10/02 09:46:23 | 000,035,023 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ATT.pdf
[2012/10/01 20:06:55 | 000,259,664 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Global Payments Suffers the Latest Massive Data Breach - American Banker.pdf
[2012/10/01 00:22:42 | 000,139,177 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Home AnalyzerSummary.pdf
[2012/09/28 22:38:10 | 000,000,384 | -H-- | C] () -- C:\WINNT\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/09/28 21:22:29 | 000,001,341 | ---- | C] () -- C:\quotes.csv
[2012/09/28 00:33:07 | 000,217,357 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\WSJ.pdf
[2012/09/23 22:10:37 | 001,274,190 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CNL33.pdf
[2012/02/16 01:47:39 | 000,003,072 | ---- | C] () -- C:\WINNT\System32\iacenc.dll
[2012/01/12 20:15:28 | 002,618,968 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-515416071-1635729839-3118798863-500-0.dat
[2012/01/12 20:15:25 | 000,357,562 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/01/12 19:55:59 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2011/11/20 12:49:01 | 003,153,920 | ---- | C] () -- C:\Documents and Settings\Administrator\secsetup.sdb
[2011/07/11 23:50:36 | 000,000,193 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2011/03/20 14:38:55 | 000,000,169 | ---- | C] () -- C:\WINNT\InforceDownloadClient.ini
[2010/12/16 20:08:56 | 000,103,720 | ---- | C] () -- C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
[2008/02/13 16:43:33 | 000,072,080 | ---- | C] () -- C:\Documents and Settings\Administrator\g2mdlhlpx.exe
[2006/06/08 23:07:13 | 000,000,602 | ---- | C] () -- C:\Documents and Settings\Administrator\backup.sus
[2005/11/16 19:37:50 | 000,052,337 | ---- | C] () -- C:\Documents and Settings\Administrator\WinPatrolLog.html
[2005/11/10 21:48:57 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/11/02 17:50:38 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2005/10/18 21:18:38 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/08/26 23:06:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\chkdsk
[2005/08/05 22:22:18 | 000,000,302 | ---- | C] () -- C:\Program Files\temp995.bat

========== ZeroAccess Check ==========

[2003/10/07 08:59:36 | 000,000,227 | RHS- | M] () -- C:\WINNT\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\System32\shdocvw.dll -- [2008/04/13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINNT\System32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINNT\System32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2007/06/02 19:56:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\aignes
[2010/01/31 13:07:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AltrixSoft
[2011/09/14 14:29:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Auslogics
[2008/06/16 22:00:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BinarySense
[2010/01/03 16:25:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon
[2012/06/24 11:48:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon Easy-WebPrint EX
[2010/06/12 16:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/02/14 11:10:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\cronometer
[2010/11/18 00:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\EISI
[2012/04/19 09:17:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ElevatedDiagnostics
[2009/10/26 19:33:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FreshDiagnose
[2012/09/08 10:24:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GARMIN
[2011/06/26 12:58:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GlarySoft
[2011/11/17 00:39:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IObit
[2007/05/30 20:11:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\iolo
[2008/06/28 18:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\samplegames
[2007/09/20 19:26:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2005/11/01 22:00:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Learn2.com
[2009/07/13 20:57:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Neverball
[2004/10/25 23:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\pdf995
[2007/05/08 13:41:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SmartDraw
[2008/12/24 00:12:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Software Informer
[2010/06/13 01:44:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
[2008/12/13 01:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2012/07/14 17:18:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WinPatrol
[2009/01/08 00:22:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ActiveSMART
[2010/01/02 19:17:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/01/12 10:45:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2010/01/03 16:25:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2011/10/14 20:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ClubSanDisk
[2011/03/15 09:03:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2009/02/14 02:59:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DFX
[2012/09/20 09:20:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2007/05/30 20:11:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2012/05/19 08:36:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/07/28 23:25:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2012/10/17 22:03:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/09/06 04:07:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/01/05 19:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
[2005/02/08 23:37:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{2F072519-01D6-4864-AE2C-222D899DD62A}
[2012/03/03 19:23:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{FD7CAB3E-E895-4E98-9D68-A307CC601204}

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINNT\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINNT\ServicePackFiles\i386\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINNT\system32\dllcache\explorer.exe
[2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINNT\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINNT\$NtServicePackUninstall$\explorer.exe

< MD5 for: SERVICES.EXE >
[2009/02/06 07:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINNT\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/13 20:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINNT\ServicePackFiles\i386\services.exe
[2009/02/06 13:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=37561F8D4160D62DA86D24AE41FAE8DE -- C:\WINNT\$NtServicePackUninstall$\services.exe
[2009/02/06 06:22:21 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=4712531AB7A01B7EE059853CA17D39BD -- C:\WINNT\$hf_mig$\KB956572\SP2QFE\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINNT\$hf_mig$\KB956572\SP3GDR\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINNT\system32\dllcache\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINNT\system32\services.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINNT\ServicePackFiles\i386\svchost.exe
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINNT\system32\dllcache\svchost.exe
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINNT\system32\svchost.exe
[2012/09/07 17:04:42 | 000,218,696 | ---- | M] () MD5=4E0D8C9F83B7FD82393F7D8CCC27E7AE -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2004/08/04 01:56:58 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINNT\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 01:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINNT\$NtServicePackUninstall$\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINNT\ServicePackFiles\i386\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINNT\system32\dllcache\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINNT\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 01:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINNT\$NtServicePackUninstall$\winlogon.exe
[2012/09/07 17:04:42 | 000,218,696 | ---- | M] () MD5=4E0D8C9F83B7FD82393F7D8CCC27E7AE -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINNT\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINNT\system32\dllcache\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINNT\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< >
[1980/01/01 01:00:00 | 000,000,065 | RH-- | C] () -- C:\WINNT\Tasks\desktop.ini
[2003/10/06 17:41:17 | 000,000,006 | -H-- | C] () -- C:\WINNT\Tasks\SA.DAT
[2011/11/14 21:04:38 | 000,000,604 | ---- | C] () -- C:\WINNT\Tasks\SCHEDLGU.TXT
[2012/03/03 20:21:09 | 000,000,458 | ---- | C] () -- C:\WINNT\Tasks\EasyShare Registration Task.job
[2012/09/28 22:38:10 | 000,000,384 | -H-- | C] () -- C:\WINNT\Tasks\Microsoft Antimalware Scheduled Scan.job

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6DFF1A8A
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2BE9FEFC
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

Edited by joseph456, 20 October 2012 - 10:01 PM.


#4 joseph456 (Topic Starter, Member, 345 posts)
OTL Extras - :confused:

NOTE - This is the first OTL Extras log I received (see the date) when I ran this program the first time. When I ran the program today there was an OTL log, but it did not produce an OTL Extras log. This is the same log I posted in the Waiting Room (along with the OTL log).

OTL Extras logfile created on: 10/18/2012 12:45:58 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.42% Memory free
3.85 Gb Paging File | 3.43 Gb Available in Paging File | 89.14% Paging File free
Paging file location(s): C:\pagefile.sys 2046 2046 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 9.99 Gb Free Space | 26.81% Space Free | Partition Type: NTFS

Computer Name: S0034324532 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"50000:UDP" = 50000:UDP:*:Enabled:IHA_MessageCenter
"5353:UDP" = 5353:UDP:*:Enabled:Bonjour Port 5353

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\TurboTax\Home & Business 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Home & Business 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Home & Business 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Home & Business 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\Soluto\solutoinstaller.exe" = C:\Documents and Settings\Administrator\My Documents\My Downloads 121408\Computer Security\Soluto\solutoinstaller.exe:*:Enabled:SolutoInstaller
"C:\WINNT\system32\dxdiag.exe" = C:\WINNT\system32\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool -- (Microsoft Corporation)
"C:\WINNT\system32\dpvsetup.exe" = C:\WINNT\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00FE2935-FB56-4410-AB5F-D6E70C1771D2}" = Garmin WebUpdater
"{038A524F-58DB-438A-8391-8F7F0CA14B9E}" = Microsoft® Winter Fun Pack 2004 for Windows® XP
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP490_series" = Canon MP490 series MP Drivers
"{16B2498C-C6C1-4AE7-95EF-D2A09F50071C}" = KODAK Share Button App
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FE80E58-0774-4EC3-B6BA-68876B88D4B9}" = TurboTax 2011 wvaiper
"{20CFBF87-73BD-4EC5-80B4-9C894126BD14}" = TurboTax 2008 wvaiper
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3D29DFC0-EAA2-012B-AED3-000000000000}" = TurboTax 2009 wvaiper
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{53C49C8D-DFB2-42B9-A7EF-0F9CA386CC13}" = IHA_MessageCenter
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{759FF0F7-5C37-46B7-9360-F0E88B1DC323}" = SlimCleaner
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A62F9CD0-B2E0-4F2A-88F2-79254A3C8539}" = WinPatrol
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{ABA5E381-EC46-425C-86C5-5CD15BBFB4BF}" = Garmin USB Drivers
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B82919F6-31AA-43B3-B566-5DE35D69069A}" = TurboTax ItsDeductible 2004
"{BB830F9E-53B3-492F-B39C-2DF615D1C9E1}" = TurboTax 2010 wvaiper
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7DD94A8-F775-426C-B56C-8E555A59F9E2}" = Garmin Communicator Plugin
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CAF5B770-082F-40C4-853D-3973BB81BDAA}" = TurboTax 2011 WinPerTaxSupport
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E463E171-4082-4744-A466-F7CBE8502789}" = TurboTax 2011 WinPerReleaseEngine
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EE556A3E-EB37-4392-9637-BAA8EC2F47FA}" = TurboTax 2011 wrapper
"{F2682E66-3DEF-4066-AD9F-70DDB96CDDCC}" = MeadCo ScriptX (v7.0.0.8 (x86))
"{F8A10A25-D8DD-4661-9A1E-7F6DBAAA3C5E}" = inSSIDer
"{FAD3D68B-2F9C-459B-AA79-C04B9090FD72}" = TurboTax 2011 WinPerFedFormset
"98157A226B40B173301B0F53C8E98C47805D5152" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (04/19/2012 2.3.1.0)
"Adaptec UDF Reader" = Adaptec UDF Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"aignesamdeadlink_is1" = AM-DeadLink 4.4
"ATI Display Driver" = ATI Display Driver
"Belarc Advisor" = Belarc Advisor 8.2
"Branding" =
"Broadcom 802.11b Network Adapter" = BCM Wireless Network Adapter
"Canon MP490 series User Registration" = Canon MP490 series User Registration
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"CleanCache 3.0_is1" = CleanCache 3.5
"CleanUp!" = CleanUp!
"CoinWizard" = CoinWizard
"Connection Manager" =
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"ERUNT_is1" = ERUNT 1.1j
"FileHippo.com" = FileHippo.com Update Checker
"Gateway Drivers and Applications Recovery" = Gateway Drivers and Applications Recovery
"HD Tune_is1" = HD Tune 2.55
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Interactive Training" =
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 16.0 (x86 en-US)" = Mozilla Firefox 16.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSI30a-KB884016" =
"MSI30-Beta1" =
"MSI30-Beta2" =
"MSI30-KB884016" =
"MSI30-RC1" =
"MSI30-RC2" =
"MSI31-Beta" =
"MSI31-RC1" =
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero BurnRights!UninstallKey" = Ahead Nero BurnRights
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PCHealth" =
"Pdf995" = Pdf995
"PROSet" = Intel® PRO Network Adapters and Drivers
"Quicken Deluxe 98" = Quicken Deluxe 98
"Revo Uninstaller" = Revo Uninstaller 1.94
"Signature995" = Signature995
"Speccy" = Speccy
"SpeedFan" = SpeedFan (remove only)
"SpywareBlaster_is1" = SpywareBlaster 4.6
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Taskbar Shuffle_is1" = Taskbar Shuffle version 2.5
"TurboTax 2008" = TurboTax 2008
"TurboTax 2009" = TurboTax 2009
"TurboTax 2010" = TurboTax 2010
"TurboTax 2011" = TurboTax 2011
"TurboTax Home & Business 2006" = TurboTax Home & Business 2006
"TurboTax Home & Business 2007" = TurboTax Home & Business 2007
"TurboTax Premier 2005" = TurboTax Premier 2005
"Tweak UI 2.10" = Tweak UI
"TweakMP9" = Windows Media Player 9 Series TweakMP PowerToy
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPhlash" = WinPhlash
"WinPokerushr" = WinPoker 6 Shareware
"WMCSetup" =
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"WinDirStat" = WinDirStat 1.1.2

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = Removed | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

Error - 1/11/2012 8:56:18 PM | Computer Name = | Source = ESENT | ID = 623
Description = Catalog Database (1344) The version store for this instance (0) has
reached its maximum size of 16Mb. It is likely that a long-running transaction
is preventing cleanup of the version store and causing it to build up in size. Updates
will be rejected until the long-running transaction has been completely committed
or rolled back. Possible long-running transaction: SessionId: 0x03C703C0 Session-context:
0x00000000 Session-context ThreadId: 0x000003B0

[ System Events ]
Error - 10/11/2012 7:42:09 PM | Computer Name = | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.

Error - 10/12/2012 12:32:29 PM | Computer Name = | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.66 for the Network Card with network
address 00904B847847 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 10/15/2012 2:01:15 PM | Computer Name = | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 10/15/2012 6:49:39 PM | Computer Name = | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.

Error - 10/15/2012 7:57:57 PM | Computer Name = | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 10/17/2012 7:43:20 PM | Computer Name = | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 10/17/2012 8:37:22 PM | Computer Name = | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.

Error - 10/17/2012 9:49:44 PM | Computer Name = | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 10/18/2012 12:21:54 AM | Computer Name = | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 10/18/2012 12:38:24 AM | Computer Name = | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.


< End of report >

Edited by joseph456, 20 October 2012 - 10:08 PM.


#5 joseph456 (Topic Starter, Member, 345 posts)
GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-19 20:36:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC25N040ATMR04-0 rev.MO2OAD4A
Running: b52kdtcy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwdiikow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtAddAtom + 6 7C90CEE4 4 Bytes CALL 7B918DED
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtAddAtom + B 7C90CEE9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtCreateKey + 6 7C90D0F4 4 Bytes [68, 01, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtCreateKey + B 7C90D0F9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtCreateMutant + 6 7C90D114 4 Bytes [28, 02, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtCreateMutant + B 7C90D119 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtCreateSection + 6 7C90D184 4 Bytes [68, 02, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtCreateSection + B 7C90D189 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtDeleteAtom + 6 7C90D224 4 Bytes [68, 05, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtDeleteAtom + B 7C90D229 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtDeleteValueKey + 6 7C90D274 4 Bytes CALL 7B91917B
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtDeleteValueKey + B 7C90D279 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtFindAtom + 6 7C90D324 4 Bytes [28, 05, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtFindAtom + B 7C90D329 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes CALL 7B91942E
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenKey + 6 7C90D5D4 4 Bytes [A8, 01, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenKey + B 7C90D5D9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenMutant + 6 7C90D5E4 4 Bytes CALL 7B9194EA
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenMutant + B 7C90D5E9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcess + 6 7C90D604 1 Byte [68]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [68, 03, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcessToken + 6 7C90D614 1 Byte [A8]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes [A8, 03, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [68, 04, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenSection + 6 7C90D634 4 Bytes [A8, 02, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenSection + B 7C90D639 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenThread + 6 7C90D664 1 Byte [28]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [28, 03, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [28, 04, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes [A8, 04, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9196B9
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtQueryInformationAtom + 6 7C90D7C4 4 Bytes [A8, 05, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtQueryInformationAtom + B 7C90D7C9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 1 Byte [E8]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes CALL 7B919BBC
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [28, 06, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D500B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D500F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] kernel32.dll!CreateEventW 7C80A749 5 Bytes JMP 00D50030
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 00D50170
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] kernel32.dll!OpenEventW 7C8131E0 5 Bytes JMP 00D50070
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 00E40430
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!ActivateKeyboardLayout 7E428673 5 Bytes JMP 00E403F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!IsClipboardFormatAvailable 7E42F166 5 Bytes JMP 00E400F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetClipboardSequenceNumber 7E42F17A 2 Bytes JMP 00E402B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetClipboardSequenceNumber + 3 7E42F17D 2 Bytes [A1, 82]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!CloseClipboard 7E430265 5 Bytes JMP 00E400B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!OpenClipboard 7E430277 5 Bytes JMP 00E40070
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!EmptyClipboard 7E430D96 5 Bytes JMP 00E40130
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetClipboardOwner 7E430DA8 5 Bytes JMP 00E402F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00E40030
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 00E40170
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetClipboardFormatNameA 7E431290 5 Bytes JMP 00E40270
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!CountClipboardFormats 7E43167F 5 Bytes JMP 00E401F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetOpenClipboardWindow 7E431691 5 Bytes JMP 00E40370
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!EnumClipboardFormats 7E43E53D 5 Bytes JMP 00E401B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetClipboardFormatNameW 7E45957F 5 Bytes JMP 00E40230
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetClipboardViewer 7E46CB94 5 Bytes JMP 00E403B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetPriorityClipboardFormat 7E46CC96 5 Bytes JMP 00E40330
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!GetDeviceCaps 77F15A71 5 Bytes JMP 00E50370
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SelectObject 77F15B70 5 Bytes JMP 00E505B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SetTextColor 77F15D77 5 Bytes JMP 00E50970
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SetBkMode 77F15EDB 5 Bytes JMP 00E50830
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!IntersectClipRect 77F16A56 5 Bytes JMP 00E503B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!GetClipBox 77F16AA1 5 Bytes JMP 00E50330
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!DeleteObject 77F16BFA 5 Bytes JMP 00E501B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00E50170
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!ExtSelectClipRgn 77F17874 5 Bytes JMP 00E502F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SelectClipRgn 77F17AA0 5 Bytes JMP 00E50570
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!GetTextMetricsW 77F17DB9 5 Bytes JMP 00E50D30
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00E508B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SetStretchBltMode 77F18597 5 Bytes JMP 00E505F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!RestoreDC 77F18B28 5 Bytes JMP 00E504F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SaveDC 77F18BEE 5 Bytes JMP 00E50530
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SetTextAlign 77F18C8B 5 Bytes JMP 00E50930
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!MoveToEx 77F1A21A 5 Bytes JMP 00E50430
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!GetTextFaceW 77F1A5CB 5 Bytes JMP 00E50C70
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!StretchDIBits 77F1B0AE 2 Bytes JMP 00E506B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!StretchDIBits + 3 77F1B0B1 2 Bytes [F3, 88]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SetWorldTransform 77F1B457 5 Bytes JMP 00E50630
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00E500B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00E500F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!ExtEscape 77F1C3CC 5 Bytes JMP 00E502B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00E50870
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!LineTo 77F1D997 5 Bytes JMP 00E503F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!GetTextMetricsA 77F1DF45 5 Bytes JMP 00E50CF0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SetICMMode 77F1E868 5 Bytes JMP 00E50CB0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!Rectangle 77F1E9BE 5 Bytes JMP 00E508F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!GetFontData 77F1F314 5 Bytes JMP 00E50BB0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!GetTextFaceA 77F1F365 5 Bytes JMP 00E50C30
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SetPolyFillMode 77F20817 5 Bytes JMP 00E50A70
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SetMiterLimit 77F20E8E 5 Bytes JMP 00E50AB0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!Escape 77F26F5A 5 Bytes JMP 00E50270
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!ResetDCW 77F2B9AF 5 Bytes JMP 00E509F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!CreateICW 77F2C813 5 Bytes JMP 00E50130
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!BeginPath 77F2D4B0 5 Bytes JMP 00E50770
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!EndPath 77F2D530 5 Bytes JMP 00E509B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!SelectClipPath 77F2D5B7 5 Bytes JMP 00E50A30
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!EndPage 77F2DC61 5 Bytes JMP 00E50230
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!EndDoc 77F2DEF1 5 Bytes JMP 00E501F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!PolyBezierTo 77F2EBD1 5 Bytes JMP 00E50470
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!PolylineTo 77F2EC7E 5 Bytes JMP 00E504B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!CloseFigure 77F2ED1A 5 Bytes JMP 00E50070
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!StartPage 77F2F49E 5 Bytes JMP 00E50670
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!RemoveFontResourceW 77F3D07C 5 Bytes JMP 00E50B70
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!GetGlyphOutlineW 77F3E6D1 5 Bytes JMP 00E50BF0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!AddFontResourceW 77F3FFAB 5 Bytes JMP 00E50B30
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!CreateScalableFontResourceW 77F40160 5 Bytes JMP 00E50AF0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!AbortDoc 77F44CD2 5 Bytes JMP 00E50030
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 00E50730
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!StrokePath 77F460B7 5 Bytes JMP 00E506F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!FillPath 77F46144 5 Bytes JMP 00E507B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] GDI32.dll!PolyDraw 77F4667B 5 Bytes JMP 00E507F0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ole32.dll!OleSetClipboard 77547808 5 Bytes JMP 01540030

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[260] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW] 00D50110
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\ole32.dll [ADVAPI32.dll!CryptReleaseContext] 00E60090
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\ole32.dll [ADVAPI32.dll!CryptAcquireContextW] 00E60050
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\NETAPI32.dll [ADVAPI32.dll!CryptAcquireContextW] 00E60050
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\NETAPI32.dll [ADVAPI32.dll!CryptGenRandom] 00E601D0
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\NETAPI32.dll [ADVAPI32.dll!CryptReleaseContext] 00E60090
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\USERENV.dll [ADVAPI32.dll!CryptAcquireContextW] 00E60050
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\USERENV.dll [ADVAPI32.dll!CryptGenRandom] 00E601D0
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\USERENV.dll [ADVAPI32.dll!CryptReleaseContext] 00E60090
IAT C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!MoveFileExW] 00D50110

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]

---- EOF - GMER 1.0.15 ----
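As an added example (this is not code from the thread, from GMER, or from its author), here is a small Python triage script for the GMER log format shown above. It splits the log into its `---- X - GMER ... ----` sections, lists every filter driver that GMER reports attached to the keyboard class stack (the place a kernel-mode keylogger would sit, and also where legitimate touchpad and keyboard drivers live), flags any such entry that GMER printed without a product/vendor string, and counts user-mode `.text` hooks per process and DLL. The sample log is constructed to mirror the thread's format; the `unknownkbd.sys` entry is an invented placeholder added only to show the flag firing and is not from the thread.

```python
"""Triage helpers for GMER 1.0.15 text logs (added example; not GMER's own code)."""
import re
from collections import Counter

# Constructed sample that mirrors the GMER log format seen in the thread.
# 'unknownkbd.sys' is a made-up placeholder used to show how an unidentified
# keyboard-stack filter is flagged; it does not appear in the thread's log.
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-19 20:36:09

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [68, 03, BF, 00]
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D500B0
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00E40030
.text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[5068] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 00E40170

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 unknownkbd.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# AttachedDevice <driver object> <device object> <module> [(<product/vendor>)]
DEVICE_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+)(?: \((.*)\))?$")
# .text <process path>[<pid>] <dll>!<export> ...
HOOK_RE = re.compile(r"^\.text (.+?\[\d+\]) ([^!\s]+)!(\S+)")


def split_sections(text):
    """Return {section name: [non-empty lines]} keyed by GMER's '---- X ----' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def parse_attached_devices(lines):
    """Parse the Devices section into dicts; description is None when GMER printed none."""
    devices = []
    for line in lines:
        m = DEVICE_RE.match(line)
        if m:
            driver, device, module, desc = m.groups()
            devices.append({"driver": driver, "device": device,
                            "module": module, "description": desc})
    return devices


def keyboard_filters(devices):
    """Filters attached to the keyboard class stack; anything here sees raw keystrokes."""
    return [d for d in devices
            if d["driver"].lower().endswith("kbdclass")
            or "keyboardclass" in d["device"].lower()]


def unidentified(devices):
    """Entries GMER could not label with a product/vendor string; review these first."""
    return [d for d in devices if not d["description"]]


def hook_summary(lines):
    """Count user-mode hooks per (process[pid], hooked DLL)."""
    counts = Counter()
    for line in lines:
        m = HOOK_RE.match(line)
        if m:
            proc = m.group(1).rsplit("\\", 1)[-1]   # basename, e.g. AcroRd32.exe[5068]
            counts[(proc, m.group(2))] += 1
    return counts


def triage(text):
    """Summarise one GMER log: keyboard-stack filters, unidentified ones, hook counts."""
    sec = split_sections(text)
    kbd = keyboard_filters(parse_attached_devices(sec.get("Devices", [])))
    return {
        "keyboard_filters": [d["module"] for d in kbd],
        "unidentified_keyboard_filters": [d["module"] for d in unidentified(kbd)],
        "hooks": hook_summary(sec.get("User code sections", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the thread's own log, the keyboard-stack check reports only SynTP.sys on both keyboard class devices, which GMER labels as the Synaptics touchpad driver, and the hook summary reports a large block of hooks inside AcroRd32.exe. A list of user-mode hooks by itself does not distinguish a keylogger from a legitimate product that hooks the same APIs, so the keyboard-stack entries and any unidentified module are the lines to read first; the hook counts mainly tell you which process to investigate further.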

#6
joseph456 (Member, Topic Starter)
Update - System was acting sluggish. Auslogics Disk Defrag would stop every 10 seconds. Also took a long time to boot up - usually the XP bar boots up in 15 - 23 passes, then it went up to about 60. Had to System Restore back to 10/18. All back to normal now as far as system speed. Still not sure about keylogger.

Edited by joseph456, 20 October 2012 - 09:53 PM.


#7
maliprog (Trusted Helper, Malware Removal)
First we'll make sure there is no malware on the system. Then we'll try to speed it up a little bit.

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right
Posted Image


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan
Posted Image

Allow Virus Removal Tool to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

#8
joseph456 (Member, Topic Starter)
Interesting. The only problems it found were in a program I downloaded to work through a previous problem with GTG - probably a false positive? RootkitRevealer, in 2006.

Status: Deleted (events: 2)
10/21/2012 11:52:00 AM Deleted Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\Administrator\My Documents\Geeks to Go\RootkitRevealer.exe High
10/21/2012 11:52:00 AM Deleted Trojan program Trojan.Win32.Scar.ekfy C:\Documents and Settings\Administrator\My Documents\Geeks to Go\RootkitRevealer.exe//# High

I just deleted the entire folder.

Edited by joseph456, 21 October 2012 - 08:40 PM.


#9
maliprog (Trusted Helper, Malware Removal)
Hi joseph456,

That's probably a false positive. Don't worry about it. I don't see any malware or problems on your system. If you don't have any questions I will remove my tools and clean your system. Let me know...

#10
joseph456 (Member, Topic Starter)
Hi maliprog -

I do not see any other problems. How do I remove the tools and clean the system?

Thanks.


#11
maliprog (Trusted Helper, Malware Removal)
Hi joseph456,

Your logs and system are clean now. I'm glad we fixed up your computer.

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [clearallrestorepoints]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Step 2

We need to clean up your PC from programs we used.

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.

In case that any of the software we used in this fix still remains on your system please delete it manually (Right click on it and select Delete).

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Something to read

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

2. Make Backups of Important Files

Please read this article Home Computer Data Backup.

3. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.

#12
joseph456 (Member, Topic Starter)
Thanks. When my computer was operating slow, I used one of the System Restore settings before OTL was installed and that fixed it. I also deleted OTL from the desktop. Questions:

  • Should I download OTL again using the settings you mentioned?
  • Is there any way to retain the System Restore settings in case OTL causes a problem? Can I just remove that line from the "Run Fix" command you have set up?
  • Should I still use "Clean Up" if I have used System Restore setting prior to using OTL?
Thanks for your help!

Edited by joseph456, 22 October 2012 - 08:54 AM.


#13
maliprog (Trusted Helper, Malware Removal)
I didn't think you did a System Restore in the middle of this fix. I thought you did it way back before this fix.

Next time please read my NOTES where it says:

Please DO NOT run any scans or fix on your own without my direction.


In this case just remove VRT tool from your system and that's it. You don't need to download OTL again. Glad your system is running fine now.

Goodbye and stay safe :thumbsup:

#14
joseph456 (Member, Topic Starter)
I just found out that another credit card # was used fraudulently. Can I be absolutely sure that I have no key logger installed? It happens to be a credit card I used last week to pay a bill online.

#15
maliprog (Trusted Helper, Malware Removal)
You should contact all your banks and tell them that your credit cards have been stolen. They will help you and block those credit cards.

Happens to be a credit card I used last week to pay a bill online


That was last week, when your PC was infected. Right now I don't see any infection. GMER and VRT logs are clean.

Do you see any problems on your PC right now?