
Unable to remove malware registry entries.


  • Please log in to reply

#1 willmon2000
Member, 215 posts
I cleaned up my PC of Internet Security malware through Malwarebytes and AdwCleaner. However, Malwarebytes keeps finding three remaining registry values, and no matter how many times I clean them out with Malwarebytes, they come back when I reboot.

OTL logfile created on: 8/1/2013 8:00:47 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\sfschultz\Downloads
Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.16 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 50.22% Memory free
6.33 Gb Paging File | 5.09 Gb Available in Paging File | 80.44% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 118.95 Gb Total Space | 93.06 Gb Free Space | 78.24% Space Free | Partition Type: NTFS

Computer Name: SCALAP0164 | User Name: TurnerAdmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/07/31 15:12:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\sfschultz\Downloads\OTL.exe
PRC - [2013/07/31 15:10:16 | 000,040,816 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\1132\g2mstart.exe
PRC - [2013/07/31 15:10:16 | 000,040,816 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\1132\g2mlauncher.exe
PRC - [2013/07/31 15:10:16 | 000,040,816 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\1132\g2mcomm.exe
PRC - [2013/07/08 04:16:49 | 010,171,744 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version8\TeamViewer.exe
PRC - [2013/07/08 04:16:49 | 004,157,280 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
PRC - [2013/07/08 03:59:02 | 000,195,936 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version8\tv_w32.exe
PRC - [2013/07/01 16:24:15 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2013/07/01 16:24:14 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2013/07/01 16:24:11 | 001,864,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2013/07/01 16:24:11 | 001,455,432 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2013/07/01 16:24:09 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2013/04/04 14:50:32 | 000,887,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2012/10/04 07:57:58 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/21 18:14:56 | 000,054,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2011/02/21 18:14:54 | 000,488,816 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2011/02/21 18:14:54 | 000,054,640 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2011/02/21 18:14:54 | 000,054,640 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2011/02/21 18:14:48 | 000,072,296 | ---- | M] (O2Micro International) -- C:\Windows\System32\drivers\o2flash.exe
PRC - [2010/11/20 14:29:19 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/02/25 06:04:40 | 000,263,536 | ---- | M] (SAP AG) -- C:\Program Files\SAP\SapSetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe
PRC - [2010/02/25 06:04:40 | 000,226,672 | ---- | M] (SAP AG) -- C:\Program Files\SAP\SapSetup\setup\Updater\NwSapSetupUserNotificationTool.exe
PRC - [2009/11/17 10:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009/09/18 02:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\CCM\CcmExec.exe
PRC - [2009/09/18 02:00:00 | 000,367,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\CCM\SMSCliUI.exe


========== Modules (No Company Name) ==========

MOD - [2011/04/10 08:40:40 | 000,094,208 | ---- | M] () -- C:\Windows\System32\IccLibDll.dll
MOD - [2011/03/16 22:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 13:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll


========== Services (SafeList) ==========

SRV - [2013/07/31 15:01:08 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/07/08 04:16:49 | 004,157,280 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe -- (TeamViewer8)
SRV - [2013/07/01 16:24:15 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2013/07/01 16:24:15 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2013/07/01 16:24:11 | 001,864,888 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2013/07/01 16:24:11 | 000,341,320 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2013/07/01 16:24:09 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2012/09/20 13:28:48 | 030,785,672 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2011/02/21 18:14:48 | 000,072,296 | ---- | M] (O2Micro International) [Auto | Running] -- C:\Windows\System32\drivers\o2flash.exe -- (O2FLASH)
SRV - [2010/02/25 06:04:40 | 000,263,536 | ---- | M] (SAP AG) [Auto | Running] -- C:\Program Files\SAP\SapSetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe -- (NWSAPAutoWorkstationUpdateSvc)
SRV - [2009/11/17 10:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2009/09/18 02:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2009/09/18 02:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2009/07/13 18:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/06/30 14:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - [2013/07/31 13:40:15 | 000,031,560 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2013/07/01 16:24:39 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2013/07/01 16:24:16 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2013/07/01 16:24:16 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2013/07/01 16:24:16 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2013/07/01 16:24:01 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2013/06/17 09:23:20 | 001,611,992 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20130730.032\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/06/17 09:23:20 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2013/06/17 09:23:20 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2013/06/17 09:23:20 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20130730.032\NAVENG.SYS -- (NAVENG)
DRV - [2011/05/01 14:32:08 | 007,513,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwNs32.sys -- (NETwNs32)
DRV - [2011/02/21 18:15:06 | 000,132,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Impcd.sys -- (Impcd)
DRV - [2011/02/21 18:15:00 | 000,012,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tcm.sys -- (tcm)
DRV - [2011/02/21 18:14:54 | 000,284,792 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2011/02/21 18:14:54 | 000,033,832 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV - [2011/02/21 18:14:52 | 000,396,872 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Mbm3DevMt.sys -- (Mbm3DevMt)
DRV - [2011/02/21 18:14:52 | 000,361,032 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Mbm3CBus.sys -- (Mbm3CBus)
DRV - [2011/02/21 18:14:52 | 000,176,384 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwdelser2.sys -- (NWDellPort2)
DRV - [2011/02/21 18:14:52 | 000,176,384 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwdelser.sys -- (NWDellPort)
DRV - [2011/02/21 18:14:52 | 000,026,152 | ---- | M] (Ericsson AB) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wwanussf.sys -- (ecnssndisfltr)
DRV - [2011/02/21 18:14:52 | 000,023,592 | ---- | M] (Ericsson AB) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wwanuss.sys -- (ecnssndis)
DRV - [2011/02/21 18:14:50 | 000,191,488 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwdelserial.sys -- (nwdelserial)
DRV - [2011/02/21 18:14:50 | 000,087,592 | ---- | M] (Ericsson AB) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\d554gps.sys -- (d554gps)
DRV - [2011/02/21 18:14:50 | 000,027,264 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwdelgobi3kfilter.sys -- (nwdelgobi3kfilter)
DRV - [2011/02/21 18:14:48 | 000,141,568 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV - [2011/02/21 18:14:48 | 000,063,848 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\o2sdjw7.sys -- (O2SDJRDR)
DRV - [2011/02/21 18:14:48 | 000,062,440 | ---- | M] (O2Micro ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\O2MDRw7.sys -- (O2MDRRDR)
DRV - [2011/02/21 18:14:48 | 000,062,208 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nusb3hub.sys -- (nusb3hub)
DRV - [2011/02/21 18:14:48 | 000,060,904 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\o2mdfw7.sys -- (O2MDFRDR)
DRV - [2011/02/21 18:14:48 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HECI.sys -- (MEI)
DRV - [2011/02/21 18:14:44 | 000,043,888 | ---- | M] (ST Microelectronics) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelern.sys -- (Acceler)
DRV - [2010/11/20 14:29:34 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 14:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 14:29:03 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 14:29:03 | 000,112,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - [2010/11/20 14:29:03 | 000,077,184 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV - [2010/11/20 14:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dmvsc.sys -- (dmvsc)
DRV - [2010/11/20 14:29:03 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 14:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 14:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 14:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010/11/20 14:29:03 | 000,025,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\terminpt.sys -- (terminpt)
DRV - [2010/11/20 14:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 14:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/10/28 05:41:02 | 000,238,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1c6232.sys -- (e1cexpress)
DRV - [2010/08/20 09:04:38 | 000,017,648 | ---- | M] (ST Microelectronics) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\stdcfltn.sys -- (stdcfltn)
DRV - [2009/11/17 10:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/09/18 02:00:00 | 000,020,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2009/07/13 16:45:20 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\acpials.sys -- (acpials)
DRV - [2009/07/13 16:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2009/07/13 15:02:52 | 000,214,016 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1y6032.sys -- (e1yexpress)
DRV - [2008/11/16 16:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 18:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CC FE E4 A2 40 8E CE 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)



O1 HOSTS File: ([2013/07/31 13:49:26 | 000,000,741 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [GoToMeetingInstall1132] C:\Program Files\Citrix\GoToMeeting\1132\G2MInstaller.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKLM..\Run: [SAP_WUS_UNT] C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe (SAP AG)
O4 - HKLM..\RunOnce: [ASYNCMAC] rundll32.exe streamci,StreamingDeviceSetup {eeab7790-c514-11d1-b42b-00805fc1270e},asyncmac,{ad498944-762f-11d0-8dcb-00c04fc3358c},C:\WINDOWS\INF\netrasa.inf,Ndis-Mp-AsyncMac File not found
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\RunOnce: [Report] \AdwCleaner[S2].txt ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 4
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKLM\..Trusted Domains: 0.0.0.0 ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: finance.turner ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: finance.turner ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: hochtief.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: hochtief.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([turner] http in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([turner] http in Trusted sites)
O15 - HKLM\..Trusted Domains: tcco.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: tcco.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: tcco.com ([netiq] http in Local intranet)
O15 - HKLM\..Trusted Domains: tcco.com ([tkn] http in Local intranet)
O15 - HKLM\..Trusted Domains: turnerbenefits.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: turnerbenefits.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: turnerconstruction.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: turnerknowledge.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: turnerknowledge.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: turneruniversity.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range1 ([https] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range20 ([https] in Trusted sites)
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bit...m/qsax/qsax.cab (Bitdefender QuickScan Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} Reg Error: Value error. (JInitiator 1.3.1.26)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.18.90.13 172.18.2.74 172.18.2.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tcco.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D06E18B0-D264-4A56-8BF0-3CA1A204E072}: DhcpNameServer = 172.18.90.13 172.18.2.74 172.18.2.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DF0BFF22-6A7C-4257-8585-5A3680612D8F}: DhcpNameServer = 172.18.90.13 172.18.2.74 172.18.2.75
O18 - Protocol\Handler\saphtmlp {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP, Walldorf)
O18 - Protocol\Handler\sapr3 {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP, Walldorf)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\WINDOWS\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/07/31 15:45:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/07/31 15:43:15 | 000,181,064 | ---- | C] (Sysinternals) -- C:\WINDOWS\PSEXESVC.EXE
[2013/07/31 15:40:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
[2013/07/31 15:40:31 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2013/07/31 15:17:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Registry Cleaner
[2013/07/31 15:17:06 | 000,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[2013/07/31 15:10:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013/07/31 15:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013/07/31 15:06:25 | 000,000,000 | ---D | C] -- C:\ProgramData\webex
[2013/07/31 15:01:08 | 000,693,976 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/07/31 15:01:08 | 000,073,432 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/07/31 14:56:03 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\synceng.dll
[2013/07/31 14:55:59 | 000,826,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpcore.dll
[2013/07/31 14:54:24 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3r.dll
[2013/07/31 14:54:17 | 000,805,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cdosys.dll
[2013/07/31 14:53:57 | 000,919,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpcorets.dll
[2013/07/31 14:53:17 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-processenvironment-l1-1-0.dll
[2013/07/31 14:53:17 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-libraryloader-l1-1-0.dll
[2013/07/31 14:53:17 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-interlocked-l1-1-0.dll
[2013/07/31 14:53:17 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-string-l1-1-0.dll
[2013/07/31 14:53:16 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-security-base-l1-1-0.dll
[2013/07/31 14:53:16 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-file-l1-1-0.dll
[2013/07/31 14:53:16 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-threadpool-l1-1-0.dll
[2013/07/31 14:53:16 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-processthreads-l1-1-0.dll
[2013/07/31 14:53:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-sysinfo-l1-1-0.dll
[2013/07/31 14:53:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-synch-l1-1-0.dll
[2013/07/31 14:53:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-misc-l1-1-0.dll
[2013/07/31 14:53:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-localregistry-l1-1-0.dll
[2013/07/31 14:53:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-localization-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-xstate-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-namedpipe-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-memory-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-heap-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-util-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-profile-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-io-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-handle-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-fibers-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-errorhandling-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-delayload-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-debug-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-datetime-l1-1-0.dll
[2013/07/31 14:53:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\api-ms-win-core-console-l1-1-0.dll
[2013/07/31 14:53:15 | 000,271,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\conhost.exe
[2013/07/31 14:53:15 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winsrv.dll
[2013/07/31 14:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2013/07/31 14:51:56 | 000,129,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpcorekmts.dll
[2013/07/31 14:51:56 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpwsx.dll
[2013/07/31 14:51:56 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdrmemptylst.exe
[2013/07/31 14:51:41 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\%APPDATA%
[2013/07/31 14:20:54 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/07/31 13:40:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2013/07/31 13:07:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/07/31 13:07:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/07/31 13:07:06 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/07/31 13:07:06 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\Templates
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\Start Menu
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\SendTo
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\Recent
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\PrintHood
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\NetHood
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\My Documents
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\Local Settings
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\Cookies
[2013/07/31 13:06:57 | 000,000,000 | -HSD | C] -- C:\Users\TurnerAdmin\Application Data
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Videos
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Searches
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Saved Games
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Pictures
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Music
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Links
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Favorites
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Downloads
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Documents
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Desktop
[2013/07/31 13:06:56 | 000,000,000 | R--D | C] -- C:\Users\TurnerAdmin\Contacts
[2013/07/31 13:06:56 | 000,000,000 | ---D | C] -- C:\Users\TurnerAdmin\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2013/07/31 13:06:56 | 000,000,000 | ---D | C] -- C:\Users\TurnerAdmin\AppData

========== Files - Modified Within 30 Days ==========

[2013/08/01 07:59:52 | 000,052,237 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013/08/01 07:59:40 | 000,000,393 | ---- | M] () -- C:\WINDOWS\SMSCFG.INI
[2013/08/01 07:59:19 | 000,067,584 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/08/01 07:59:13 | 2548,776,960 | -HS- | M] () -- C:\hiberfil.sys
[2013/07/31 15:53:31 | 000,661,540 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/07/31 15:53:31 | 000,121,290 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/07/31 15:52:26 | 000,019,120 | ---- | M] () -- C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/07/31 15:52:26 | 000,019,120 | ---- | M] () -- C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/07/31 15:45:22 | 000,348,288 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/07/31 15:44:31 | 000,181,064 | ---- | M] (Sysinternals) -- C:\WINDOWS\PSEXESVC.EXE
[2013/07/31 15:22:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/07/31 15:10:19 | 000,001,767 | ---- | M] () -- C:\WINDOWS\MSIOAXMG.mif
[2013/07/31 15:01:08 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/07/31 15:01:08 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/07/31 13:40:15 | 000,031,560 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys

========== Files Created - No Company Name ==========

[2013/07/31 15:10:19 | 000,001,767 | ---- | C] () -- C:\WINDOWS\MSIOAXMG.mif
[2013/07/31 15:01:08 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/07/31 13:40:15 | 000,031,560 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2013/07/31 13:06:56 | 000,000,444 | RHS- | C] () -- C:\Users\TurnerAdmin\ntuser.pol
[2013/07/31 13:06:56 | 000,000,290 | ---- | C] () -- C:\Users\TurnerAdmin\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2013/07/31 13:06:56 | 000,000,272 | ---- | C] () -- C:\Users\TurnerAdmin\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2013/07/01 18:51:21 | 000,000,393 | ---- | C] () -- C:\WINDOWS\SMSCFG.INI
[2013/07/01 18:47:42 | 2548,776,960 | -HS- | C] () -- \hiberfil.sys
[2013/07/01 18:42:03 | 000,012,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\tcm.sys
[2013/07/01 18:40:22 | 000,963,116 | ---- | C] () -- C:\WINDOWS\System32\igkrng600.bin
[2013/07/01 18:40:15 | 000,218,304 | ---- | C] () -- C:\WINDOWS\System32\igfcg600m.bin
[2013/07/01 18:40:15 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2013/07/01 18:40:11 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\igdde32.dll
[2013/07/01 18:40:09 | 000,145,804 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng600.bin
[2013/07/01 18:40:07 | 013,356,032 | ---- | C] () -- C:\WINDOWS\System32\ig4icd32.dll
[2013/07/01 18:40:06 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\IccLibDll.dll
[2013/07/01 16:41:02 | 000,000,827 | ---- | C] () -- C:\WINDOWS\BTI.INI
[2013/07/01 16:41:01 | 000,206,848 | ---- | C] () -- C:\WINDOWS\System32\DBSETUP.EXE
[2013/07/01 16:41:01 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\DBU_UI.DLL
[2013/07/01 16:41:01 | 000,101,888 | ---- | C] () -- C:\WINDOWS\System32\BUTIL.DLL
[2013/07/01 16:41:01 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\WDBUUI32.DLL
[2013/07/01 16:41:01 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\NWLOCALE.DLL
[2013/07/01 16:41:01 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\INETWH16.DLL
[2013/07/01 16:38:59 | 000,320,512 | ---- | C] () -- C:\WINDOWS\System32\W32MKDE.EXE
[2013/07/01 16:38:59 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\W32MKRC.DLL
[2013/07/01 16:15:24 | 001,064,960 | ---- | C] () -- C:\WINDOWS\System32\h5krnl32.dll
[2013/07/01 16:15:24 | 000,188,928 | ---- | C] () -- C:\WINDOWS\System32\h5icon32.dll
[2013/07/01 16:15:24 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\h5menu32.dll
[2013/07/01 16:15:24 | 000,095,744 | ---- | C] () -- C:\WINDOWS\System32\h5rtf32.dll
[2013/07/01 16:15:24 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\h5tool32.dll
[2013/07/01 16:15:24 | 000,002,344 | ---- | C] () -- C:\WINDOWS\saplogon.ini
[2013/07/01 15:52:12 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2011/06/08 09:02:44 | 000,052,237 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/07/13 19:04:04 | 000,000,024 | ---- | C] () -- \autoexec.bat
[2009/07/13 19:04:04 | 000,000,010 | ---- | C] () -- \config.sys
[2002/01/05 01:40:20 | 000,487,424 | ---- | C] () -- \msvcp70.dll

========== ZeroAccess Check ==========

[2009/07/13 21:42:31 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/11/20 14:29:11 | 012,872,192 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 14:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 18:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

Attached Files


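An added example, not part of the post above and not OTL's own code, that triages the ZeroAccess Check block at the end of that log. The security-relevant point of that section is why OTL lists the same CLSID under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE: HKCU\Software\Classes is merged over HKLM\Software\Classes, so a per-user InProcServer32 value silently replaces the DLL every process of that user loads for the CLSID, without touching the protected HKLM key. That is the hijack the check exists to expose. In the log above the HKCU keys are empty and the HKLM servers are Microsoft DLLs under system32, which is the clean state. The script parses OTL's exact line format; the sample block is constructed from the keys in the log plus one made-up hijack line (the user name, GUID and file name in it are invented), and the trusted-path list is my own choice.

```python
r"""Triage the "ZeroAccess Check" block of an OTL log.

Added example; not part of the original post and not OTL's own code.
It parses the [HKEY_...\Software\Classes\clsid\{...}\InProcServer32] headers
and the  "" = <path> -- [<meta>] (<company>)  default-value lines exactly as
OTL prints them, and flags any CLSID whose in-process server is not a
Microsoft DLL under %SystemRoot%\system32 or that is overridden per-user.
"""
import re

HEADER_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\Software\\Classes\\clsid\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\]$",
    re.IGNORECASE,
)
DEFAULT_RE = re.compile(r'^"" = (?P<path>.+?) -- \[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\)$')

# Where the genuine servers for these CLSIDs live (compared case-insensitively).
# Assumption of this example, not something OTL itself checks.
TRUSTED_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_zeroaccess_block(text):
    """Return one dict per CLSID key: hive, clsid, path (None if no default value), company."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"hive": m["hive"].upper(), "clsid": m["clsid"].lower(), "path": None, "company": None}
            entries.append(current)
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            current["path"], current["company"] = m["path"], m["company"]
    return entries


def assess(entries):
    """Attach a verdict ('ok', 'absent' or 'suspicious') and a reason to each entry."""
    for e in entries:
        path = e["path"]
        if path is None:
            # No default value under this key: for the HKCU keys this is the clean state.
            e["verdict"], e["reason"] = "absent", "no InProcServer32 default value"
            continue
        if e["hive"] == "HKEY_CURRENT_USER":
            # HKCU\Software\Classes is merged over HKLM\Software\Classes, so a per-user
            # InProcServer32 replaces the DLL loaded for this CLSID for that user.
            e["verdict"], e["reason"] = "suspicious", "per-user override of a system CLSID: " + path
        elif not path.lower().startswith(TRUSTED_PREFIXES):
            e["verdict"], e["reason"] = "suspicious", "server outside system32: " + path
        elif e["company"] != "Microsoft Corporation":
            e["verdict"], e["reason"] = "suspicious", "unexpected company: %r" % e["company"]
        else:
            e["verdict"], e["reason"] = "ok", "Microsoft DLL in system32"
    return entries


def suspicious_clsids(text):
    """(hive, clsid, reason) for every suspicious entry in an OTL ZeroAccess Check block."""
    return [(e["hive"], e["clsid"], e["reason"])
            for e in assess(parse_zeroaccess_block(text)) if e["verdict"] == "suspicious"]


# Constructed sample: the keys from the log above plus one invented HKCU hijack line.
SAMPLE_LOG = r"""
========== ZeroAccess Check ==========

[2009/07/13 21:42:31 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/11/20 14:29:11 | 012,872,192 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 18:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_CURRENT_USER\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\Users\victim\AppData\Local\{b3a6c2e0-1111-4222-8333-444455556666}\n. -- [2013/07/30 22:11:05 | 000,061,440 | ---- | M] ()
"ThreadingModel" = Both
"""

if __name__ == "__main__":
    for e in assess(parse_zeroaccess_block(SAMPLE_LOG)):
        print(f'{e["verdict"]:10} {e["hive"]:18} {e["clsid"]}  {e["reason"]}')
```

Run it on a saved OTL log by passing the file contents to suspicious_clsids(); an empty result means every listed CLSID resolves to a Microsoft DLL in system32 and no per-user override exists, which is what the log above shows.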


#2 RKinner (Malware Expert, MVP, 24,624 posts)
If you look at your Extras log you will see that the malware is still active:

Error - 7/31/2013 3:58:58 PM | Computer Name = SCALAP0164.tcco.org | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\Users\sfschultz\AppData\Roaming\midefender.exe (PID 3996) Time: Wednesday,
July 31, 2013 12:58:58 PM


midefender.exe is a known variation of the Internet Security malware, so let's try to remove it, then run a few scans:

Copy the text in the code box by highlighting and Ctrl + c


:files
C:\Users\sfschultz\AppData\Roaming\midefender.exe
C:\Users\sfschultz\AppData\Roaming\*.exe

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.
It appears that Old Timer is now hiding the log in c:\_OTL\MovedFiles\08012013-some number.log so look there if you don't see it.


Download aswMBR.exe to your desktop.
Right click aswMBR.exe and Run as Administrator
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan, if the Fix button is enabled (not the FixMBR button), press it, then run a new scan and click Save log; save it to your desktop and post it in your next reply.
If the Fix button is not enabled, just click Save log, save it to your desktop and post it in your next reply.

ComboFix

It must be saved to your desktop; do not run it from your browser.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Right-click on ComboFix and select Run As Administrator to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it by right-clicking and Run As Admin.


If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
before you hit Scan, hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.



Malwarebytes' Anti-Malware
If you have a previous version of MalwareBytes', make sure it updates before running it.
http://www.malwareby...lwarebytes_free

SAVE Malwarebytes' Anti-Malware to your desktop.

* Right-click mbam-setup.exe and select Run As Administrator to start the program.
* follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Download the adwCleaner

  • Run the Tool
    Windows Vista and Windows 7 users:
    Right-click on adwCleaner.exe and select the option
  • Select the Delete button.
  • When the scan completes, it will open a Notepad window.
  • Please copy the content of this file in your next reply.

Start, All Programs, Accessories, then right-click on Command Prompt and Run as Administrator. Then type (with an Enter after each line):

sfc /scannow



(Does this complain that it could not fix all of your files?)


Right-click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next, click on the arrow in front of Windows Logs. Right-click on System and Clear Log, Clear. Repeat for Application.


Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run As Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application. VEW will overwrite the log at C:\vew.txt each time it runs so either post your System results before running VEW for Applications or copy the file c:\vew.txt to a new location.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron
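An added example (not from the post above, nor from OTL or Symantec) that makes the "the malware is still active" reasoning mechanical. OTL's Extras log prints each event as an "Error - <date> | Computer Name = ... | Source = ... | ID = ..." header followed by a wrapped "Description = ..." block; the script re-joins those wrapped lines, pulls the Actor Process out of every Symantec tamper-protection alert, and flags actors running from a user-writable or commonly abused directory such as AppData\Roaming. The usual reason registry values return after every clean is that a still-running process recreates them, and a process that is still trying to terminate ccApp.exe is exactly that. The sample log is constructed: the first record is the one quoted in the post, the other two are made up (a Service Control Manager error to show non-tamper records are skipped, and a Task Manager record to show a benign actor is not flagged). The directory list is my own choice.

```python
r"""Triage Symantec tamper-protection alerts in an OTL Extras event-log dump.

Added example; not part of the original post, of OTL or of Symantec's tooling.
It reassembles OTL's wrapped event records, extracts the actor process from
each SYMANTEC TAMPER PROTECTION ALERT and flags actors that run from a
user-writable (or routinely abused) directory.
"""
import re

RECORD_START = re.compile(
    r"^(?P<level>Error|Warning|Information) - (?P<when>.+?) \| Computer Name = (?P<host>[^|]+?)"
    r" \| Source = (?P<source>[^|]+?) \| ID = (?P<id>\d+)$"
)
TAMPER_RE = re.compile(
    r"TAMPER PROTECTION ALERT\s+Target:\s*(?P<target>.+?)\s+Event Info:\s*(?P<info>.+?)"
    r"\s+Action Taken:\s*(?P<action>.+?)\s+Actor Process:\s*(?P<actor>.+?)\s+\(PID (?P<pid>\d+)\)",
    re.IGNORECASE,
)
# Directories a standard user can write to, or that malware routinely abuses
# (assumption of this example). An AV-tampering process started from one of
# these is almost never legitimate.
ABUSED_DIRS = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")


def parse_records(text):
    """Return (header, description) pairs, re-joining OTL's wrapped description lines."""
    records, header, desc = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_START.match(line)
        if m:
            if header is not None:
                records.append((header, " ".join(desc)))
            header, desc = m.groupdict(), []
        elif header is not None:
            desc.append(line[len("Description = "):] if line.startswith("Description = ") else line)
    if header is not None:
        records.append((header, " ".join(desc)))
    return records


def tamper_alerts(text):
    """One dict per tamper-protection alert, with the actor path and a verdict."""
    alerts = []
    for header, desc in parse_records(text):
        m = TAMPER_RE.search(desc)
        if not m:
            continue
        actor = m["actor"]
        hit = next((d for d in ABUSED_DIRS if d in actor.lower()), None)
        alerts.append({
            "when": header["when"],
            "host": header["host"],
            "target": m["target"],
            "event": m["info"],
            "action": m["action"],
            "actor": actor,
            "pid": int(m["pid"]),
            "active_malware_suspect": hit is not None,
            "reason": ("actor launched from " + hit) if hit else "actor in a program or system directory",
        })
    return alerts


def still_active(text):
    """Actor paths that point at live malware; an empty list means no such alert in the log."""
    return sorted({a["actor"] for a in tamper_alerts(text) if a["active_malware_suspect"]})


# Constructed sample: first record quoted from the thread, the other two invented.
SAMPLE_EXTRAS = r"""
Error - 7/31/2013 3:58:58 PM | Computer Name = SCALAP0164.tcco.org | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\Users\sfschultz\AppData\Roaming\midefender.exe (PID 3996) Time: Wednesday,
July 31, 2013 12:58:58 PM

Error - 7/31/2013 3:40:12 PM | Computer Name = SCALAP0164.tcco.org | Source = Service Control Manager | ID = 7023
Description = The Windows Search service terminated with the following error: %%1067

Error - 7/31/2013 4:02:10 PM | Computer Name = SCALAP0164.tcco.org | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\Windows\System32\taskmgr.exe (PID 2208) Time: Wednesday, July 31, 2013 1:02:10 PM
"""

if __name__ == "__main__":
    for a in tamper_alerts(SAMPLE_EXTRAS):
        flag = "LIVE MALWARE?" if a["active_malware_suspect"] else "ok"
        print(f'{a["when"]}  {a["action"]:8} {a["event"]:18} {a["actor"]} (PID {a["pid"]})  [{flag}] {a["reason"]}')
```

Paste the whole Extras log into still_active(); any path it returns is a process to kill and whose launch point (Run key, scheduled task, startup folder) to remove before registry cleanup can be expected to stick.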

#3 willmon2000 (Topic Starter, Member, 215 posts)
All scans ran successfully!

Attached Files



#4 RKinner (Malware Expert, MVP, 24,624 posts)
Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT



Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron

#5 willmon2000 (Topic Starter, Member, 215 posts)
OTL Extras logfile created on: 8/1/2013 1:52:21 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\sfschultz\Desktop
Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.16 Gb Total Physical Memory | 1.86 Gb Available Physical Memory | 58.92% Memory free
6.33 Gb Paging File | 5.34 Gb Available in Paging File | 84.41% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 118.95 Gb Total Space | 92.83 Gb Free Space | 78.04% Space Free | Partition Type: NTFS

Computer Name: SCALAP0164 | User Name: TurnerAdmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = ComFile] -- "%1" %*
.cpl [@ = cplfile] -- C:\WINDOWS\System32\control.exe (Microsoft Corporation)
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\WINDOWS\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.scr [@ = DWGTrueViewScriptFile] -- "" "%1"

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\System32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- C:\Windows\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"%programfiles%\Altiris\Aclient\AClntusr.exe" = %programfiles%\Altiris\Aclient\AClntusr.exe
"%programfiles%\Microsoft ActiveSync\WCESCOMM.EXE:*:enabled:Connection Manager" = %programfiles%\Microsoft ActiveSync\WCESCOMM.EXE:*:enabled:Connection Manager
"%programfiles%\Microsoft Office\Office11\OUTLOOK.EXE:*:enabled:Outlook" = %programfiles%\Microsoft Office\Office11\OUTLOOK.EXE:*:enabled:Outlook
"%programfiles%\neoteris\secure application manager\gapsvc.exe:*:enabled:ASM Proxy" = %programfiles%\neoteris\secure application manager\gapsvc.exe:*:enabled:ASM Proxy

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"2000:TCP:*:enabled:DA Remote Management" = 2000:TCP:*:enabled:DA Remote Management
"2701:TCP:*:enabled:SCCM Remote Control" = 2701:TCP:*:enabled:SCCM Remote Control
"2702:TCP:*:enabled:SCCM Remote Control" = 2702:TCP:*:enabled:SCCM Remote Control
"2967:TCP:*:enabled:SAV" = 2967:TCP:*:enabled:SAV
"33345:UDP:*:Symantec AntiVirus Corporate Edition" = 33345:UDP:*:Symantec AntiVirus Corporate Edition

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List]
"%programfiles%\Altiris\Aclient\AClntusr.exe" = %programfiles%\Altiris\Aclient\AClntusr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List]
"2000:TCP:*:enabled:DA Remote Management" = 2000:TCP:*:enabled:DA Remote Management
"2967:TCP:*:enabled:SAV" = 2967:TCP:*:enabled:SAV

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{4F67668A-914D-4319-90CD-B05C5280F67F}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{88D9F294-8ACF-4874-9036-ABB71134AE2B}" = lport=3389 | protocol=6 | dir=in | svc=termservice | app=%systemroot%\system32\svchost.exe |
"{F682C3E4-27C6-428A-BDC1-3E7F254F08C3}" = lport=3389 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{14DCBF9E-00F8-4284-AFAA-C54547A6F1FB}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version8\teamviewer_service.exe |
"{259B91CE-D2CD-4B4A-9E88-0CC46FE5762B}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version8\teamviewer_service.exe |
"{318794BB-F280-41AF-B99F-3DAF70E7E40E}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version8\teamviewer_service.exe |
"{427ECFE5-07E0-4911-80F9-45562ADA2F67}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{4852D815-643C-420A-9D8A-720D65264BD5}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
"{77EF1C81-CE32-461D-80BA-F6E22516CF37}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{96C2C765-DAD4-4673-9600-3C87194CEB9C}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version8\teamviewer_service.exe |
"{AB4D3BC4-C0ED-4899-A592-C80871A2C2B9}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version8\teamviewer.exe |
"{B9A2FD32-15B9-4F6A-B2CD-E50FDBB6F2C1}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version8\teamviewer.exe |
"{BDC6E43F-2B2C-42FC-BEB2-E1EBC669BE1E}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
"{CAF93DBC-A79E-4177-8DC6-CA163C04E457}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
"{CCA4A05B-9989-445D-94D3-F6C494888449}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{CCDB71C5-1EE2-4720-B6B6-995BEBFF2ED6}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
"{CD4C2DFC-0BA3-4CB3-A87A-F51318F3A3AC}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version8\teamviewer.exe |
"{DFEC45F6-D99F-4430-8295-F808B0208F5D}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{E06B9599-2837-4283-BB18-BBFAB9B4916E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{F0B4AEC3-E477-404E-BE0F-472E0077D658}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version8\teamviewer.exe |
"{FCD7EBCB-E945-44B9-B06A-C39D987554C2}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B713FB6-CB84-48C0-88B9-3C839F4AF967}" = GoToMeeting 5.5.1132 IT Installer
"{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}" = Turner VPN Client June 2010
"{2609EDF1-34C4-4B03-B634-55F3B3BC4931}" = Configuration Manager Client
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{27EFA494-3C6A-4DC1-A3C0-B2A4A9B6B6ED}" = BPC
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{2EFCC193-D915-4CCB-9201-31773A27BC06}" = Symantec Endpoint Protection
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EFE837C-A05E-49EA-81D7-3A167FA8858F}" = Cisco WebEx Meeting Center for Internet Explorer
"{41A01180-D9FD-3428-9FD6-749F4C637CBF}" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"{41E8192A-115B-473E-8FAA-336F8BC85874}" = RxFilters3D
"{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}" = MSXML4.0 redistributable
"{4E2FDB44-2840-4B09-BAD4-827C465B8226}" = Swiss Fonts
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BF1A952-17D0-4C3A-910D-03C7E13ACEDF}" = Meridian Systems Prolog WebSite 2007 R2 Client
"{6C64AB8C-F78B-45C0-98E3-6DE9702E0225}" = Microsoft Office Live Meeting 2007
"{73A98F4D-0234-4897-A9AE-5AF58950A5C1}" = SAP
"{82965C3C-43ED-4A69-B1D2-FC118197195B}" = Planning and Consolidation Client version for SAP Netweaver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{9CC6F291-506D-450F-9895-93C05142DD27}" =
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2010 Primary Interop Assemblies
"{90140000-1146-0000-0000-0000000FF1CE}" = Microsoft Office 2010 Primary Interop Assemblies
"{9223BBDE-693D-4B5F-A1DE-C40C7D2E4C89}" = Adobe Flash Player 11 ActiveX
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A47A9101-6EB5-4314-BDA1-297880FBB908}" = Microsoft redistributable runtime DLLs VS2008 SP1(x86)
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B4157DE8-01D8-485E-9EE0-FFB021CA76BA}" = Meridian Systems Prolog Website 2007 R2 File Management Control
"{B85C9AAB-3F14-4012-82D5-D58E31C3B022}" = Turner Application Updates Dec 2010
"{BEF5B614-5652-49B5-90A0-7F47DABA0E9F}" = LEGATO EmailXtender Shortcut Addin 4.81
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CAFECAFE-0013-0001-0126-ABCDEFABCDEF}" = Oracle JInitiator 1.3.1.26
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CDAA8E70-36AB-451E-9A6C-23118B5185BD}" = SAPLogon.ini 3_14_12
"{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}" = vcredist_x86
"{E293D740-690F-4451-A536-F09AEB78B7D1}" = Prolog Submittal Registers
"{E42BDBF9-6466-41F5-BD88-E1401DE992C5}" = Turner DeepLinks
"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only
"ESET Online Scanner" = ESET Online Scanner v3
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"InstallShield_{82965C3C-43ED-4A69-B1D2-FC118197195B}" = Planning and Consolidation Client version for SAP Netweaver
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Visual Studio 2010 Tools for Office Runtime (x86)" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"RWD Info Pak - Help Launchpad ActiveX" = RWD Info Pak - Help Launchpad ActiveX
"SAP_ECL" = ECL Viewer
"SAP_JNet" = SAP JNet
"SAP_WUS" = SAPSetup Automatic Workstation Update Service
"SAPBI" = SAP Business Explorer
"SAPGUI710" = SAP GUI for Windows 7.20
"SureTrak 3.0" = SureTrak 3.0
"TeamViewer 8 Host" = TeamViewer 8 Host
"Turner Screen Saver 2009" = Turner Screen Saver 2009
"Tweaking.com - Windows Repair (All in One)" = Tweaking.com - Windows Repair (All in One)

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/31/2013 5:04:48 PM | Computer Name = SCALAP0164.tcco.org | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: C:\Users\sfschultz\AppData\Local\Temp\2045.exe
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 7/31/2013 5:05:02 PM | Computer Name = SCALAP0164.tcco.org | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Maljava in File: C:\Users\sfschultz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\71bc70d3-3993b5bc
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.

Error - 7/31/2013 5:32:49 PM | Computer Name = SCALAP0164.tcco.org | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2013 5:33:38 PM | Computer Name = SCALAP0164.tcco.org | Source = CertEnroll | ID = 39452685
Description =

Error - 7/31/2013 5:33:38 PM | Computer Name = SCALAP0164.tcco.org | Source = AutoEnrollment | ID = 6
Description =

Error - 7/31/2013 5:35:59 PM | Computer Name = SCALAP0164.tcco.org | Source = CertEnroll | ID = 39452685
Description =

Error - 7/31/2013 5:35:59 PM | Computer Name = SCALAP0164.tcco.org | Source = AutoEnrollment | ID = 6
Description =

Error - 7/31/2013 5:59:29 PM | Computer Name = SCALAP0164.tcco.org | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2013 6:00:15 PM | Computer Name = SCALAP0164.tcco.org | Source = CertEnroll | ID = 39452685
Description =

Error - 7/31/2013 6:00:15 PM | Computer Name = SCALAP0164.tcco.org | Source = AutoEnrollment | ID = 6
Description =

[ System Events ]
Error - 7/31/2013 4:57:14 PM | Computer Name = SCALAP0164.tcco.org | Source = DCOM | ID = 10005
Description =

Error - 7/31/2013 4:57:55 PM | Computer Name = SCALAP0164.tcco.org | Source = Microsoft-Windows-GroupPolicy | ID = 1065
Description = The processing of Group Policy failed. Windows could not evaluate
the Windows Management Instrumentation (WMI) filter for the Group Policy object
cn={0C7F96F8-BC70-4584-AB5D-1CE43BB7C930},cn=policies,cn=system,DC=tcco,DC=org.
This could be caused by RSOP being disabled or Windows Management Instrumentation
(WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service
is started and the startup type is set to automatic. New Group Policy objects or
settings will not process until this event has been resolved.

Error - 7/31/2013 4:58:43 PM | Computer Name = SCALAP0164.tcco.org | Source = DCOM | ID = 10009
Description =

Error - 7/31/2013 4:58:44 PM | Computer Name = SCALAP0164.tcco.org | Source = DCOM | ID = 10009
Description =

Error - 7/31/2013 5:00:02 PM | Computer Name = SCALAP0164.tcco.org | Source = Microsoft-Windows-GroupPolicy | ID = 1065
Description = The processing of Group Policy failed. Windows could not evaluate
the Windows Management Instrumentation (WMI) filter for the Group Policy object
cn={0C7F96F8-BC70-4584-AB5D-1CE43BB7C930},cn=policies,cn=system,DC=tcco,DC=org.
This could be caused by RSOP being disabled or Windows Management Instrumentation
(WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service
is started and the startup type is set to automatic. New Group Policy objects or
settings will not process until this event has been resolved.

Error - 7/31/2013 5:33:36 PM | Computer Name = SCALAP0164.tcco.org | Source = DCOM | ID = 10009
Description =

Error - 7/31/2013 5:33:37 PM | Computer Name = SCALAP0164.tcco.org | Source = DCOM | ID = 10009
Description =

Error - 7/31/2013 5:35:18 PM | Computer Name = SCALAP0164.tcco.org | Source = DCOM | ID = 10016
Description =

Error - 7/31/2013 5:35:38 PM | Computer Name = SCALAP0164.tcco.org | Source = DCOM | ID = 10009
Description =

Error - 7/31/2013 5:35:59 PM | Computer Name = SCALAP0164.tcco.org | Source = DCOM | ID = 10009
Description =


< End of report >





Error: Unable to interpret <DRIVES> in the current context!
Error: Unable to interpret <nnetsvcs> in the current context!
Error: Unable to interpret <%SYSTEMDRIVE%\*.exe> in the current context!
Error: Unable to interpret <%systemroot%\assembly\GAC_32\*.ini> in the current context!
Error: Unable to interpret <%systemroot%\assembly\GAC_64\*.ini> in the current context!
Error: Unable to interpret <msconfig> in the current context!
Error: Unable to interpret <safebootminimal> in the current context!
Error: Unable to interpret <safebootnetwork> in the current context!
Error: Unable to interpret <activex> in the current context!
Error: Unable to interpret <drivers32> in the current context!
Error: Unable to interpret <%SYSTEMDRIVE%\*.exe> in the current context!
Error: Unable to interpret <%ALLUSERSPROFILE%\Application Data\*.exe> in the current context!
Error: Unable to interpret <%APPDATA%\*.> in the current context!
Error: Unable to interpret </md5start> in the current context!
Error: Unable to interpret <pnrpnsp.dll > in the current context!
Error: Unable to interpret <nwprovau.dll> in the current context!
Error: Unable to interpret <nlaapi.dll> in the current context!
Error: Unable to interpret <napinsp.dll> in the current context!
Error: Unable to interpret <mswsock.dll> in the current context!
Error: Unable to interpret <winrnr.dll> in the current context!
Error: Unable to interpret <wshelper.dll> in the current context!
Error: Unable to interpret <services.exe> in the current context!
Error: Unable to interpret <atapi.sys> in the current context!
Error: Unable to interpret <explorer.exe> in the current context!
Error: Unable to interpret <winlogon.exe> in the current context!
Error: Unable to interpret <Userinit.exe> in the current context!
Error: Unable to interpret <svchost.exe> in the current context!
Error: Unable to interpret <csrss.exe> in the current context!
Error: Unable to interpret <PrintIsolationHost.exe> in the current context!
Error: Unable to interpret <consrv.dll> in the current context!
Error: Unable to interpret </md5stop> in the current context!
Error: Unable to interpret <%systemroot%\*. /mp /s> in the current context!
Error: Unable to interpret <hklm\software\clients\startmenuinternet|command /rs> in the current context!
Error: Unable to interpret <hklm\software\clients\startmenuinternet|command /64 /rs> in the current context!
Error: Unable to interpret <%systemroot%\system32\*.dll /lockedfiles> in the current context!
Error: Unable to interpret <%systemroot%\Tasks\*.job /lockedfiles> in the current context!
Error: Unable to interpret <%systemdrive%\$Recycle.Bin|@;true;true;true /fp> in the current context!
Error: Unable to interpret <%systemroot%\system32\drivers\*.sys /lockedfiles> in the current context!
Error: Unable to interpret <CREATERESTOREPOINT> in the current context!

OTL by OldTimer - Version 3.2.69.0 log created on 08012013_141754
  • 0

#6
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP

Error - 7/31/2013 5:05:02 PM | Computer Name = SCALAP0164.tcco.org | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Maljava in File: C:\Users\sfschultz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\71bc70d3-3993b5bc
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.


You do not have the latest Java, so you may be getting reinfected that way.

Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml


First go into Control Panel, Add/Remove Software (XP) or Programs and Features (Vista/Win 7) and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 14

Java has been very vulnerable to infection so unless you absolutely need it you should not reinstall it.

If you feel you must have Java:
Get the latest Java at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.
Once installed, go into Control Panel, Java, Security and set the slider to the Highest then OK.

(If you also want the 64 bit version then use the 64 bit version of IE to get it.)


Also your Adobe Reader is way out of date and very vulnerable and may be helping with the reinfection:

Uninstall

Adobe Reader 9.2

Download the latest Reader from Adobe.com. Be sure to uncheck the foistware before downloading. We don't need an Ask toolbar or McAfee Security Scan or similar.

Once you have Adobe Reader, run it and go to Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK, then close the program.

You are getting errors from Cvusbdrv.sys, which is part of something called Broadcom Credential Vault USB driver. Not sure what this is or why it is running as it is not in the install list.

Get autoruns from
http://live.sysinter...om/autoruns.exe

Download, save and run the program by right-clicking it and choosing Run As Admin. File, Save, to your desktop, autoruns.arn, OK.

Either zip up the file if you have the ability (7-zip works nicely) or just rename it from autoruns.arn to autoruns.txt then ATTACH it. Do not copy and paste.

Something went wrong with the OTL scan last time. It's like you hit the wrong button (Run Fix instead of Run Scan).


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

then Run Scan.

You should get one log. Please copy and paste it.
  • 0
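As an added example (my code, not RKinner's and not part of OTL or Autoruns), this PowerShell automates the Programs and Features check above: it pulls installed Java runtimes from the Uninstall registry keys, flags any older than a baseline version you set, and reports how much sits in the Java deployment cache the Symantec event pointed at. The name regexes, the 7.0.250 baseline and the cache path under the current user's profile are assumptions.

```powershell
# Added example, not from the thread: enumerate installed Java runtimes from the
# Uninstall keys (what Programs and Features displays), flag stale ones, and size
# the Java deployment cache seen in the Symantec Trojan.Maljava event in the OTL log.

# Name fragments from RKinner's alias list, tightened to regexes so unrelated
# "Runtime" or "VM" entries (e.g. Visual C++ redistributables) do not match.
$JavaNamePatterns = @(
    '^Java\b', 'Java Runtime', 'Runtime Environment', '\bJRE\b',
    'Java Virtual Machine', 'Java VM', '\bJVM\b', '\bJ2RE\b', '\bJ2SE\b'
)

# Both registry views; the WOW6432Node branch only exists on 64-bit Windows.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if (-not $p.DisplayName) { continue }
            $hit = $JavaNamePatterns | Where-Object { $p.DisplayName -match $_ }
            if ($hit) {
                [pscustomobject]@{
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    UninstallString = $p.UninstallString
                    Key             = $key.PSChildName   # e.g. the {GUID} seen in the OTL Uninstall list
                }
            }
        }
    }
}

function Test-StaleJava {
    # Baseline is an assumption; set it to whatever release is current when you run this.
    param([version]$MinimumVersion = '7.0.250')
    Get-InstalledJava | Select-Object *, @{
        Name = 'Stale'
        Expression = {
            $v = $null
            # A missing or unparseable DisplayVersion is treated as stale so it gets reviewed.
            (-not [version]::TryParse([string]$_.Version, [ref]$v)) -or ($v -lt $MinimumVersion)
        }
    }
}

function Get-JavaCacheFootprint {
    # Cache location as it appears in the Symantec event, under the current user's profile.
    $cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
    if (-not (Test-Path $cache)) { return [pscustomobject]@{ Path = $cache; Files = 0; MB = 0 } }
    $files = Get-ChildItem -Path $cache -Recurse -File -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path  = $cache
        Files = ($files | Measure-Object).Count
        MB    = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum / 1MB), 1)
    }
}

Test-StaleJava | Format-Table Name, Version, Stale, UninstallString -AutoSize
Get-JavaCacheFootprint
```

Reading HKLM and the user's own cache needs no elevation; an entry such as Java 6 Update 14 (DisplayVersion 6.0.140) shows as Stale against the baseline.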

#7
willmon2000
    Member
  • Topic Starter
  • Member
  • 215 posts
Error: Unable to interpret <DRIVES > in the current context!
Error: Unable to interpret <nnetsvcs > in the current context!
Error: Unable to interpret <%SYSTEMDRIVE%\*.exe > in the current context!
Error: Unable to interpret <%systemroot%\assembly\GAC_32\*.ini > in the current context!
Error: Unable to interpret <%systemroot%\assembly\GAC_64\*.ini > in the current context!
Error: Unable to interpret <msconfig > in the current context!
Error: Unable to interpret <safebootminimal > in the current context!
Error: Unable to interpret <safebootnetwork > in the current context!
Error: Unable to interpret <activex > in the current context!
Error: Unable to interpret <drivers32 > in the current context!
Error: Unable to interpret <%SYSTEMDRIVE%\*.exe > in the current context!
Error: Unable to interpret <%ALLUSERSPROFILE%\Application Data\*.exe > in the current context!
Error: Unable to interpret <%APPDATA%\*. > in the current context!
Error: Unable to interpret </md5start > in the current context!
Error: Unable to interpret <pnrpnsp.dll > in the current context!
Error: Unable to interpret <nwprovau.dll > in the current context!
Error: Unable to interpret <nlaapi.dll > in the current context!
Error: Unable to interpret <napinsp.dll > in the current context!
Error: Unable to interpret <mswsock.dll > in the current context!
Error: Unable to interpret <winrnr.dll > in the current context!
Error: Unable to interpret <wshelper.dll > in the current context!
Error: Unable to interpret <services.exe > in the current context!
Error: Unable to interpret <atapi.sys > in the current context!
Error: Unable to interpret <explorer.exe > in the current context!
Error: Unable to interpret <winlogon.exe > in the current context!
Error: Unable to interpret <Userinit.exe > in the current context!
Error: Unable to interpret <svchost.exe > in the current context!
Error: Unable to interpret <csrss.exe > in the current context!
Error: Unable to interpret <PrintIsolationHost.exe > in the current context!
Error: Unable to interpret <consrv.dll > in the current context!
Error: Unable to interpret </md5stop > in the current context!
Error: Unable to interpret <%systemroot%\*. /mp /s > in the current context!
Error: Unable to interpret <hklm\software\clients\startmenuinternet|command /rs > in the current context!
Error: Unable to interpret <hklm\software\clients\startmenuinternet|command /64 /rs > in the current context!
Error: Unable to interpret <%systemroot%\system32\*.dll /lockedfiles > in the current context!
Error: Unable to interpret <%systemroot%\Tasks\*.job /lockedfiles > in the current context!
Error: Unable to interpret <%systemdrive%\$Recycle.Bin|@;true;true;true /fp > in the current context!
Error: Unable to interpret <%systemroot%\system32\drivers\*.sys /lockedfiles > in the current context!
Error: Unable to interpret <CREATERESTOREPOINT> in the current context!

OTL by OldTimer - Version 3.2.69.0 log created on 08012013_154621
  • 0

#8
willmon2000
    Member
  • Topic Starter
  • Member
  • 215 posts
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" "" "8/1/2013 1:31 PM"
+ "Adobe ARM" "Adobe Reader and Acrobat Manager" "Adobe Systems Incorporated" "c:\program files\common files\adobe\arm\1.0\adobearm.exe" "9/4/2009 12:05 PM"
+ "Adobe Reader Speed Launcher" "Adobe Acrobat SpeedLauncher" "Adobe Systems Incorporated" "c:\program files\adobe\reader 9.0\reader\reader_sl.exe" "10/3/2009 4:08 AM"
+ "Apoint" "Alps Pointing-device Driver" "Alps Electric Co., Ltd." "c:\program files\delltpad\apoint.exe" "1/4/2011 4:48 PM"
+ "BCSSync" "Microsoft Office 2010 component" "Microsoft Corporation" "c:\program files\microsoft office\office14\bcssync.exe" "3/13/2010 2:54 PM"
+ "ccApp" "Symantec User Session" "Symantec Corporation" "c:\program files\common files\symantec shared\ccapp.exe" "7/8/2009 6:57 PM"
+ "GoToMeetingInstall1132" "GoToMeeting" "Citrix Online, a division of Citrix Systems, Inc." "c:\program files\citrix\gotomeeting\1132\g2minstaller.exe" "2/12/2013 2:33 PM"
+ "HotKeysCmds" "hkcmd Module" "Intel Corporation" "c:\windows\system32\hkcmd.exe" "4/10/2011 11:07 AM"
+ "IgfxTray" "igfxTray Module" "Intel Corporation" "c:\windows\system32\igfxtray.exe" "4/10/2011 11:07 AM"
+ "Persistence" "persistence Module" "Intel Corporation" "c:\windows\system32\igfxpers.exe" "4/10/2011 11:07 AM"
+ "SAP_WUS_UNT" "Sap Frontend Software Installation SAPSetup Automatic Workstation Update Tool" "SAP AG" "c:\program files\sap\sapsetup\setup\updater\nwsapsetupusernotificationtool.exe" "2/25/2010 12:00 AM"
+ "SunJavaUpdateSched" "Java™ Update Scheduler" "Oracle Corporation" "c:\program files\common files\java\java update\jusched.exe" "3/12/2013 8:32 AM"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "" "" "" "8/1/2013 1:31 PM"
+ "iessetup" "" "Microsoft Corporation" "c:\program files\internet explorer\iessetup.dll" "7/13/2009 4:21 PM"
+ "Malwarebytes Anti-Malware" "Malwarebytes Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamgui.exe" "2/28/2013 1:39 PM"
+ "wmssetup" "" "Microsoft Corporation" "c:\program files\windows media player\wmssetup.dll" "7/13/2009 4:21 PM"
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" "" "" "" "7/1/2013 4:19 PM"
+ "VPN Client.lnk" "" "" "c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\icon3e5562ed7.ico" "8/22/1997 8:56 AM"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" "" "7/1/2013 4:48 PM"
+ "GoToMeeting" "GoToMeeting" "Citrix Online, a division of Citrix Systems, Inc." "c:\program files\citrix\gotomeeting\1132\g2mstart.exe" "2/12/2013 2:33 PM"
"HKLM\SOFTWARE\Classes\Protocols\Filter" "" "" "" "7/31/2013 3:44 PM"
+ "text/xml" "Microsoft Office XML MIME Filter" "Microsoft Corporation" "c:\program files\common files\microsoft shared\office14\msoxmlmf.dll" "2/28/2010 2:13 AM"
"HKLM\SOFTWARE\Classes\Protocols\Handler" "" "" "" "7/31/2013 3:44 PM"
+ "ms-help" "Microsoft® Help Data Services Module" "Microsoft Corporation" "c:\program files\common files\microsoft shared\help\hxds.dll" "5/23/2009 1:43 AM"
+ "saphtmlp" "SAP HTML Pluggable Protocol" "SAP, Walldorf" "c:\program files\sap\frontend\sapgui\saphtmlp.dll" "2/25/2010 9:02 PM"
+ "sapr3" "SAP HTML Pluggable Protocol" "SAP, Walldorf" "c:\program files\sap\frontend\sapgui\saphtmlp.dll" "2/25/2010 9:02 PM"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" "" "" "" "8/1/2013 3:44 PM"
+ "Groove GFS Stub Execution Hook" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" "" "7/13/2009 9:41 PM"
+ "LDVPMenu" "Symantec AntiVirus" "Symantec Corporation" "c:\program files\symantec\symantec endpoint protection\vpshell2.dll" "9/17/2009 6:47 PM"
+ "XXX Groove GFS Context Menu Handler XXX" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
"HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers" "" "" "" "7/31/2013 3:43 PM"
+ "LDVPMenu" "Symantec AntiVirus" "Symantec Corporation" "c:\program files\symantec\symantec endpoint protection\vpshell2.dll" "9/17/2009 6:47 PM"
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" "" "7/31/2013 3:43 PM"
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll" "2/28/2013 1:39 PM"
+ "XXX Groove GFS Context Menu Handler XXX" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" "" "7/31/2013 3:43 PM"
+ "XXX Groove GFS Context Menu Handler XXX" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" "" "7/31/2013 3:43 PM"
+ "Gadgets" "Sidebar droptarget" "Microsoft Corporation" "c:\program files\windows sidebar\sbdrop.dll" "7/13/2009 6:09 PM"
+ "igfxcui" "igfxpph Module" "Intel Corporation" "c:\windows\system32\igfxpph.dll" "4/10/2011 11:07 AM"
+ "XXX Groove GFS Context Menu Handler XXX" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" "" "7/31/2013 3:43 PM"
+ "PDF Shell Extension" "PDF Shell Extension" "Adobe Systems, Inc." "c:\program files\common files\adobe\acrobat\activex\pdfshell.dll" "2/27/2009 1:16 PM"
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" "" "7/31/2013 3:43 PM"
+ "LDVPMenu" "Symantec AntiVirus" "Symantec Corporation" "c:\program files\symantec\symantec endpoint protection\vpshell2.dll" "9/17/2009 6:47 PM"
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll" "2/28/2013 1:39 PM"
+ "XXX Groove GFS Context Menu Handler XXX" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" "" "8/1/2013 3:44 PM"
+ "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
+ "Groove Explorer Icon Overlay 2 (GFS Stub)" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
+ "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
+ "Groove Explorer Icon Overlay 3 (GFS Folder)" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
+ "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" "" "8/1/2013 3:44 PM"
+ "Adobe PDF Link Helper" "Adobe PDF Helper for Internet Explorer" "Adobe Systems Incorporated" "c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll" "2/27/2009 1:07 PM"
+ "Groove GFS Browser Helper" "Microsoft SharePoint Workspace Extensions" "Microsoft Corporation" "c:\program files\microsoft office\office14\grooveex.dll" "8/15/2012 10:39 PM"
+ "Java™ Plug-In 2 SSV Helper" "Java™ Platform SE binary" "Oracle Corporation" "c:\program files\java\jre7\bin\jp2ssv.dll" "6/21/2013 1:51 PM"
+ "Java™ Plug-In SSV Helper" "Java™ Platform SE binary" "Oracle Corporation" "c:\program files\java\jre7\bin\ssv.dll" "6/21/2013 1:50 PM"
+ "Office Document Cache Handler" "Microsoft Office Document Cache Handler" "Microsoft Corporation" "c:\program files\microsoft office\office14\urlredir.dll" "12/20/2010 6:04 PM"
"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" "" "8/1/2013 1:30 PM"
+ "OneNote Lin&ked Notes" "Microsoft OneNote Internet Explorer Add-in" "Microsoft Corporation" "c:\program files\microsoft office\office14\onbttnielinkednotes.dll" "12/20/2010 8:05 PM"
+ "Se&nd to OneNote" "Microsoft OneNote Internet Explorer Add-in" "Microsoft Corporation" "c:\program files\microsoft office\office14\onbttnie.dll" "6/8/2011 2:10 PM"
"Task Scheduler" "" "" "" ""
+ "\Microsoft\Windows\NetTrace\GatherNetworkInfo" "" "" "c:\windows\system32\gathernetworkinfo.vbs" "6/10/2009 2:19 PM"
+ "\Microsoft\Windows\Windows Media Sharing\UpdateLibrary" "Windows Media Player Network Sharing Service Configuration Application" "Microsoft Corporation" "c:\program files\windows media player\wmpnscfg.exe" "7/13/2009 5:09 PM"
"HKLM\System\CurrentControlSet\Services" "" "" "" "7/31/2013 3:43 PM"
+ "AdobeFlashPlayerUpdateSvc" "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes." "Adobe Systems Incorporated" "c:\windows\system32\macromed\flash\flashplayerupdateservice.exe" "2/28/2013 7:40 PM"
+ "ccEvtMgr" "Event propagation and logging service" "Symantec Corporation" "c:\program files\common files\symantec shared\ccsvchst.exe" "7/8/2009 6:54 PM"
+ "ccSetMgr" "Settings storage and management service" "Symantec Corporation" "c:\program files\common files\symantec shared\ccsvchst.exe" "7/8/2009 6:54 PM"
+ "CVPND" "Cisco Systems VPN Client" "Cisco Systems, Inc." "c:\program files\cisco systems\vpn client\cvpnd.exe" "11/17/2009 12:06 PM"
+ "LiveUpdate" "LiveUpdate Core Engine" "Symantec Corporation" "c:\program files\symantec\liveupdate\lucomserver_3_3.exe" "6/30/2008 4:32 PM"
+ "Microsoft SharePoint Workspace Audit Service" "Microsoft SharePoint Workspace" "Microsoft Corporation" "c:\program files\microsoft office\office14\groove.exe" "9/20/2012 6:18 AM"
+ "NWSAPAutoWorkstationUpdateSvc" "SAPSetup Automatic Workstation Update Service" "SAP AG" "c:\program files\sap\sapsetup\setup\updater\nwsapautoworkstationupdateservice.exe" "2/25/2010 12:00 AM"
+ "O2FLASH" "O2 Flash Memory Service" "O2Micro International" "c:\windows\system32\drivers\o2flash.exe" "10/18/2006 11:41 PM"
+ "ose" "Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports." "Microsoft Corporation" "c:\program files\common files\microsoft shared\source engine\ose.exe" "1/9/2010 9:16 PM"
+ "osppsvc" "Office Software Protection Platform Service (unlocalized description)" "Microsoft Corporation" "c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe" "8/11/2009 6:49 PM"
+ "SmcService" "Provides communication with the Symantec Endpoint Protection Manager. It also provides network threat protection and application and device control for the client." "Symantec Corporation" "c:\program files\symantec\symantec endpoint protection\smc.exe" "9/17/2009 5:42 PM"
+ "smstsmgr" "SMS client agent for task sequence execution" "" "c:\windows\system32\ccm\tsmanager.exe" ""
+ "Symantec AntiVirus" "Provides virus-scanning for Symantec Endpoint Protection." "Symantec Corporation" "c:\program files\symantec\symantec endpoint protection\rtvscan.exe" "9/17/2009 5:55 PM"
+ "TeamViewer8" "TeamViewer Remote Software" "TeamViewer GmbH" "c:\program files\teamviewer\version8\teamviewer_service.exe" "7/8/2013 4:15 AM"
+ "WinDefend" "Protection against spyware and potentially unwanted software" "Microsoft Corporation" "c:\program files\windows defender\mpsvc.dll" "7/13/2009 6:07 PM"
+ "WMPNetworkSvc" "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play" "Microsoft Corporation" "c:\program files\windows media player\wmpnetwk.exe" "11/20/2010 3:36 AM"
"HKLM\System\CurrentControlSet\Services" "" "" "" "7/31/2013 3:43 PM"
+ "Acceler" "Accelerometer Port I/O" "ST Microelectronics" "c:\windows\system32\drivers\accelern.sys" "12/13/2010 10:33 AM"
+ "adp94xx" "Adaptec Windows SAS/SATA Storport Driver" "Adaptec, Inc." "c:\windows\system32\drivers\adp94xx.sys" "12/5/2008 4:59 PM"
+ "adpahci" "Adaptec Windows SATA Storport Driver" "Adaptec, Inc." "c:\windows\system32\drivers\adpahci.sys" "5/1/2007 10:29 AM"
+ "adpu320" "Adaptec StorPort Ultra320 SCSI Driver" "Adaptec, Inc." "c:\windows\system32\drivers\adpu320.sys" "2/27/2007 5:03 PM"
+ "aic78xx" "Adaptec Ultra SCSI miniport" "Adaptec, Inc." "c:\windows\system32\drivers\djsvs.sys" "4/11/2006 5:20 PM"
+ "aliide" "ALi mini IDE Driver" "Acer Laboratories Inc." "c:\windows\system32\drivers\aliide.sys" "7/13/2009 4:11 PM"
+ "amdsata" "AHCI 1.2 Device Driver" "Advanced Micro Devices" "c:\windows\system32\drivers\amdsata.sys" "3/18/2010 6:08 PM"
+ "amdsbs" "AMD Technology AHCI Compatible Controller Driver for Windows family" "AMD Technologies Inc." "c:\windows\system32\drivers\amdsbs.sys" "3/20/2009 11:35 AM"
+ "amdxata" "Storage Filter Driver" "Advanced Micro Devices" "c:\windows\system32\drivers\amdxata.sys" "3/19/2010 9:19 AM"
+ "ApfiltrService" "Alps Touch Pad Driver" "Alps Electric Co., Ltd." "c:\windows\system32\drivers\apfiltr.sys" "1/5/2011 7:41 PM"
+ "arc" "Adaptec RAID Storport Driver" "Adaptec, Inc." "c:\windows\system32\drivers\arc.sys" "5/24/2007 2:31 PM"
+ "arcsas" "Adaptec SAS RAID WS03 Driver" "Adaptec, Inc." "c:\windows\system32\drivers\arcsas.sys" "1/14/2009 12:26 PM"
+ "b06bdrv" "Broadcom NetXtreme II GigE VBD" "Broadcom Corporation" "c:\windows\system32\drivers\bxvbdx.sys" "2/13/2009 3:10 PM"
+ "b57nd60x" "Broadcom NetXtreme Gigabit Ethernet NDIS6.x Unified Driver." "Broadcom Corporation" "c:\windows\system32\drivers\b57nd60x.sys" "4/26/2009 4:15 AM"
+ "BCM43XX" "Broadcom 802.11 Network Adapter wireless driver" "Broadcom Corporation" "c:\windows\system32\drivers\bcmwl6.sys" "3/26/2009 5:58 PM"
+ "BrFiltLo" "Windows ME USB Mass-Storage Bulk-Only Lower Filter Driver" "Brother Industries, Ltd." "c:\windows\system32\drivers\brfiltlo.sys" "8/6/2006 2:33 PM"
+ "BrFiltUp" "Windows ME USB Mass-Storage Bulk-Only Upper Filter Driver" "Brother Industries, Ltd." "c:\windows\system32\drivers\brfiltup.sys" "8/6/2006 2:33 PM"
+ "Brserid" "Brotehr Serial I/F Driver (WDM)" "Brother Industries Ltd." "c:\windows\system32\drivers\brserid.sys" "8/6/2006 2:33 PM"
+ "BrSerWdm" "Brother Serial driver (WDM version)" "Brother Industries Ltd." "c:\windows\system32\drivers\brserwdm.sys" "8/6/2006 2:33 PM"
+ "BrUsbMdm" "Brother USB MDM Driver " "Brother Industries Ltd." "c:\windows\system32\drivers\brusbmdm.sys" "8/6/2006 2:33 PM"
+ "BrUsbSer" "Brother USB Serial Driver" "Brother Industries Ltd." "c:\windows\system32\drivers\brusbser.sys" "8/9/2006 5:02 AM"
+ "catchme" "" "" "File not found: C:\Users\TURNER~1\AppData\Local\Temp\catchme.sys" ""
+ "cmdide" "CMD PCI IDE Bus Driver" "CMD Technology, Inc." "c:\windows\system32\drivers\cmdide.sys" "7/13/2009 4:11 PM"
+ "CVirtA" "Cisco Systems VPN Adapter" "Cisco Systems, Inc." "c:\windows\system32\drivers\cvirta.sys" "1/18/2007 1:28 PM"
+ "CVPNDRVA" "Cisco Systems VPN Client IPSec Driver" "Cisco Systems, Inc." "c:\windows\system32\drivers\cvpndrva.sys" "11/17/2009 12:07 PM"
+ "cvusbdrv" "Broadcom Credential Vault USB Driver" "Broadcom Corporation" "c:\windows\system32\drivers\cvusbdrv.sys" "10/29/2009 11:37 AM"
+ "d554gps" "Dell Wireless HSPA Mini-Card GPS Port" "Ericsson AB" "c:\windows\system32\drivers\d554gps.sys" "12/1/2010 7:55 AM"
+ "DNE" "Deterministic Network Enhancer" "Deterministic Networks, Inc." "c:\windows\system32\drivers\dne2000.sys" "11/10/2008 5:59 PM"
+ "e1cexpress" "Intel® Gigabit Adapter NDIS 6.x driver" "Intel Corporation" "c:\windows\system32\drivers\e1c6232.sys" "10/28/2010 8:40 AM"
+ "e1yexpress" "Intel® Gigabit Network Connection NDIS 6 deserialized driver" "Intel Corporation" "c:\windows\system32\drivers\e1y6032.sys" "8/18/2008 2:44 PM"
+ "ebdrv" "Broadcom NetXtreme II 10 GigE VBD" "Broadcom Corporation" "c:\windows\system32\drivers\evbdx.sys" "12/31/2008 9:06 AM"
+ "ecnssndis" "Ericsson WWAN Selective suspend Device Driver" "Ericsson AB" "c:\windows\system32\drivers\wwanuss.sys" "11/19/2009 1:39 AM"
+ "ecnssndisfltr" "Ericsson WWAN Selective suspend Filter Driver" "Ericsson AB" "c:\windows\system32\drivers\wwanussf.sys" "11/19/2009 1:39 AM"
+ "eeCtrl" "Symantec Eraser Control Driver" "Symantec Corporation" "c:\program files\common files\symantec shared\eengine\eectrl.sys" "7/31/2012 4:33 PM"
+ "elxstor" "Storport Miniport Driver for LightPulse HBAs" "Emulex" "c:\windows\system32\drivers\elxstor.sys" "2/3/2009 3:09 PM"
+ "EraserUtilRebootDrv" "Symantec Eraser Utility Driver" "Symantec Corporation" "c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys" "7/31/2012 4:33 PM"
+ "hcw85cir" "Hauppauge WinTV 885 Consumer IR Driver for eHome" "Hauppauge Computer Works, Inc." "c:\windows\system32\drivers\hcw85cir.sys" "5/11/2009 12:22 AM"
+ "HpSAMD" "Smart Array SAS/SATA Controller Media Driver" "Hewlett-Packard Company" "c:\windows\system32\drivers\hpsamd.sys" "5/18/2009 4:42 PM"
+ "iaStorV" "Intel Matrix Storage Manager driver - ia32" "Intel Corporation" "c:\windows\system32\drivers\iastorv.sys" "6/10/2010 5:45 PM"
+ "igfx" "Intel Graphics Kernel Mode Driver" "Intel Corporation" "c:\windows\system32\drivers\igdkmd32.sys" "4/10/2011 11:44 AM"
+ "iirsp" "Intel/ICP Raid Storport Driver" "Intel Corp./ICP vortex GmbH" "c:\windows\system32\drivers\iirsp.sys" "12/13/2005 2:48 PM"
+ "Impcd" "Intel® Turbo Boost Technology Driver" "Intel Corporation" "c:\windows\system32\drivers\impcd.sys" "2/26/2010 4:31 PM"
+ "LSI_FC" "LSI Fusion-MPT FC Driver (StorPort)" "LSI Corporation" "c:\windows\system32\drivers\lsi_fc.sys" "12/9/2008 3:28 PM"
+ "LSI_SAS" "LSI Fusion-MPT SAS Driver (StorPort)" "LSI Corporation" "c:\windows\system32\drivers\lsi_sas.sys" "5/18/2009 5:19 PM"
+ "LSI_SAS2" "LSI SAS Gen2 Driver (StorPort)" "LSI Corporation" "c:\windows\system32\drivers\lsi_sas2.sys" "5/18/2009 5:31 PM"
+ "LSI_SCSI" "LSI Fusion-MPT SCSI Driver (StorPort)" "LSI Corporation" "c:\windows\system32\drivers\lsi_scsi.sys" "4/16/2009 3:14 PM"
+ "mbamchameleon" "" "" "c:\windows\system32\drivers\mbamchameleon.sys" "10/22/2012 3:41 PM"
+ "Mbm3CBus" "F3607gw Mobile Broadband Device Driver" "MCCI Corporation" "c:\windows\system32\drivers\mbm3cbus.sys" "10/31/2010 1:06 PM"
+ "Mbm3DevMt" "Dell Wireless HSPA Mini-Card Device Management Driver (WDM)" "MCCI Corporation" "c:\windows\system32\drivers\mbm3devmt.sys" "10/31/2010 1:15 PM"
+ "megasas" "MEGASAS RAID Controller Driver for Windows 7 for x86" "LSI Corporation" "c:\windows\system32\drivers\megasas.sys" "5/18/2009 6:09 PM"
+ "MegaSR" "LSI MegaRAID Software RAID Driver" "LSI Corporation, Inc." "c:\windows\system32\drivers\megasr.sys" "5/18/2009 6:25 PM"
+ "MEI" "Intel® Management Engine Interface" "Intel Corporation" "c:\windows\system32\drivers\heci.sys" "10/19/2010 4:33 PM"
+ "NAVENG" "AV Engine" "Symantec Corporation" "c:\programdata\symantec\definitions\virusdefs\20130801.004\naveng.sys" "4/25/2013 10:27 PM"
+ "NAVEX15" "AV Engine" "Symantec Corporation" "c:\programdata\symantec\definitions\virusdefs\20130801.004\navex15.sys" "4/25/2013 10:25 PM"
+ "NETwNs32" "Intel® Wireless WiFi Link Driver" "Intel Corporation" "c:\windows\system32\drivers\netwns32.sys" "5/1/2011 2:31 PM"
+ "nfrd960" "IBM ServeRAID Controller Driver" "IBM Corporation" "c:\windows\system32\drivers\nfrd960.sys" "6/6/2006 2:12 PM"
+ "nusb3hub" "USB 3.0 Hub Driver" "Renesas Electronics Corporation" "c:\windows\system32\drivers\nusb3hub.sys" "11/18/2010 6:34 PM"
+ "nusb3xhc" "USB 3.0 Host Controller Driver" "Renesas Electronics Corporation" "c:\windows\system32\drivers\nusb3xhc.sys" "11/18/2010 6:34 PM"
+ "nvraid" "NVIDIA® nForce™ RAID Driver" "NVIDIA Corporation" "c:\windows\system32\drivers\nvraid.sys" "3/19/2010 2:00 PM"
+ "nvstor" "NVIDIA® nForce™ Sata Performance Driver" "NVIDIA Corporation" "c:\windows\system32\drivers\nvstor.sys" "3/19/2010 1:51 PM"
+ "nwdelgobi3kfilter" "Filter Driver for the Novatel Wireless USB Driver Stack" "Novatel Wireless Inc" "c:\windows\system32\drivers\nwdelgobi3kfilter.sys" "11/12/2010 6:25 PM"
+ "NWDellPort" "Novatel Wireless USB Modem/Serial Device Driver" "Novatel Wireless Inc." "c:\windows\system32\drivers\nwdelser.sys" "4/22/2010 4:02 PM"
+ "NWDellPort2" "Novatel Wireless USB Modem/Serial Device Driver" "Novatel Wireless Inc." "c:\windows\system32\drivers\nwdelser2.sys" "4/22/2010 4:02 PM"
+ "nwdelserial" "Novatel Wireless USB Modem/Serial Device Driver" "Novatel Wireless Inc." "c:\windows\system32\drivers\nwdelserial.sys" "12/14/2010 3:55 PM"
+ "O2MDFRDR" "O2Micro Media Reader Driver" "O2Micro " "c:\windows\system32\drivers\o2mdfw7.sys" "1/2/2011 8:52 PM"
+ "O2MDRRDR" "O2Micro Media Reader Driver" "O2Micro " "c:\windows\system32\drivers\o2mdrw7.sys" "1/2/2011 11:14 PM"
+ "O2SDJRDR" "O2Micro SD Reader Driver" "O2Micro " "c:\windows\system32\drivers\o2sdjw7.sys" "1/2/2011 8:46 PM"
+ "prepdrvr" "" "" "c:\windows\system32\ccm\prepdrv.sys" ""
+ "ql2300" "QLogic Fibre Channel Stor Miniport Driver" "QLogic Corporation" "c:\windows\system32\drivers\ql2300.sys" "1/22/2009 4:28 PM"
+ "ql40xx" "QLogic iSCSI Storport Miniport Driver" "QLogic Corporation" "c:\windows\system32\drivers\ql40xx.sys" "5/18/2009 6:17 PM"
+ "secdrv" "Macrovision SECURITY Driver" "Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K." "c:\windows\system32\drivers\secdrv.sys" "9/13/2006 6:18 AM"
+ "SiSRaid2" "SiS RAID Stor Miniport Driver" "Silicon Integrated Systems Corp." "c:\windows\system32\drivers\sisraid2.sys" "9/24/2008 11:19 AM"
+ "SiSRaid4" "SiS AHCI Stor-Miniport Driver" "Silicon Integrated Systems" "c:\windows\system32\drivers\sisraid4.sys" "10/1/2008 2:52 PM"
+ "SPBBCDrv" "SPBBC Driver" "Symantec Corporation" "c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys" "8/8/2009 6:37 PM"
+ "SRTSP" "Symantec AutoProtect" "Symantec Corporation" "c:\windows\system32\drivers\srtsp.sys" "8/10/2009 8:20 PM"
+ "SRTSPL" "Symantec AutoProtect" "Symantec Corporation" "c:\windows\system32\drivers\srtspl.sys" "8/10/2009 8:19 PM"
+ "SRTSPX" "Symantec AutoProtect" "Symantec Corporation" "c:\windows\system32\drivers\srtspx.sys" "8/10/2009 8:20 PM"
+ "stdcfltn" "Disk Class Filter Driver for Accelerometer" "ST Microelectronics" "c:\windows\system32\drivers\stdcfltn.sys" "8/20/2010 11:04 AM"
+ "stexstor" "Promise SuperTrak EX Series Driver for Windows " "Promise Technology" "c:\windows\system32\drivers\stexstor.sys" "2/17/2009 4:03 PM"
+ "SymEvent" "Symantec Event Library" "Symantec Corporation" "c:\windows\system32\drivers\symevent.sys" "6/24/2009 1:14 PM"
+ "tcm" "" "" "c:\windows\system32\drivers\tcm.sys" "4/16/2009 12:42 AM"
+ "VGPU" "" "" "File not found: System32\drivers\rdvgkmd.sys" ""
+ "viaide" "VIA Generic PCI IDE Bus Driver" "VIA Technologies, Inc." "c:\windows\system32\drivers\viaide.sys" "7/13/2009 4:11 PM"
+ "vsmraid" "VIA RAID DRIVER FOR AMD-X86-64" "VIA Technologies Inc.,Ltd" "c:\windows\system32\drivers\vsmraid.sys" "1/30/2009 6:13 PM"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" "" "8/1/2013 1:31 PM"
+ "msacm.l3acm" "MPEG Layer-3 Audio Codec for MSACM" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codeca.acm" "7/13/2009 6:06 PM"
+ "vidc.cvid" "Cinepak® Codec" "Radius Inc." "c:\windows\system32\iccvid.dll" "11/20/2010 4:59 AM"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" "" "8/1/2013 1:48 PM"
+ "igfxcui" "igfxdev Module" "Intel Corporation" "c:\windows\system32\igfxdev.dll" "4/10/2011 11:06 AM"
"HKCU\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe" "" "" "" "7/31/2013 2:32 PM"
+ "%systemroot%\system32\Turner Screen Saver 2009.scr" "ScreenTime Screensaver Engine" "ScreenTime Media" "c:\windows\system32\turner screen saver 2009.scr" "5/27/2009 2:32 PM"
"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "" "" "" "7/31/2013 3:43 PM"
+ "SnacNp" "Symantec SNAC Network Provider" "Symantec Corporation" "c:\program files\symantec\symantec endpoint protection\snacnp.dll" "9/17/2009 5:20 PM"
  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Go into Autoruns and uncheck this one:

+ "cvusbdrv" "Broadcom Credential Vault USB Driver" "Broadcom Corporation" "c:\windows\system32\drivers\cvusbdrv.sys" "10/29/2009 11:37 AM"

I think it must be left over from an old program.

Doesn't look like you have updated Adobe Reader yet. It really needs to be 11. something to be safe.

Don't know what's wrong with OTL. Can you just run a quick scan and post the log?

If you run MBAM again does it still find something?
  • 0
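A way to triage an export like the one posted above without reading every line by hand, as an added example that is not part of this thread and not Sysinternals code: it parses the five-column quoted format the log was pasted in (section header lines without a leading "+", entry lines with one) and flags entries whose image path reads "File not found:" (a registry entry pointing at a file that no longer exists, the leftover kind RKinner describes) or whose publisher column is empty. The sample input is a constructed subset of lines copied from the log in this thread; the export shape is assumed from that log, and a real Autoruns save may be tab-separated instead.

```python
"""Triage an Autoruns-style text export for orphaned and unattributed autostart entries."""
import re
import sys
from dataclasses import dataclass

# Constructed sample: lines taken from the export quoted in the thread, in the shape
# entry, description, publisher, image path, timestamp. A section header has no
# leading "+"; the entries under it do.
SAMPLE_EXPORT = r'''
"HKLM\System\CurrentControlSet\Services" "" "" "" "7/31/2013 3:43 PM"
+ "catchme" "" "" "File not found: C:\Users\TURNER~1\AppData\Local\Temp\catchme.sys" ""
+ "cvusbdrv" "Broadcom Credential Vault USB Driver" "Broadcom Corporation" "c:\windows\system32\drivers\cvusbdrv.sys" "10/29/2009 11:37 AM"
+ "mbamchameleon" "" "" "c:\windows\system32\drivers\mbamchameleon.sys" "10/22/2012 3:41 PM"
+ "VGPU" "" "" "File not found: System32\drivers\rdvgkmd.sys" ""
+ "WinDefend" "Protection against spyware and potentially unwanted software" "Microsoft Corporation" "c:\program files\windows defender\mpsvc.dll" "7/13/2009 6:07 PM"
'''

# Each column is a double-quoted string; paths contain backslashes, so a plain
# regex is safer than shlex here.
FIELD_RE = re.compile(r'"([^"]*)"')


@dataclass
class Entry:
    location: str      # registry key or other autostart location the entry lives in
    name: str
    description: str
    publisher: str
    image_path: str
    timestamp: str


def parse_export(text):
    """Turn the export text into Entry objects, tracking the current section header."""
    entries = []
    location = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = FIELD_RE.findall(line)
        if len(fields) != 5:
            continue  # not the five-column shape; skip rather than guess
        if line.startswith("+"):
            entries.append(Entry(location, *fields))
        else:
            location = fields[0]
    return entries


def triage(entries):
    """Return (name, reason, image_path) for entries worth a second look.

    'orphaned'      : the registry still references a file that is gone
    'no-publisher'  : the file exists but carries no publisher; verify it manually
    """
    findings = []
    for e in entries:
        if e.image_path.startswith("File not found:"):
            findings.append((e.name, "orphaned", e.image_path))
        elif not e.publisher:
            findings.append((e.name, "no-publisher", e.image_path))
    return findings


if __name__ == "__main__":
    # Usage: python autoruns_triage.py saved_export.txt  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for name, reason, path in triage(parse_export(text)):
        print(f"{reason:13} {name:20} {path}")
```

On the sample this reports catchme and VGPU as orphaned and mbamchameleon as lacking a publisher; an orphaned entry is safe to delete, while a no-publisher entry with an existing file needs a look at the file itself (here it belongs to Malwarebytes) before anything is removed.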

#10
willmon2000

willmon2000

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Malwarebytes is actually not showing anything else at this point. It seems to be clean! Thanks a lot RKinner!!
  • 0

#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Unless you see other problems I think we are done and can clean up.

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.



You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories, then right click on Command Prompt and Run As Administrator.
Then right click, Paste, then hit Enter.

OTL has a cleanup tab but DO NOT USE IT! There are reports that it leaves the PC unbootable. Instead just delete OTL.exe and the folder c:\_OTL.

To hide hidden files again:

Vista or Win7

1. Open the Control Panel menu and click Folder Options.
2. After the new window appears select the View tab.
3. Remove the check in the checkbox labeled Display the contents of system folders.
4. Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
5. Check the checkbox labeled Hide protected operating system files.
6. Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/ Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Special note on Java. Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
http://www.java.com/...lugin_cache.xml
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 9 or better. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE. Get the latest version from Java.com. They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download. Just uncheck the garbage before the download (or install) starts. If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it. If that is the case then go to Control Panel, Java, Security and slide it up to the highest level. OK.

Make sure Windows Updates is turned on and that it works. Go to Control panel, Windows Updates and see if it works.

If you are feeling especially paranoid you can install the free firewall called Online Armor:
http://www.online-armor.com/


My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm
(The name means something like "clean place" in one of the local native-American dialects)

Ron
  • 0
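The Java clean-up step above lists the many names old runtimes hide under in Programs and Features and asks for anything older than Java 7 Update 9 to be removed. The following added example, which is not part of the thread, automates that comparison: it recognises the naming variants the post mentions, extracts the release family and update number, and reports runtimes below the stated minimum. The program names in the sample list are constructed; the registry reader at the end uses the standard Uninstall keys and is a hypothetical helper that returns nothing when run off Windows.

```python
"""Flag installed Java runtimes older than a minimum release (Java 7 Update 9 here)."""
import re

# Minimum acceptable release named in the thread: Java 7 Update 9.
MINIMUM = (7, 9)

# Constructed sample of DisplayName values in the style Programs and Features shows.
SAMPLE_PROGRAMS = [
    "Java 7 Update 25",
    "Java(TM) 6 Update 31",
    "J2SE Runtime Environment 5.0 Update 22",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java 7 Update 9",
    "Java Auto Updater",
    "Mozilla Firefox 22.0",
]

# Product aliases from the post, then the family number (optionally written as 1.x
# or x.0) and an optional "Update N".
JAVA_NAME_RE = re.compile(
    r"^(?:Java(?:\(TM\))?(?: SE)?(?: Runtime Environment)?|J2SE Runtime Environment|J2RE)"
    r"\s+(?:1\.)?(\d+)(?:\.0)?(?:\s+Update\s+(\d+))?",
    re.IGNORECASE,
)


def parse_java_name(display_name):
    """Return (family, update) for a Java runtime entry, or None if it is not one."""
    m = JAVA_NAME_RE.match(display_name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def outdated_java(display_names, minimum=MINIMUM):
    """Names of Java runtimes whose release is below `minimum` (family, update)."""
    return [
        name for name in display_names
        if (parsed := parse_java_name(name)) is not None and parsed < minimum
    ]


def installed_programs():
    """Hypothetical helper: DisplayName values from the Uninstall registry keys.

    Returns an empty list where the winreg module is unavailable (non-Windows).
    """
    try:
        import winreg
    except ImportError:
        return []
    names = []
    for path in (
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    ):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                        names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
                except OSError:
                    pass  # subkey without a DisplayName; skip
    return names


if __name__ == "__main__":
    programs = installed_programs() or SAMPLE_PROGRAMS
    for name in outdated_java(programs):
        print("outdated:", name)
```

On the sample it lists the 6 Update 31, 5.0 Update 22 and 6 Update 1 entries and leaves 7 Update 9 and 7 Update 25 alone; the Auto Updater and Firefox entries are not runtimes and are ignored.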
