
Virus:Win32/Alureon.gen!d



#1
theskyishole

Hello all,
First off, thanks in advance for taking the time to take a look at this issue.

This is an older DELL System running Windows XP HOME Version 2002 Service Pack 3.
The machine is used at my family's office primarily for managing documents associated with rental property.

The main symptoms are performance issues when multi-tasking. This climaxed in system memory errors stating there isn't enough memory to perform operations.
Reading into this virus, it sounds like that is one of the main tells.

Microsoft Security Essentials, which seems to be the only security software running, lists Virus:Win32/Alureon.gen!d - status: active - Alert Level: Severe.
I'm not sure how this virus got into the system - my guess is an email attachment or a dubious popup. They aren't the most advanced users and could have fallen for something like this.

I did run several common tools such as Glary Utilities and had attempted to run Combo-Fix before reading how 'intense', for lack of a better word, that program is. I cancelled it at that point.

Normally I would wipe the drive and re-install XP for them - but they have software on this system which is currently unavailable and they haven't completed duplicating the records into the new system - so reformatting isn't an option. I'm really hoping there may be a series of operations I can perform to effectively remove this virus from the system.

Please let me know if you need any additional information and thanks again!

OTL log below:


OTL logfile created on: 10/5/2013 8:55:55 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.98 Mb Total Physical Memory | 644.98 Mb Available Physical Memory | 63.11% Memory free
1.91 Gb Paging File | 1.67 Gb Available in Paging File | 87.59% Paging File free
Paging file location(s): C:\pagefile.sys 1024 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.04 Gb Total Space | 13.72 Gb Free Space | 40.30% Space Free | Partition Type: NTFS
Drive E: | 793.75 Mb Total Space | 793.17 Mb Free Space | 99.93% Space Free | Partition Type: FAT

Computer Name: DDNNH981 | User Name: douglas wenz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/10/04 19:38:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools\OTL.exe
PRC - [2013/06/20 18:05:14 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/05/30 16:07:08 | 000,030,096 | ---- | M] (VER_COMPANY_NAME) -- C:\Program Files\MapsGalaxy_39\bar\1.bin\39brmon.exe
PRC - [2009/12/18 11:25:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/01 13:30:26 | 000,094,208 | ---- | M] () -- C:\Program Files\QUICKENW\qagent.exe
PRC - [2001/02/28 11:42:44 | 000,065,536 | ---- | M] (Marimba Inc.) -- C:\WINDOWS\system32\mrtMngr.exe


========== Modules (No Company Name) ==========

MOD - [2001/08/01 13:30:26 | 000,094,208 | ---- | M] () -- C:\Program Files\QUICKENW\qagent.exe


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/09/20 09:21:44 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/06/20 18:05:14 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/05/30 16:07:08 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) [Auto | Stopped] -- C:\Program Files\MapsGalaxy_39\bar\1.bin\39barsvc.exe -- (MapsGalaxy_39Service)
SRV - [2009/12/18 11:25:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2008/08/29 10:00:30 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wanatw4.sys -- (wanatw)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\BootDefragDriver.sys -- (BootDefragDriver)
DRV - [2013/10/04 19:25:31 | 000,040,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C0C0DB0-4A8E-4010-81D4-B02BE267E59D}\MpKsl3ae81638.sys -- (MpKsl3ae81638)
DRV - [2013/09/18 08:08:09 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/01/31 12:08:54 | 000,028,005 | R--- | M] (Efficient Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\enethusb.sys -- (ENETHUSB)
DRV - [2001/02/28 11:42:44 | 000,034,712 | ---- | M] (Marimba, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\MrtRate.sys -- (mrtRate)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{46197f3d-30e7-4905-a14b-02bee3aaeb58}: "URL" = http://search.tb.ask...r={searchTerms}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebs...r={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKCU\..\URLSearchHook: {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - No CLSID value found
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{46197f3d-30e7-4905-a14b-02bee3aaeb58}: "URL" = http://search.tb.ask...r={searchTerms}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7GGLL_en
IE - HKCU\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@MapsGalaxy_39.com/Plugin: C:\Program Files\MapsGalaxy_39\bar\1.bin\NP39Stub.dll (MindSpark)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/05/24 10:41:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\39ffxtbr@MapsGalaxy_39.com: C:\Program Files\MapsGalaxy_39\bar\1.bin [2013/05/30 16:07:15 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/05/24 10:41:30 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - Extension: No name found = C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: No name found = C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: No name found = C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2008/08/26 16:20:20 | 000,000,025 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Toolbar BHO) - {1e91a655-bb4b-4693-a05e-2edebc4c9d89} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found.
O2 - BHO: (Search Assistant BHO) - {71c1d63a-c944-428a-a5bd-ba513190e5d2} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrcAs.dll (MindSpark)
O3 - HKLM\..\Toolbar: (MapsGalaxy) - {364ea597-e728-4ce4-bb4a-ed846ef47970} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (MapsGalaxy) - {364EA597-E728-4CE4-BB4A-ED846EF47970} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [MapsGalaxy Search Scope Monitor] C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrchMn.exe (MindSpark)
O4 - HKLM..\Run: [MapsGalaxy_39 Browser Plugin Loader] C:\Program Files\MapsGalaxy_39\bar\1.bin\39brmon.exe (VER_COMPANY_NAME)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\ServicePackFiles\i386\msconfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [QAGENT] C:\Program Files\QUICKENW\qagent.exe ()
O4 - Startup: C:\Documents and Settings\douglas wenz\Start Menu\Programs\Startup\RentRight Reminder System.lnk = C:\RentVer3\reminder.exe (RentRight)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &Search - http://buttons.popul...16&n=2013071611 File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 File not found
O15 - HKCU\..Trusted Domains: alltel.com ([care] http in Trusted sites)
O15 - HKCU\..Trusted Domains: alltel.com ([care] https in Trusted sites)
O15 - HKCU\..Trusted Domains: hrblock.com ([taxes] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} https://activation.a...aller_2-0-0.cab (Reg Error: Value error.)
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} https://care.alltel....aller_3-0-0.cab (McciUtilsSpecialFolder Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by109fd.bay10...es/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {528BF874-2681-4CE3-8C62-AA0D3BC0A719} https://care.alltel....aller_3-0-0.cab (McciSysSCM Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} https://care.alltel....aller_3-0-0.cab (McciSM Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BB3B91F7-1070-4BFD-AA42-6C523B9162B9} https://care.alltel....aller_3-0-0.cab (McciHTTPClient Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} https://care.alltel....aller_3-0-0.cab (SecurityManager Class)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.ado...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://tdameritrade...nbr/ieatgpc.cab (GpcContainer Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{dab97c94-4c31-11e0-891f-0013a3309122}\Shell - "" = AutoRun
O33 - MountPoints2\{dab97c94-4c31-11e0-891f-0013a3309122}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dab97c94-4c31-11e0-891f-0013a3309122}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (BootDefrag.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/10/04 19:31:53 | 000,000,000 | --SD | C] -- C:\Combo-Fix
[2013/10/04 19:13:55 | 000,712,264 | ---- | C] (MindSpark) -- C:\Program Files\7iUninstall PopularScreensavers.dll
[2013/10/04 19:02:39 | 000,101,664 | ---- | C] (Glarysoft Ltd) -- C:\WINDOWS\System32\BootDefrag.exe
[2013/10/04 19:02:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Application Data\GlarySoft
[2013/10/04 19:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Glary Utilities 3
[2013/10/04 19:02:12 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities 3
[2013/10/04 18:53:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/10/04 18:53:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/10/04 18:53:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/10/04 18:53:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/10/04 18:50:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/10/04 18:50:01 | 000,000,000 | R--D | C] -- C:\Documents and Settings\douglas wenz\Start Menu\Programs\Administrative Tools
[2013/10/04 18:49:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/10/04 18:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Application Data\ParetoLogic
[2013/10/04 18:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Application Data\DriverCure
[2013/10/04 18:36:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2013/10/04 18:32:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools
[2013/10/01 08:30:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2013/09/23 15:12:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2013/09/23 15:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Windows Live Writer
[2013/09/18 08:08:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Application Data\Apple Computer
[2013/09/18 08:08:09 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/09/18 07:29:18 | 000,023,360 | ---- | C] (IObit) -- C:\WINDOWS\System32\RegistryDefragBootTime.exe
[2013/09/18 07:06:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2013/09/18 07:04:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Application Data\IObit
[2013/09/18 06:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
[2013/09/18 06:59:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2013/09/18 06:58:54 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2013/09/17 16:37:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/09/17 06:30:22 | 000,000,000 | -HSD | C] -- C:\found.001
[2013/09/13 13:37:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2013/09/13 13:37:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/10/05 08:57:21 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/10/05 08:39:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-716673963-3066783214-2359982156-501UA.job
[2013/10/05 08:19:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/10/04 20:40:01 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2013/10/04 19:35:29 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/10/04 19:29:38 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/10/04 19:29:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/10/04 19:29:35 | 000,000,334 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize 3.job
[2013/10/04 19:25:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/10/04 19:25:22 | 1071,697,920 | -HS- | M] () -- C:\hiberfil.sys
[2013/10/04 19:24:26 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2013/10/04 19:02:41 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\douglas wenz\Application Data\Microsoft\Internet Explorer\Quick Launch\Glary Utilities 3.lnk
[2013/10/04 19:02:41 | 000,000,755 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Glary Utilities 3.lnk
[2013/10/04 18:56:39 | 000,000,000 | ---- | M] () -- C:\test0123
[2013/10/02 17:39:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-716673963-3066783214-2359982156-501Core.job
[2013/10/02 15:25:51 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2013/10/02 15:07:33 | 000,000,978 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2013/10/02 14:00:09 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2013/10/02 10:51:09 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/10/02 10:22:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2013/10/02 10:12:02 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/09/24 15:12:58 | 000,333,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/09/18 08:08:09 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/09/18 08:06:03 | 000,000,000 | ---- | M] () -- C:\asc_rdflag
[2013/09/18 08:05:02 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/09/13 03:32:30 | 000,101,664 | ---- | M] (Glarysoft Ltd) -- C:\WINDOWS\System32\BootDefrag.exe
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/10/04 19:13:55 | 000,194,960 | ---- | C] () -- C:\Program Files\7ires.dll
[2013/10/04 19:02:41 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\douglas wenz\Application Data\Microsoft\Internet Explorer\Quick Launch\Glary Utilities 3.lnk
[2013/10/04 19:02:41 | 000,000,755 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Glary Utilities 3.lnk
[2013/10/04 19:02:36 | 000,000,334 | ---- | C] () -- C:\WINDOWS\tasks\GlaryInitialize 3.job
[2013/10/04 19:02:33 | 000,000,811 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Glary Utilities 3.lnk
[2013/10/04 18:56:39 | 000,000,000 | ---- | C] () -- C:\test0123
[2013/10/04 18:53:53 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/10/04 18:53:53 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/10/04 18:53:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/10/04 18:53:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/10/04 18:53:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/09/29 17:34:49 | 000,000,978 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-716673963-3066783214-2359982156-501UA.job
[2013/09/29 17:34:48 | 000,000,926 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-716673963-3066783214-2359982156-501Core.job
[2013/09/20 14:54:29 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\WBPU-TTL.DAT
[2013/09/20 14:54:26 | 000,000,088 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\WB.CFG
[2013/09/18 12:46:24 | 1071,697,920 | -HS- | C] () -- C:\hiberfil.sys
[2013/09/18 08:06:03 | 000,000,000 | ---- | C] () -- C:\asc_rdflag
[2013/09/18 08:03:32 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/09/13 10:45:42 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2013/07/29 14:53:04 | 000,000,106 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\WB.CFG
[2013/06/27 14:53:10 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\WBPU-TTL.DAT
[2013/06/26 14:53:06 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\douglas wenz\Application Data\WBPU-TTL.DAT
[2013/06/10 10:18:28 | 000,000,057 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Ament.ini
[2012/02/16 15:16:22 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2006/09/06 16:59:28 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\douglas wenz\Application Data\PFP120JPR.{PB
[2006/09/06 16:59:28 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\douglas wenz\Application Data\PFP120JCM.{PB

========== ZeroAccess Check ==========

[2004/08/10 13:09:48 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2005/10/22 09:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2013/06/25 14:54:15 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/03/08 14:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\dIlNkDk08512
[2013/09/18 06:59:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2013/10/04 19:13:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/02/19 12:14:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2010/11/02 14:23:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2008/09/04 17:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2012/01/11 18:17:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2013/09/18 06:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
[2009/03/23 17:16:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2013/10/04 18:36:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\DriverCure
[2013/06/25 14:53:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\DSite
[2008/09/26 10:09:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
[2013/10/04 19:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\GlarySoft
[2013/09/18 07:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\IObit
[2012/12/26 11:50:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Landlord
[2010/11/02 14:16:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Leadertech
[2013/05/30 16:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\MapsGalaxy_39
[2011/03/11 18:22:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\OpenOffice.org
[2013/10/04 18:36:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\ParetoLogic
[2013/06/25 14:56:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\PDF Writer Packages
[2007/05/14 14:29:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Viewpoint

========== Purity Check ==========



< End of report >

#2
RKinner
Malware Expert

Copy the text in the code box by highlighting it and pressing Ctrl + C.


:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{46197f3d-30e7-4905-a14b-02bee3aaeb58}: "URL" = http://search.tb.ask...r={searchTerms}
IE - HKLM\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
IE - HKCU\..\URLSearchHook: {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - No CLSID value found
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKCU\..\SearchScopes\{46197f3d-30e7-4905-a14b-02bee3aaeb58}: "URL" = http://search.tb.ask...r={searchTerms}
IE - HKCU\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebs...r={searchTerms}
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@MapsGalaxy_39.com/Plugin: C:\Program Files\MapsGalaxy_39\bar\1.bin\NP39Stub.dll (MindSpark)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\39ffxtbr@MapsGalaxy_39.com: C:\Program Files\MapsGalaxy_39\bar\1.bin [2013/05/30 16:07:15 | 000,000,000 | ---D | M]
O2 - BHO: (Toolbar BHO) - {1e91a655-bb4b-4693-a05e-2edebc4c9d89} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found.
O2 - BHO: (Search Assistant BHO) - {71c1d63a-c944-428a-a5bd-ba513190e5d2} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrcAs.dll (MindSpark)
O3 - HKLM\..\Toolbar: (MapsGalaxy) - {364ea597-e728-4ce4-bb4a-ed846ef47970} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (MapsGalaxy) - {364EA597-E728-4CE4-BB4A-ED846EF47970} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
O4 - HKLM..\Run: [MapsGalaxy Search Scope Monitor] C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrchMn.exe (MindSpark)
O4 - HKLM..\Run: [MapsGalaxy_39 Browser Plugin Loader] C:\Program Files\MapsGalaxy_39\bar\1.bin\39brmon.exe (VER_COMPANY_NAME)
O8 - Extra context menu item: &Search - http://buttons.popul...16&n=2013071611 File not found
[2013/10/04 19:29:38 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/10/04 19:29:35 | 000,000,334 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize 3.job
[2013/10/02 17:39:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-716673963-3066783214-2359982156-501Core.job
[2013/10/05 08:57:21 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/10/05 08:39:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-716673963-3066783214-2359982156-501UA.job
[2013/10/05 08:19:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

:files
at /c
at*.job

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


Then double click on OTL to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all, then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.


Download aswMBR.exe to your desktop.
Double click aswMBR.exe
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan, if the Fix button is enabled (not the FixMBR button), press it, then run a new scan and click Save log. Save it to your desktop and post it in your next reply.
If the Fix button is not enabled, just click Save log, save it to your desktop and post it in your next reply.

ComboFix

It must be saved to your desktop; do not run it from your browser.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from:
http://subs.geekstogo.com/ComboFix.exe

Double click on ComboFix to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe to start the program.

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.



Malwarebytes' Anti-Malware
If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy.
http://www.malwareby...lwarebytes_free

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe to start the program.
* follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download ADWCleaner to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @BleepingComputer

NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).


Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder.



Junkware-Removal-Tool

Please download Junkware Removal Tool to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @Author's site
  • Pause your anti-virus. Close all browsers.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




Right click on (My) Computer and select Manage (Continue), then the Event Viewer. Next select Windows Logs. Right click on System and select Clear Log, then Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

5. Click the radio button for 'Number of events'
6. Type 20 in the 1 to 20 box
7. Click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.


Copy the text in the code box:

DRIVES
netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a full minute then:

File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.


Ron
  • 0
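The ":OTL" block in the fix above is built by reading OTL's scan output line by line and picking out the entries that point at a known adware vendor or at a CLSID or file that no longer exists. The following script is an added example (not part of OTL and not RKinner's code) that automates that triage: it parses OTL-style hijack-point lines into section, name, CLSID, path and publisher, and flags orphans and watch-listed publishers. The sample lines are the ones from the OTL log in this thread, except for the SoundMAXPnP line and the context-menu URL, which are constructed stand-ins; the publisher watch list is also constructed for the demo.

```python
"""Triage of OTL scan lines: parse each hijack-point entry and flag the ones
worth a second look.

Added example, not part of OTL or of the instructions above. Sample lines are
copied from the OTL output posted in this thread except where marked
constructed; the watch list of publisher strings is constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample OTL lines. The SoundMAXPnP line and the context-menu URL are
# constructed stand-ins; the rest come from the log in this thread.
SAMPLE_LOG = r"""
IE - HKCU\..\URLSearchHook: {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - No CLSID value found
O2 - BHO: (Toolbar BHO) - {1e91a655-bb4b-4693-a05e-2edebc4c9d89} - C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll (MindSpark)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O4 - HKLM..\Run: [MapsGalaxy_39 Browser Plugin Loader] C:\Program Files\MapsGalaxy_39\bar\1.bin\39brmon.exe (VER_COMPANY_NAME)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O8 - Extra context menu item: &Search - http://example.invalid/search File not found
"""

SECTION_RE = re.compile(r"^(?P<section>O\d+|IE|FF)\s+-\s+(?P<rest>.*)$")
NAME_RE = re.compile(r"\((?P<p>[^()]*)\)|\[(?P<b>[^\]]*)\]")   # first (...) or [...]
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"([A-Za-z]:\\[^\r\n]*?)(?:\s+\([^()]*\))?\s*$")  # drive path, optional (publisher)
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")                        # trailing (publisher)

# OTL prints these when the registry pointer or the file it names is gone.
ORPHAN_MARKERS = ("No CLSID value found", "File not found")

# Constructed watch list (lower-cased). VER_COMPANY_NAME is the unfilled
# version-resource template string, i.e. the binary carries no real company name.
WATCHLIST = {"mindspark", "ver_company_name"}


@dataclass
class Entry:
    section: str
    raw: str
    name: Optional[str] = None
    clsid: Optional[str] = None
    path: Optional[str] = None
    publisher: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str) -> Optional[Entry]:
    """Split one OTL entry line into its fields; None for non-entry lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    e = Entry(section=m.group("section"), raw=line.strip())
    nm = NAME_RE.search(rest)
    if nm:
        e.name = nm.group("p") if nm.group("p") is not None else nm.group("b")
    cm = CLSID_RE.search(rest)
    if cm:
        e.clsid = cm.group(0)
    pm = PATH_RE.search(rest)
    if pm:
        e.path = pm.group(1)
    pub = PUBLISHER_RE.search(rest)
    if pub:
        e.publisher = pub.group(1)
    return e


def classify(e: Entry, watchlist=WATCHLIST) -> Entry:
    """Attach a reason for every rule the entry trips."""
    if any(marker.lower() in e.raw.lower() for marker in ORPHAN_MARKERS):
        e.reasons.append("orphan: CLSID or file no longer resolves")
    if e.publisher and e.publisher.lower() in watchlist:
        e.reasons.append(f"publisher on watch list: {e.publisher}")
    return e


def triage(log_text: str, watchlist=WATCHLIST) -> List[Entry]:
    """Parse and classify every OTL entry line in log_text."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(classify(e, watchlist))
    return entries


def suspicious_by_section(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group the flagged entries by OTL section (O2, O3, O4, IE, ...)."""
    out: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.suspicious:
            out.setdefault(e.section, []).append(e)
    return out


if __name__ == "__main__":
    for section, items in sorted(suspicious_by_section(triage(SAMPLE_LOG)).items()):
        print(f"[{section}]")
        for e in items:
            print(f"  {e.name or e.clsid or e.raw}: {'; '.join(e.reasons)}")
```

Run against the sample, the only entry that comes back clean is the constructed SoundMAXPnP line; everything else is either an orphan or a MindSpark / unnamed-publisher item, which matches what the fix above targets. The publisher string is only what the file's version resource claims, so treat a watch-list hit as a pointer to verify the file's signature (the Process Explorer step below), not as proof by itself.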
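The /md5start ... /md5stop block in the custom scan above makes OTL print an MD5 for a fixed list of system files that rootkits are known to patch in place (atapi.sys and the Winsock providers among them); the helper compares those hashes with known-good values. The script below is an added example (not OTL's code) of that comparison against a saved baseline. Every path, file body and baseline value here is constructed in a temporary directory for the demo; a real baseline comes from a clean machine with the same Windows version and patch level.

```python
"""Baseline hash check for the system files OTL lists between /md5start and
/md5stop.

Added example, not OTL's own code. OTL prints an MD5 per file; this script
does the comparison against a saved baseline. All file contents, paths and
the baseline are constructed in a temporary directory for the demo.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple

# File names from the /md5start block above. consrv.dll is deliberately left
# out of the demo tree to show how a missing file is reported.
WATCHED = [
    "pnrpnsp.dll", "nwprovau.dll", "nlaapi.dll", "napinsp.dll", "mswsock.dll",
    "winrnr.dll", "wshelper.dll", "services.exe", "atapi.sys", "explorer.exe",
    "winlogon.exe", "Userinit.exe", "svchost.exe", "csrss.exe",
    "PrintIsolationHost.exe", "consrv.dll",
]


def file_hash(path: str, algo: str = "md5") -> str:
    """Stream the file through hashlib so large binaries are not read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare(baseline: Dict[str, str], root: str, names: Iterable[str],
            algo: str = "md5") -> Dict[str, str]:
    """Return a status per watched file: ok, MODIFIED, MISSING or UNKNOWN.

    MISSING is informational: several names in OTL's list only exist on newer
    Windows versions, so absence alone is not a finding on XP.
    """
    report: Dict[str, str] = {}
    for name in names:
        path = os.path.join(root, name)
        if not os.path.exists(path):
            report[name] = "MISSING"
            continue
        expected = baseline.get(name)
        actual = file_hash(path, algo)
        if expected is None:
            report[name] = "UNKNOWN (no baseline)"
        elif actual == expected:
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    return report


def build_demo_tree() -> Tuple[str, Dict[str, str]]:
    """Write constructed stand-in files, record their baseline, then alter one
    of them after the fact, the way a patched driver differs from its original."""
    root = tempfile.mkdtemp(prefix="md5demo_")
    baseline: Dict[str, str] = {}
    for name in WATCHED:
        if name == "consrv.dll":
            continue
        data = f"constructed stand-in for {name}\n".encode()
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
        baseline[name] = hashlib.md5(data).hexdigest()
    # Simulated in-place patch: bytes appended after the baseline was taken.
    with open(os.path.join(root, "atapi.sys"), "ab") as fh:
        fh.write(b"\x90" * 16)
    return root, baseline


def findings(report: Dict[str, str]) -> Dict[str, str]:
    """Only the entries a helper needs to act on."""
    return {n: s for n, s in report.items() if s not in ("ok", "MISSING")}


if __name__ == "__main__":
    root, baseline = build_demo_tree()
    report = compare(baseline, root, WATCHED)
    for name, status in report.items():
        print(f"{status:<22} {name}")
    print("needs attention:", findings(report))
```

Two caveats apply when doing this for real. MD5 is what OTL reports, so the example matches it; for a baseline you build yourself, pass `algo="sha256"` on both sides. And a hash computed from inside a running, infected system can be answered by a filter driver with the clean bytes, which is exactly why the rest of this post also runs MBR and rootkit scanners (aswMBR, TDSSKiller); hashing from an offline boot is the reliable form of the check.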

#3
theskyishole

theskyishole

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I'm hoping I did all of this correctly - if I had any issues I felt like it was using OTL. I'm not sure the correct log generated the first time and I only got one log the second time. Regardless here are the logs:

-----------------------------------------------------------------------------------

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{46197f3d-30e7-4905-a14b-02bee3aaeb58}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46197f3d-30e7-4905-a14b-02bee3aaeb58}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b0441a0e-a49a-4e16-afc1-74ecced1921f}\ not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{26842a09-ffa8-4e2c-ae12-0c80f01c3295} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26842a09-ffa8-4e2c-ae12-0c80f01c3295}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{26842a09-ffa8-4e2c-ae12-0c80f01c3295}\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{46197f3d-30e7-4905-a14b-02bee3aaeb58}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46197f3d-30e7-4905-a14b-02bee3aaeb58}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b0441a0e-a49a-4e16-afc1-74ecced1921f}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@java.com/JavaPlugin\ deleted successfully.
C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@MapsGalaxy_39.com/Plugin\ deleted successfully.
C:\Program Files\MapsGalaxy_39\bar\1.bin\NP39Stub.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\39ffxtbr@MapsGalaxy_39.com deleted successfully.
C:\Program Files\MapsGalaxy_39\bar\1.bin\ThirdPartyInstallers folder moved successfully.
C:\Program Files\MapsGalaxy_39\bar\1.bin\chrome folder moved successfully.
C:\Program Files\MapsGalaxy_39\bar\1.bin folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1e91a655-bb4b-4693-a05e-2edebc4c9d89}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1e91a655-bb4b-4693-a05e-2edebc4c9d89}\ deleted successfully.
File C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71c1d63a-c944-428a-a5bd-ba513190e5d2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71c1d63a-c944-428a-a5bd-ba513190e5d2}\ deleted successfully.
File C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrcAs.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{364ea597-e728-4ce4-bb4a-ed846ef47970} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{364ea597-e728-4ce4-bb4a-ed846ef47970}\ deleted successfully.
File C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\SITEguard deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{364EA597-E728-4CE4-BB4A-ED846EF47970} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{364EA597-E728-4CE4-BB4A-ED846EF47970}\ not found.
File C:\Program Files\MapsGalaxy_39\bar\1.bin\39bar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MapsGalaxy Search Scope Monitor deleted successfully.
File C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrchMn.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MapsGalaxy_39 Browser Plugin Loader deleted successfully.
File C:\Program Files\MapsGalaxy_39\bar\1.bin\39brmon.exe not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ deleted successfully.
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job moved successfully.
C:\WINDOWS\tasks\GlaryInitialize 3.job moved successfully.
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-716673963-3066783214-2359982156-501Core.job moved successfully.
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job moved successfully.
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-716673963-3066783214-2359982156-501UA.job moved successfully.
C:\WINDOWS\tasks\Adobe Flash Player Updater.job moved successfully.
========== FILES ==========
< at /c >
Status ID Day Time Command Line
-------------------------------------------------------------------------------
1 Each 1 2 3 4 5 6 7 8... 10:10 AM "C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000"
2 Each 1 2 3 4 5 6 7 8... 8:40 PM "C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000"
3 Each 1 2 3 4 5 6 7 8... 10:22 AM "C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000"
4 Each 1 2 3 4 5 6 7 8... 2:00 PM "C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000"
5 Each M T W Th F S Su 2:53 PM C:\DOCUME~1\DOUGLA~1\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE /Check
C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools\cmd.bat deleted successfully.
C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools\cmd.txt deleted successfully.
File\Folder at*.job not found.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 56974 bytes

User: All Users

User: Default User
->Flash cache emptied: 56468 bytes

User: douglas wenz
->Flash cache emptied: 913456 bytes

User: Guest
->Flash cache emptied: 6673 bytes

User: jeffrey wenz
->Flash cache emptied: 836574 bytes

User: LocalService
->Flash cache emptied: 88136 bytes

User: NetworkService
->Flash cache emptied: 72238 bytes

Total Flash Files Cleaned = 2.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: douglas wenz
->Java cache emptied: 0 bytes

User: Guest
->Java cache emptied: 1147754 bytes

User: jeffrey wenz
->Java cache emptied: 3637704 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 5.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10092013_185430


-------------------------------------------------------------------


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-10-09 19:00:08
-----------------------------
19:00:08.437 OS Version: Windows 5.1.2600 Service Pack 3
19:00:08.468 Number of processors: 1 586 0x401
19:00:08.468 ComputerName: DDNNH981 UserName:
19:00:09.203 Initialize success
19:00:21.156 AVAST engine download error: 0
19:00:30.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:00:30.468 Disk 0 Vendor: SAMSUNG_SP0401N TJ100-28 Size: 38146MB BusType: 3
19:00:30.484 Device \Driver\atapi -> MajorFunction 86799c10
19:00:30.515 Disk 0 MBR read successfully
19:00:30.531 Disk 0 MBR scan
19:00:30.531 Disk 0 unknown MBR code
19:00:30.546 Disk 0 MBR hidden
19:00:30.562 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
19:00:30.593 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 34851 MB offset 80325
19:00:30.625 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3247 MB offset 71457120
19:00:30.671 Disk 0 scanning sectors +78108030
19:00:30.765 Disk 0 scanning C:\WINDOWS\system32\drivers
19:00:43.718 Service scanning
19:00:56.687 Service MpKsld4700aa2 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C0C0DB0-4A8E-4010-81D4-B02BE267E59D}\MpKsld4700aa2.sys **LOCKED** 32
19:01:12.031 Modules scanning
19:01:26.531 Scan finished successfully
19:02:01.703 Disk 0 MBR has been saved successfully to "E:\reply\MBR.dat"
19:02:01.796 The log file has been saved successfully to "E:\reply\aswMBR.txt"


-----------------------------------------------------------------------


ComboFix 13-10-09.01 - douglas wenz 10/09/2013 19:30:59.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.608 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\douglas wenz\WINDOWS
C:\install.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\075884af680ff6dc.fb
c:\windows\system32\Cache\227113dfa1ca894d.fb
c:\windows\system32\Cache\49fbbc5a8678d502.fb
c:\windows\system32\Cache\5c54eb1a1655b076.fb
c:\windows\system32\Cache\613e8ce7ab7106af.fb
c:\windows\system32\Cache\633a76311867bd11.fb
c:\windows\system32\Cache\691f14230153a9e1.fb
c:\windows\system32\Cache\6cb409d7ac73d9f1.fb
c:\windows\system32\Cache\7614bd6cfa99e546.fb
c:\windows\system32\Cache\77664b6ccc36be9f.fb
c:\windows\system32\Cache\881b3593316772f0.fb
c:\windows\system32\Cache\98657d0579ae1930.fb
c:\windows\system32\Cache\d5c0f4e7bbe35bf3.fb
c:\windows\system32\Cache\d877e0b82221a07f.fb
c:\windows\system32\Cache\d9ca663388d21ec0.fb
c:\windows\system32\Cache\f2cda51fd108941f.fb
c:\windows\system32\Cache\f34d8db84131d925.fb
c:\windows\system32\SET46.tmp
c:\windows\system32\SET4F.tmp
c:\windows\system32\SET50.tmp
c:\windows\system32\SET51.tmp
c:\windows\system32\SET54.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-09-10 to 2013-10-10 )))))))))))))))))))))))))))))))
.
.
2013-10-10 00:02 . 2013-10-10 00:02 60872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C0C0DB0-4A8E-4010-81D4-B02BE267E59D}\offreg.dll
2013-10-09 23:57 . 2013-10-09 23:57 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C0C0DB0-4A8E-4010-81D4-B02BE267E59D}\MpKsld4700aa2.sys
2013-10-09 23:54 . 2013-10-09 23:54 -------- d-----w- C:\_OTL
2013-10-08 22:21 . 2013-10-08 22:21 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C0C0DB0-4A8E-4010-81D4-B02BE267E59D}\MpKsl470f76e0.sys
2013-10-05 00:02 . 2013-09-13 08:32 101664 ----a-w- c:\windows\system32\BootDefrag.exe
2013-10-05 00:02 . 2013-10-05 00:02 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\GlarySoft
2013-10-05 00:02 . 2013-10-05 00:02 -------- d-----w- c:\program files\Glary Utilities 3
2013-10-04 23:36 . 2013-10-04 23:36 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\ParetoLogic
2013-10-04 23:36 . 2013-10-04 23:36 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\DriverCure
2013-10-04 23:36 . 2013-10-05 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2013-10-02 15:22 . 2013-09-05 05:02 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C0C0DB0-4A8E-4010-81D4-B02BE267E59D}\mpengine.dll
2013-10-01 13:43 . 2013-09-05 05:02 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-23 20:12 . 2013-09-23 20:12 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2013-09-23 20:12 . 2013-10-02 20:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2013-09-23 20:12 . 2013-09-23 20:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Live Writer
2013-09-18 13:08 . 2013-09-18 13:08 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\Apple Computer
2013-09-18 13:08 . 2013-09-18 13:08 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-09-18 12:29 . 2013-04-18 01:22 23360 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2013-09-18 12:04 . 2013-09-18 12:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2013-09-18 12:04 . 2013-09-18 12:04 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\IObit
2013-09-18 11:59 . 2013-09-18 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-09-18 11:59 . 2013-09-18 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2013-09-18 11:58 . 2013-09-18 11:58 -------- d-----w- c:\program files\IObit
2013-09-17 21:37 . 2013-09-17 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-09-17 11:30 . 2013-09-17 11:30 -------- d-----w- C:\found.001
2013-09-16 21:52 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2013-09-16 21:51 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2013-09-16 21:51 . 2013-09-18 13:17 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-20 14:21 . 2012-07-13 13:19 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-20 14:21 . 2011-11-02 13:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-09 01:56 . 2004-08-10 17:51 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2004-08-10 17:51 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2004-08-10 17:50 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2004-08-10 17:51 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2013-08-05 13:30 . 2004-08-10 17:51 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 19:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QAGENT"="c:\program files\QUICKENW\QAGENT.EXE" [2001-08-01 94208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-25 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\douglas wenz\Start Menu\Programs\Startup\
RentRight Reminder System.lnk - c:\rentver3\reminder.exe [2009-1-15 113920]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk * \0BootDefrag.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 16:24 197928 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-06-20 22:25 995176 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-08-25 07:28 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
.
R1 MpKsld4700aa2;MpKsld4700aa2;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C0C0DB0-4A8E-4010-81D4-B02BE267E59D}\MpKsld4700aa2.sys [10/9/2013 6:57 PM 40392]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [1/4/2006 9:18 AM 34712]
S0 BootDefragDriver;BootDefragDriver;c:\windows\system32\drivers\BootDefragDriver.sys --> c:\windows\system32\drivers\BootDefragDriver.sys [?]
S2 MapsGalaxy_39Service;MapsGalaxyService;c:\progra~1\MAPSGA~2\bar\1.bin\39barsvc.exe --> c:\progra~1\MAPSGA~2\bar\1.bin\39barsvc.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/18/2013 8:08 AM 40776]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - MPKSLD4700AA2
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-09 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-10-09 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-10-09 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-10-09 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-10-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-06-20 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: alltel.com\care
Trusted Zone: hrblock.com\taxes
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
DPF: {528BF874-2681-4CE3-8C62-AA0D3BC0A719} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
DPF: {BB3B91F7-1070-4BFD-AA42-6C523B9162B9} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
MSConfigStartUp-MapsGalaxy Search Scope Monitor - c:\progra~1\MAPSGA~2\bar\1.bin\39srchmn.exe
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\douglas wenz\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-09 19:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,24,89,9e,2c,25,09,40,9e,e4,f6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,24,89,9e,2c,25,09,40,9e,e4,f6,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-10-09 19:46:30
ComboFix-quarantined-files.txt 2013-10-10 00:46
.
Pre-Run: 14,663,675,904 bytes free
Post-Run: 16,033,640,448 bytes free
.
- - End Of File - - D973A21DBD8462452C3796CBE403F9F3
5FB38429D5D77768867C76DCBDB35194


-------------------------------------------------------


19:52:37.0765 0684 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
19:52:38.0921 0684 ============================================================
19:52:38.0921 0684 Current date / time: 2013/10/09 19:52:38.0921
19:52:38.0921 0684 SystemInfo:
19:52:38.0921 0684
19:52:38.0921 0684 OS Version: 5.1.2600 ServicePack: 3.0
19:52:38.0921 0684 Product type: Workstation
19:52:38.0921 0684 ComputerName: DDNNH981
19:52:38.0921 0684 UserName: douglas wenz
19:52:38.0921 0684 Windows directory: C:\WINDOWS
19:52:38.0921 0684 System windows directory: C:\WINDOWS
19:52:38.0921 0684 Processor architecture: Intel x86
19:52:38.0921 0684 Number of processors: 1
19:52:38.0921 0684 Page size: 0x1000
19:52:38.0921 0684 Boot type: Normal boot
19:52:38.0937 0684 ============================================================
19:52:43.0656 0684 BG loaded
19:52:44.0421 0684 Drive \Device\Harddisk0\DR0 - Size: 0x9502F9000 (37.25 Gb), SectorSize: 0x200, Cylinders: 0x12FF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:52:44.0546 0684 Drive \Device\Harddisk1\DR4 - Size: 0xEA108000 (3.66 Gb), SectorSize: 0x200, Cylinders: 0x1DD, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
19:52:44.0546 0684 ============================================================
19:52:44.0546 0684 \Device\Harddisk0\DR0:
19:52:44.0578 0684 MBR partitions:
19:52:44.0578 0684 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x4411F9B
19:52:44.0578 0684 \Device\Harddisk1\DR4:
19:52:44.0578 0684 MBR partitions:
19:52:44.0578 0684 \Device\Harddisk1\DR4\Partition1: MBR, Type 0x6, StartLBA 0x40, BlocksNum 0x18CFC0
19:52:44.0578 0684 ============================================================
19:52:44.0781 0684 C: <-> \Device\Harddisk0\DR0\Partition1
19:52:44.0937 0684 ============================================================
19:52:44.0937 0684 Initialize success
19:52:44.0937 0684 ============================================================
19:53:10.0875 3692 ============================================================
19:53:10.0875 3692 Scan started
19:53:10.0875 3692 Mode: Manual; SigCheck; TDLFS;
19:53:10.0875 3692 ============================================================
19:53:12.0656 3692 ================ Scan system memory ========================
19:53:12.0656 3692 System memory - ok
19:53:12.0671 3692 ================ Scan services =============================
19:53:14.0187 3692 Abiosdsk - ok
19:53:14.0531 3692 [ 6ABB91494FE6C59089B9336452AB2EA3 ] abp480n5 C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
19:53:26.0671 3692 abp480n5 - ok
19:53:26.0796 3692 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:53:27.0484 3692 ACPI - ok
19:53:27.0578 3692 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
19:53:27.0750 3692 ACPIEC - ok
19:53:27.0843 3692 [ 24A0876D07EF356DCBC1D7A7929354AB ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
19:53:27.0921 3692 AdobeFlashPlayerUpdateSvc - ok
19:53:27.0984 3692 [ 9A11864873DA202C996558B2106B0BBC ] adpu160m C:\WINDOWS\system32\DRIVERS\adpu160m.sys
19:53:28.0187 3692 adpu160m - ok
19:53:28.0218 3692 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
19:53:28.0390 3692 aec - ok
19:53:28.0437 3692 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
19:53:28.0546 3692 AFD - ok
19:53:28.0640 3692 [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
19:53:28.0921 3692 agp440 - ok
19:53:28.0953 3692 [ 03A7E0922ACFE1B07D5DB2EEB0773063 ] agpCPQ C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
19:53:29.0156 3692 agpCPQ - ok
19:53:29.0234 3692 [ C23EA9B5F46C7F7910DB3EAB648FF013 ] Aha154x C:\WINDOWS\system32\DRIVERS\aha154x.sys
19:53:29.0328 3692 Aha154x - ok
19:53:29.0375 3692 [ 19DD0FB48B0C18892F70E2E7D61A1529 ] aic78u2 C:\WINDOWS\system32\DRIVERS\aic78u2.sys
19:53:29.0609 3692 aic78u2 - ok
19:53:29.0625 3692 [ B7FE594A7468AA0132DEB03FB8E34326 ] aic78xx C:\WINDOWS\system32\DRIVERS\aic78xx.sys
19:53:29.0796 3692 aic78xx - ok
19:53:29.0859 3692 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
19:53:30.0046 3692 Alerter - ok
19:53:30.0078 3692 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
19:53:30.0265 3692 ALG - ok
19:53:30.0359 3692 [ 1140AB9938809700B46BB88E46D72A96 ] AliIde C:\WINDOWS\system32\DRIVERS\aliide.sys
19:53:30.0640 3692 AliIde - ok
19:53:30.0687 3692 [ CB08AED0DE2DD889A8A820CD8082D83C ] alim1541 C:\WINDOWS\system32\DRIVERS\alim1541.sys
19:53:30.0906 3692 alim1541 - ok
19:53:30.0968 3692 [ 95B4FB835E28AA1336CEEB07FD5B9398 ] amdagp C:\WINDOWS\system32\DRIVERS\amdagp.sys
19:53:31.0203 3692 amdagp - ok
19:53:31.0343 3692 [ 79F5ADD8D24BD6893F2903A3E2F3FAD6 ] amsint C:\WINDOWS\system32\DRIVERS\amsint.sys
19:53:31.0468 3692 amsint - ok
19:53:31.0484 3692 AppMgmt - ok
19:53:31.0515 3692 [ 62D318E9A0C8FC9B780008E724283707 ] asc C:\WINDOWS\system32\DRIVERS\asc.sys
19:53:31.0703 3692 asc - ok
19:53:31.0718 3692 [ 69EB0CC7714B32896CCBFD5EDCBEA447 ] asc3350p C:\WINDOWS\system32\DRIVERS\asc3350p.sys
19:53:31.0812 3692 asc3350p - ok
19:53:31.0828 3692 [ 5D8DE112AA0254B907861E9E9C31D597 ] asc3550 C:\WINDOWS\system32\DRIVERS\asc3550.sys
19:53:32.0000 3692 asc3550 - ok
19:53:32.0921 3692 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
19:53:33.0328 3692 aspnet_state - ok
19:53:33.0406 3692 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:53:33.0578 3692 AsyncMac - ok
19:53:33.0609 3692 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
19:53:33.0750 3692 atapi - ok
19:53:33.0765 3692 Atdisk - ok
19:53:33.0859 3692 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:53:34.0046 3692 Atmarpc - ok
19:53:34.0171 3692 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
19:53:34.0343 3692 AudioSrv - ok
19:53:34.0812 3692 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
19:53:35.0703 3692 audstub - ok
19:53:36.0171 3692 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
19:53:36.0359 3692 Beep - ok
19:53:37.0421 3692 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
19:53:37.0734 3692 BITS - ok
19:53:37.0750 3692 BootDefragDriver - ok
19:53:37.0812 3692 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
19:53:38.0000 3692 Browser - ok
19:53:38.0265 3692 catchme - ok
19:53:38.0328 3692 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
19:53:38.0515 3692 cbidf - ok
19:53:38.0578 3692 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
19:53:38.0718 3692 cbidf2k - ok
19:53:38.0812 3692 [ F3EC03299634490E97BBCE94CD2954C7 ] cd20xrnt C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
19:53:38.0953 3692 cd20xrnt - ok
19:53:38.0984 3692 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
19:53:39.0156 3692 Cdaudio - ok
19:53:39.0203 3692 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
19:53:39.0375 3692 Cdfs - ok
19:53:39.0468 3692 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:53:39.0640 3692 Cdrom - ok
19:53:39.0656 3692 Changer - ok
19:53:39.0718 3692 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
19:53:39.0906 3692 CiSvc - ok
19:53:40.0000 3692 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
19:53:40.0234 3692 ClipSrv - ok
19:53:40.0328 3692 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:53:41.0203 3692 clr_optimization_v2.0.50727_32 - ok
19:53:41.0312 3692 [ E5DCB56C533014ECBC556A8357C929D5 ] CmdIde C:\WINDOWS\system32\DRIVERS\cmdide.sys
19:53:41.0859 3692 CmdIde - ok
19:53:41.0875 3692 COMSysApp - ok
19:53:42.0437 3692 [ 3EE529119EED34CD212A215E8C40D4B6 ] Cpqarray C:\WINDOWS\system32\DRIVERS\cpqarray.sys
19:53:42.0609 3692 Cpqarray - ok
19:53:42.0718 3692 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
19:53:43.0062 3692 CryptSvc - ok
19:53:43.0250 3692 [ E550E7418984B65A78299D248F0A7F36 ] dac2w2k C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
19:53:43.0734 3692 dac2w2k - ok
19:53:43.0796 3692 [ 683789CAA3864EB46125AE86FF677D34 ] dac960nt C:\WINDOWS\system32\DRIVERS\dac960nt.sys
19:53:44.0125 3692 dac960nt - ok
19:53:44.0421 3692 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
19:53:44.0781 3692 DcomLaunch - ok
19:53:44.0937 3692 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
19:53:45.0218 3692 Dhcp - ok
19:53:45.0265 3692 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
19:53:45.0453 3692 Disk - ok
19:53:45.0468 3692 dmadmin - ok
19:53:46.0140 3692 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
19:53:47.0234 3692 dmboot - ok
19:53:47.0562 3692 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
19:53:48.0000 3692 dmio - ok
19:53:48.0109 3692 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
19:53:48.0375 3692 dmload - ok
19:53:48.0546 3692 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
19:53:49.0078 3692 dmserver - ok
19:53:49.0140 3692 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
19:53:49.0453 3692 DMusic - ok
19:53:49.0562 3692 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
19:53:50.0015 3692 Dnscache - ok
19:53:50.0375 3692 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
19:53:50.0875 3692 Dot3svc - ok
19:53:51.0015 3692 [ 40F3B93B4E5B0126F2F5C0A7A5E22660 ] dpti2o C:\WINDOWS\system32\DRIVERS\dpti2o.sys
19:53:51.0343 3692 dpti2o - ok
19:53:51.0375 3692 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
19:53:51.0625 3692 drmkaud - ok
19:53:51.0703 3692 [ 7D91DC6342248369F94D6EBA0CF42E99 ] E100B C:\WINDOWS\system32\DRIVERS\e100b325.sys
19:53:51.0968 3692 E100B - ok
19:53:52.0093 3692 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
19:53:52.0484 3692 EapHost - ok
19:53:52.0562 3692 [ 8C3F3914F1C1E3E3FFE77190A4C9D735 ] ENETHUSB C:\WINDOWS\system32\DRIVERS\enethusb.sys
19:53:52.0640 3692 ENETHUSB ( UnsignedFile.Multi.Generic ) - warning
19:53:52.0640 3692 ENETHUSB - detected UnsignedFile.Multi.Generic (1)
19:53:53.0328 3692 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
19:53:53.0515 3692 ERSvc - ok
19:53:53.0968 3692 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
19:53:54.0109 3692 Eventlog - ok
19:53:54.0437 3692 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
19:53:54.0593 3692 EventSystem - ok
19:53:55.0093 3692 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
19:53:55.0250 3692 Fastfat - ok
19:53:55.0328 3692 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
19:53:55.0484 3692 FastUserSwitchingCompatibility - ok
19:53:57.0015 3692 [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax C:\WINDOWS\system32\fxssvc.exe
19:53:57.0218 3692 Fax - ok
19:53:57.0250 3692 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
19:53:57.0437 3692 Fdc - ok
19:53:58.0734 3692 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
19:53:58.0890 3692 Fips - ok
19:53:58.0968 3692 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:53:59.0140 3692 Flpydisk - ok
19:53:59.0234 3692 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
19:53:59.0468 3692 FltMgr - ok
19:53:59.0734 3692 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:53:59.0781 3692 FontCache3.0.0.0 - ok
19:54:00.0265 3692 [ 81B4A2C6C9BD17FFB6031A0A61C09764 ] FreeAgentGoNext Service C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
19:54:00.0296 3692 FreeAgentGoNext Service - ok
19:54:00.0359 3692 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:54:00.0546 3692 Fs_Rec - ok
19:54:00.0703 3692 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:54:00.0921 3692 Ftdisk - ok
19:54:01.0218 3692 [ 78494AE0F93358179B97571B9E76997C ] getPlus® Helper C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
19:54:01.0265 3692 getPlus® Helper - ok
19:54:01.0421 3692 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:54:01.0593 3692 Gpc - ok
19:54:01.0812 3692 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
19:54:01.0843 3692 gupdate - ok
19:54:01.0937 3692 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
19:54:01.0953 3692 gupdatem - ok
19:54:02.0140 3692 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:54:02.0328 3692 helpsvc - ok
19:54:02.0421 3692 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
19:54:02.0609 3692 HidServ - ok
19:54:02.0625 3692 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:54:02.0796 3692 HidUsb - ok
19:54:02.0890 3692 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
19:54:03.0093 3692 hkmsvc - ok
19:54:03.0109 3692 [ B028377DEA0546A5FCFBA928A8AEFAE0 ] hpn C:\WINDOWS\system32\DRIVERS\hpn.sys
19:54:03.0281 3692 hpn - ok
19:54:03.0843 3692 [ 0A3C6AA4A9FC38C20BA4EAC2C3351C05 ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
19:54:03.0875 3692 hpqcxs08 ( UnsignedFile.Multi.Generic ) - warning
19:54:03.0875 3692 hpqcxs08 - detected UnsignedFile.Multi.Generic (1)
19:54:03.0953 3692 [ 7DA3211AC63EDD90B8ECA1CA1ABFD43B ] hpqddsvc C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
19:54:03.0968 3692 hpqddsvc ( UnsignedFile.Multi.Generic ) - warning
19:54:03.0968 3692 hpqddsvc - detected UnsignedFile.Multi.Generic (1)
19:54:04.0078 3692 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
19:54:04.0625 3692 HPZid412 - ok
19:54:04.0671 3692 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
19:54:04.0734 3692 HPZipr12 - ok
19:54:04.0765 3692 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
19:54:04.0828 3692 HPZius12 - ok
19:54:04.0890 3692 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
19:54:04.0968 3692 HTTP - ok
19:54:05.0015 3692 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
19:54:05.0203 3692 HTTPFilter - ok
19:54:05.0234 3692 [ 9368670BD426EBEA5E8B18A62416EC28 ] i2omgmt C:\WINDOWS\system32\drivers\i2omgmt.sys
19:54:05.0406 3692 i2omgmt - ok
19:54:05.0437 3692 [ F10863BF1CCC290BABD1A09188AE49E0 ] i2omp C:\WINDOWS\system32\DRIVERS\i2omp.sys
19:54:05.0609 3692 i2omp - ok
19:54:05.0640 3692 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:54:05.0796 3692 i8042prt - ok
19:54:06.0171 3692 [ 9A883C3C4D91292C0D09DE7C728E781C ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:54:06.0406 3692 ialm - ok
19:54:06.0734 3692 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:54:07.0312 3692 idsvc - ok
19:54:07.0375 3692 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
19:54:07.0546 3692 Imapi - ok
19:54:07.0593 3692 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
19:54:07.0796 3692 ImapiService - ok
19:54:07.0859 3692 [ 4A40E045FAEE58631FD8D91AFC620719 ] ini910u C:\WINDOWS\system32\DRIVERS\ini910u.sys
19:54:08.0031 3692 ini910u - ok
19:54:08.0125 3692 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
19:54:08.0281 3692 IntelIde - ok
19:54:08.0312 3692 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:54:08.0453 3692 intelppm - ok
19:54:08.0484 3692 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
19:54:08.0656 3692 Ip6Fw - ok
19:54:08.0718 3692 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:54:08.0890 3692 IpFilterDriver - ok
19:54:08.0937 3692 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:54:09.0078 3692 IpInIp - ok
19:54:09.0109 3692 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:54:09.0281 3692 IpNat - ok
19:54:09.0296 3692 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:54:09.0484 3692 IPSec - ok
19:54:09.0531 3692 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
19:54:09.0703 3692 IRENUM - ok
19:54:09.0750 3692 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:54:09.0921 3692 isapnp - ok
19:54:10.0046 3692 [ 5E06A9D23727DAF96FAA796F1135FDCD ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
19:54:10.0078 3692 JavaQuickStarterService - ok
19:54:10.0109 3692 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:54:10.0281 3692 Kbdclass - ok
19:54:10.0343 3692 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:54:10.0484 3692 kbdhid - ok
19:54:10.0546 3692 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
19:54:10.0718 3692 kmixer - ok
19:54:10.0765 3692 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
19:54:10.0984 3692 KSecDD - ok
19:54:11.0046 3692 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
19:54:11.0187 3692 lanmanserver - ok
19:54:11.0265 3692 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
19:54:11.0375 3692 lanmanworkstation - ok
19:54:11.0375 3692 lbrtfdc - ok
19:54:11.0453 3692 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
19:54:11.0609 3692 LmHosts - ok
19:54:11.0640 3692 MapsGalaxy_39Service - ok
19:54:11.0718 3692 [ 0DB7527DB188C7D967A37BB51BBF3963 ] MBAMSwissArmy C:\WINDOWS\system32\drivers\mbamswissarmy.sys
19:54:12.0078 3692 MBAMSwissArmy - ok
19:54:12.0125 3692 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
19:54:12.0296 3692 Messenger - ok
19:54:12.0343 3692 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
19:54:12.0515 3692 mnmdd - ok
19:54:12.0578 3692 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
19:54:12.0750 3692 mnmsrvc - ok
19:54:12.0812 3692 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
19:54:12.0984 3692 Modem - ok
19:54:13.0062 3692 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:54:13.0218 3692 Mouclass - ok
19:54:13.0281 3692 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:54:13.0453 3692 mouhid - ok
19:54:13.0484 3692 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
19:54:13.0640 3692 MountMgr - ok
19:54:13.0796 3692 [ 24406D75B40F0F6B3C1AC7031D734565 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
19:54:13.0890 3692 MpFilter - ok
19:54:13.0937 3692 [ 3F4BB95E5A44F3BE34824E8E7CAF0737 ] mraid35x C:\WINDOWS\system32\DRIVERS\mraid35x.sys
19:54:14.0109 3692 mraid35x - ok
19:54:14.0140 3692 [ A7566DA7AA8B74F1CEBC18AFD6B6CFA0 ] mrtRate C:\WINDOWS\system32\drivers\mrtRate.sys
19:54:14.0187 3692 mrtRate ( UnsignedFile.Multi.Generic ) - warning
19:54:14.0187 3692 mrtRate - detected UnsignedFile.Multi.Generic (1)
19:54:14.0234 3692 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:54:14.0421 3692 MRxDAV - ok
19:54:14.0578 3692 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:54:14.0750 3692 MRxSmb - ok
19:54:14.0812 3692 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
19:54:14.0984 3692 MSDTC - ok
19:54:15.0062 3692 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
19:54:15.0218 3692 Msfs - ok
19:54:15.0234 3692 MSIServer - ok
19:54:15.0281 3692 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:54:15.0437 3692 MSKSSRV - ok
19:54:15.0546 3692 [ 37F77AEBFF23A99D1BFB4F34CD2D07F2 ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe
19:54:15.0578 3692 MsMpSvc - ok
19:54:15.0593 3692 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:54:15.0765 3692 MSPCLOCK - ok
19:54:15.0812 3692 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
19:54:16.0046 3692 MSPQM - ok
19:54:16.0093 3692 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:54:16.0265 3692 mssmbios - ok
19:54:16.0296 3692 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
19:54:16.0390 3692 Mup - ok
19:54:16.0593 3692 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
19:54:16.0875 3692 napagent - ok
19:54:16.0906 3692 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
19:54:17.0109 3692 NDIS - ok
19:54:17.0140 3692 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:54:17.0265 3692 NdisTapi - ok
19:54:17.0312 3692 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:54:17.0468 3692 Ndisuio - ok
19:54:17.0515 3692 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:54:17.0671 3692 NdisWan - ok
19:54:17.0718 3692 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
19:54:17.0843 3692 NDProxy - ok
19:54:17.0890 3692 [ A081CB6FB9A12668F233EB5414BE3A0E ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
19:54:17.0890 3692 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
19:54:17.0890 3692 Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
19:54:17.0921 3692 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
19:54:18.0093 3692 NetBIOS - ok
19:54:18.0187 3692 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
19:54:18.0359 3692 NetBT - ok
19:54:18.0406 3692 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
19:54:18.0593 3692 NetDDE - ok
19:54:18.0609 3692 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
19:54:18.0750 3692 NetDDEdsdm - ok
19:54:18.0796 3692 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
19:54:18.0953 3692 Netlogon - ok
19:54:19.0015 3692 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
19:54:19.0187 3692 Netman - ok
19:54:19.0421 3692 [ 02D0798F376FCBD0210EDA58476D0B1B ] NetSvc C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
19:54:19.0468 3692 NetSvc ( UnsignedFile.Multi.Generic ) - warning
19:54:19.0468 3692 NetSvc - detected UnsignedFile.Multi.Generic (1)
19:54:19.0562 3692 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:54:19.0609 3692 NetTcpPortSharing - ok
19:54:19.0687 3692 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
19:54:19.0734 3692 Nla - ok
19:54:19.0781 3692 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
19:54:19.0937 3692 Npfs - ok
19:54:20.0046 3692 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
19:54:20.0375 3692 Ntfs - ok
19:54:20.0406 3692 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
19:54:20.0546 3692 NtLmSsp - ok
19:54:20.0687 3692 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
19:54:20.0984 3692 NtmsSvc - ok
19:54:21.0015 3692 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
19:54:21.0187 3692 Null - ok
19:54:21.0437 3692 [ 2B298519EDBFCF451D43E0F1E8F1006D ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:54:21.0812 3692 nv - ok
19:54:21.0890 3692 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:54:22.0171 3692 NwlnkFlt - ok
19:54:22.0203 3692 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:54:22.0453 3692 NwlnkFwd - ok
19:54:22.0484 3692 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
19:54:22.0640 3692 Parport - ok
19:54:22.0656 3692 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
19:54:23.0046 3692 PartMgr - ok
19:54:23.0062 3692 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
19:54:23.0500 3692 ParVdm - ok
19:54:23.0515 3692 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
19:54:23.0796 3692 PCI - ok
19:54:23.0812 3692 PCIDump - ok
19:54:23.0859 3692 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
19:54:24.0125 3692 PCIIde - ok
19:54:24.0187 3692 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
19:54:24.0390 3692 Pcmcia - ok
19:54:24.0390 3692 PDCOMP - ok
19:54:24.0406 3692 PDFRAME - ok
19:54:24.0421 3692 PDRELI - ok
19:54:24.0421 3692 PDRFRAME - ok
19:54:24.0468 3692 [ 6C14B9C19BA84F73D3A86DBA11133101 ] perc2 C:\WINDOWS\system32\DRIVERS\perc2.sys
19:54:24.0656 3692 perc2 - ok
19:54:24.0687 3692 [ F50F7C27F131AFE7BEBA13E14A3B9416 ] perc2hib C:\WINDOWS\system32\DRIVERS\perc2hib.sys
19:54:24.0875 3692 perc2hib - ok
19:54:24.0921 3692 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
19:54:24.0953 3692 PlugPlay - ok
19:54:24.0984 3692 [ 65BC271F337637731D3C71455AE1F476 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
19:54:25.0015 3692 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
19:54:25.0015 3692 Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
19:54:25.0046 3692 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
19:54:25.0187 3692 PolicyAgent - ok
19:54:25.0218 3692 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:54:25.0390 3692 PptpMiniport - ok
19:54:25.0406 3692 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
19:54:25.0531 3692 ProtectedStorage - ok
19:54:25.0562 3692 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
19:54:25.0718 3692 PSched - ok
19:54:25.0734 3692 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:54:25.0921 3692 Ptilink - ok
19:54:25.0984 3692 [ 0A63FB54039EB5662433CABA3B26DBA7 ] ql1080 C:\WINDOWS\system32\DRIVERS\ql1080.sys
19:54:26.0187 3692 ql1080 - ok
19:54:26.0218 3692 [ 6503449E1D43A0FF0201AD5CB1B8C706 ] Ql10wnt C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
19:54:26.0421 3692 Ql10wnt - ok
19:54:26.0468 3692 [ 156ED0EF20C15114CA097A34A30D8A01 ] ql12160 C:\WINDOWS\system32\DRIVERS\ql12160.sys
19:54:26.0812 3692 ql12160 - ok
19:54:26.0843 3692 [ 70F016BEBDE6D29E864C1230A07CC5E6 ] ql1240 C:\WINDOWS\system32\DRIVERS\ql1240.sys
19:54:27.0015 3692 ql1240 - ok
19:54:27.0046 3692 [ 907F0AEEA6BC451011611E732BD31FCF ] ql1280 C:\WINDOWS\system32\DRIVERS\ql1280.sys
19:54:27.0234 3692 ql1280 - ok
19:54:27.0312 3692 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:54:27.0468 3692 RasAcd - ok
19:54:27.0531 3692 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
19:54:27.0718 3692 RasAuto - ok
19:54:27.0734 3692 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:54:27.0890 3692 Rasl2tp - ok
19:54:48.0171 3692 ================ Scan global ===============================
19:54:48.0234 3692 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
19:54:48.0359 3692 [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
19:54:48.0484 3692 [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
19:54:48.0546 3692 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
19:54:48.0546 3692 [Global] - ok
19:54:48.0546 3692 ================ Scan MBR ==================================
19:54:48.0593 3692 [ B16A2359F4962B0C622D81A1C1F4B703 ] \Device\Harddisk0\DR0
19:54:53.0593 3692 \Device\Harddisk0\DR0 - ok
19:54:53.0609 3692 [ 24BEFCB10664FC4406BFE82D40B517A3 ] \Device\Harddisk1\DR4
19:54:53.0734 3692 \Device\Harddisk1\DR4 - ok
19:54:53.0750 3692 ================ Scan VBR ==================================
19:54:53.0765 3692 [ 665619F6F31D71F9140990BFD4A3C509 ] \Device\Harddisk0\DR0\Partition1
19:54:53.0796 3692 \Device\Harddisk0\DR0\Partition1 - ok
19:54:53.0796 3692 [ 8E44273A46D011E0567294802CD11B8A ] \Device\Harddisk1\DR4\Partition1
19:54:53.0796 3692 \Device\Harddisk1\DR4\Partition1 - ok
19:54:53.0812 3692 ============================================================
19:54:53.0812 3692 Scan finished
19:54:53.0812 3692 ============================================================
19:54:53.0968 3684 Detected object count: 7
19:54:53.0968 3684 Actual detected object count: 7
19:55:04.0406 3684 ENETHUSB ( UnsignedFile.Multi.Generic ) - skipped by user
19:55:04.0406 3684 ENETHUSB ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:55:04.0406 3684 hpqcxs08 ( UnsignedFile.Multi.Generic ) - skipped by user
19:55:04.0406 3684 hpqcxs08 ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:55:04.0406 3684 hpqddsvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:55:04.0406 3684 hpqddsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:55:04.0437 3684 mrtRate ( UnsignedFile.Multi.Generic ) - skipped by user
19:55:04.0437 3684 mrtRate ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:55:04.0437 3684 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
19:55:04.0437 3684 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:55:04.0468 3684 NetSvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:55:04.0468 3684 NetSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:55:04.0500 3684 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
19:55:04.0500 3684 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:55:12.0015 0312 Deinitialize success


-----------------------------------------------------------------


Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.09.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
douglas wenz :: DDNNH981 [administrator]

Protection: Enabled

10/9/2013 8:27:08 PM
mbam-log-2013-10-09 (20-27-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 264592
Time elapsed: 12 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0F -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


------------------------------------------------------------------------


# AdwCleaner v3.007 - Report created 09/10/2013 at 23:09:10
# Updated 09/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : douglas wenz - DDNNH981
# Running from : C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : MapsGalaxy_39Service

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\ParetoLogic
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\mapsgalaxy_39
Folder Deleted : C:\Documents and Settings\NetworkService\Local Settings\Application Data\iac
Folder Deleted : C:\Documents and Settings\douglas wenz\Local Settings\Application Data\iac
Folder Deleted : C:\Documents and Settings\douglas wenz\Application Data\DriverCure
Folder Deleted : C:\Documents and Settings\douglas wenz\Application Data\DSite
Folder Deleted : C:\Documents and Settings\douglas wenz\Application Data\mapsgalaxy_39
Folder Deleted : C:\Documents and Settings\douglas wenz\Application Data\ParetoLogic
Folder Deleted : C:\Documents and Settings\douglas wenz\Application Data\Viewpoint
File Deleted : C:\WINDOWS\system32\p5PSSavr.scr

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C39937A9-C59D-4506-A9FC-0A0138192287}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\MapsGalaxy_39
Key Deleted : HKCU\Software\MyWaySA
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\MapsGalaxy_39
Key Deleted : HKLM\Software\MyWaySA
Key Deleted : HKLM\Software\ParetoLogic
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E7559288-223B-453C-9F06-340E3BE21E39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MapsGalaxy_39bar Uninstall
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{E7559288-223B-453C-9F06-340E3BE21E39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MapsGalaxy_39bar Uninstall
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Google Chrome v

[ File : C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : icon_url

*************************

AdwCleaner[R0].txt - [5583 octets] - [09/10/2013 23:07:10]
AdwCleaner[S0].txt - [5412 octets] - [09/10/2013 23:09:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5472 octets] ##########


-------------------------------------------------------------------------


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.4 (10.06.2013:1)
OS: Microsoft Windows XP x86
Ran by douglas wenz on Wed 10/09/2013 at 23:13:13.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.dynamicbarbutton
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.dynamicbarbutton.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.feedmanager
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.feedmanager.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.htmlmenu
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.htmlmenu.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.htmlpanel
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.htmlpanel.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.multiplebutton
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.multiplebutton.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.pseudotransparentplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.pseudotransparentplugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.radio
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.radio.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.radiosettings
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.radiosettings.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.scriptbutton
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.scriptbutton.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.settingsplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.settingsplugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.skinlauncher
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.skinlauncher.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.skinlaunchersettings
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.skinlaunchersettings.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.thirdpartyinstaller
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.thirdpartyinstaller.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.urlalertbutton
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.urlalertbutton.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.xmlsessionplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.xmlsessionplugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1241CEBD-9777-4BC6-AAE5-2A77E25DB246}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{173A5778-34BF-48A2-8A5E-6963CE922FED}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1796EC91-D094-4A5F-B681-E16015D1CEAC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{37ED966D-4D0E-4D66-9633-BEA542C92860}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3ED5E5EC-0965-4DD3-B7D8-DBC48A1172B9}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4B7D0B0C-CFF3-49C5-9BC3-FFABC031C822}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4F28FA5F-7D15-4753-B4FC-D548A0F02BFB}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{5E1BDCF6-DD5F-4DD3-8783-B1454AEF1830}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{7D4DFAF7-F2CE-4C91-91A4-514C9612914D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{9B58A6CE-B337-43D5-9C2F-8C6D92FBA094}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A083C35D-61A9-4625-BBB6-FB54E71B8527}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A35FF019-6DBE-4044-B080-6F3FA78A947F}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{B70E008C-967B-4104-BC7B-6F7C77DBC38D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{C4A25B73-8EF5-4282-9D21-C8920DD577A1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{CAE88E60-CEA5-4FCB-B611-54EA6305D8AB}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DB1384D8-1BDA-4C8D-A743-E9CA671FEB00}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E045DF14-BF1D-405C-A37B-A75C1551AD17}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{F3477E9D-D2F6-49F0-9B23-854D7958D07E}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 10/09/2013 at 23:25:52.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


------------------------------------------------------------------------


Vino's Event Viewer v01c run on Windows XP in English
Report run at 09/10/2013 11:37:31 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


----------------------


Vino's Event Viewer v01c run on Windows XP in English
Report run at 09/10/2013 11:38:23 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 09/10/2013 11:31:47 PM
Type: warning Category: 1
Event: 32068 Source: Microsoft Fax
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly. Country/region code: '*' Area code: '*'

Log: 'Application' Date/Time: 09/10/2013 11:31:47 PM
Type: warning Category: 1
Event: 32026 Source: Microsoft Fax
Fax Service failed to initialize any assigned fax devices (virtual or TAPI). No faxes can be sent or received until a fax device is installed.


----------------------------------------------------------------------


OTL logfile created on: 10/9/2013 11:47:40 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.98 Mb Total Physical Memory | 572.74 Mb Available Physical Memory | 56.04% Memory free
1.91 Gb Paging File | 1.55 Gb Available in Paging File | 81.59% Paging File free
Paging file location(s): C:\pagefile.sys 1024 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.04 Gb Total Space | 14.82 Gb Free Space | 43.55% Space Free | Partition Type: NTFS
Drive E: | 793.75 Mb Total Space | 766.78 Mb Free Space | 96.60% Space Free | Partition Type: FAT

Computer Name: DDNNH981 | User Name: douglas wenz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/10/04 19:38:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools\OTL.exe
PRC - [2013/06/20 18:05:14 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2009/12/18 11:25:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2008/04/13 19:12:30 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/01 13:30:26 | 000,094,208 | ---- | M] () -- C:\Program Files\QUICKENW\qagent.exe
PRC - [2001/02/28 11:42:44 | 000,065,536 | ---- | M] (Marimba Inc.) -- C:\WINDOWS\system32\mrtMngr.exe


========== Modules (No Company Name) ==========

MOD - [2001/08/01 13:30:26 | 000,094,208 | ---- | M] () -- C:\Program Files\QUICKENW\qagent.exe


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/09/20 09:21:44 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/06/20 18:05:14 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2009/12/18 11:25:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2008/08/29 10:00:30 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wanatw4.sys -- (wanatw)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\DOUGLA~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\BootDefragDriver.sys -- (BootDefragDriver)
DRV - [2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/01/31 12:08:54 | 000,028,005 | R--- | M] (Efficient Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\enethusb.sys -- (ENETHUSB)
DRV - [2001/02/28 11:42:44 | 000,034,712 | ---- | M] (Marimba, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\MrtRate.sys -- (mrtRate)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/05/24 10:41:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/05/24 10:41:30 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - Extension: No name found = C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: No name found = C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: No name found = C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2013/10/09 19:43:49 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [QAGENT] C:\Program Files\QUICKENW\qagent.exe ()
O4 - Startup: C:\Documents and Settings\douglas wenz\Start Menu\Programs\Startup\RentRight Reminder System.lnk = C:\RentVer3\reminder.exe (RentRight)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 File not found
O15 - HKCU\..Trusted Domains: alltel.com ([care] http in Trusted sites)
O15 - HKCU\..Trusted Domains: alltel.com ([care] https in Trusted sites)
O15 - HKCU\..Trusted Domains: hrblock.com ([taxes] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} https://activation.a...aller_2-0-0.cab (Reg Error: Value error.)
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} https://care.alltel....aller_3-0-0.cab (McciUtilsSpecialFolder Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by109fd.bay10...es/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {528BF874-2681-4CE3-8C62-AA0D3BC0A719} https://care.alltel....aller_3-0-0.cab (McciSysSCM Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} https://care.alltel....aller_3-0-0.cab (McciSM Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BB3B91F7-1070-4BFD-AA42-6C523B9162B9} https://care.alltel....aller_3-0-0.cab (McciHTTPClient Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} https://care.alltel....aller_3-0-0.cab (SecurityManager Class)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.ado...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://tdameritrade...nbr/ieatgpc.cab (GpcContainer Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D5922D2B-C2AE-4214-B494-E1A6D222D00A}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\douglas wenz\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (BootDefrag.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: MaxMenuMgr - hkey= - key= - C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
MsConfig - StartUpReg: MSC - hkey= - key= - c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: 25169304.sys - Driver
SafeBootMin: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: MsMpSvc - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: 25169304.sys - Driver
SafeBootNet: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: MsMpSvc - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {8F736E10-8E5C-4399-A532-D0C00A406227} - Microsoft .NET Framework 1.1 Security Update (KB2698023)
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C0F0DCDC-99EA-4405-BDAE-CACABD3D2DF0} - Microsoft .NET Framework 1.1 Security Update (KB2833941)
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/10/09 23:13:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/10/09 23:07:04 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/10/09 19:59:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/10/09 19:59:46 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/10/09 19:59:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/10/09 19:50:38 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2013/10/09 19:18:31 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/10/09 18:54:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/10/04 19:02:39 | 000,101,664 | ---- | C] (Glarysoft Ltd) -- C:\WINDOWS\System32\BootDefrag.exe
[2013/10/04 19:02:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Application Data\GlarySoft
[2013/10/04 19:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Glary Utilities 3
[2013/10/04 19:02:12 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities 3
[2013/10/04 18:53:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/10/04 18:53:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/10/04 18:53:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/10/04 18:53:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/10/04 18:50:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/10/04 18:50:01 | 000,000,000 | R--D | C] -- C:\Documents and Settings\douglas wenz\Start Menu\Programs\Administrative Tools
[2013/10/04 18:49:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/10/04 18:32:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools
[2013/10/01 08:30:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2013/09/23 15:12:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2013/09/23 15:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Windows Live Writer
[2013/09/18 08:08:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Application Data\Apple Computer
[2013/09/18 07:29:18 | 000,023,360 | ---- | C] (IObit) -- C:\WINDOWS\System32\RegistryDefragBootTime.exe
[2013/09/18 07:06:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2013/09/18 07:04:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\douglas wenz\Application Data\IObit
[2013/09/18 06:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
[2013/09/18 06:59:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2013/09/18 06:58:54 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2013/09/17 16:37:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/09/17 06:30:22 | 000,000,000 | ---D | C] -- C:\found.001
[2013/09/13 13:37:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2013/09/13 13:37:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/10/09 23:41:38 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/10/09 23:31:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/10/09 23:31:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/10/09 23:31:29 | 1071,697,920 | -HS- | M] () -- C:\hiberfil.sys
[2013/10/09 20:40:02 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2013/10/09 19:43:49 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/10/09 19:18:41 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013/10/09 18:57:47 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2013/10/09 14:00:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2013/10/09 10:22:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2013/10/09 10:10:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/10/08 17:35:35 | 000,000,978 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2013/10/04 19:02:41 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\douglas wenz\Application Data\Microsoft\Internet Explorer\Quick Launch\Glary Utilities 3.lnk
[2013/10/04 19:02:41 | 000,000,755 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Glary Utilities 3.lnk
[2013/10/02 10:51:09 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/09/24 15:12:58 | 000,333,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/09/20 09:21:10 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/09/20 09:21:07 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/09/18 08:06:03 | 000,000,000 | ---- | M] () -- C:\asc_rdflag
[2013/09/18 08:05:02 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/09/13 03:32:30 | 000,101,664 | ---- | M] (Glarysoft Ltd) -- C:\WINDOWS\System32\BootDefrag.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/10/09 19:18:41 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013/10/09 19:18:34 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/10/04 19:02:41 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\douglas wenz\Application Data\Microsoft\Internet Explorer\Quick Launch\Glary Utilities 3.lnk
[2013/10/04 19:02:41 | 000,000,755 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Glary Utilities 3.lnk
[2013/10/04 19:02:33 | 000,000,811 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Glary Utilities 3.lnk
[2013/10/04 18:53:53 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/10/04 18:53:53 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/10/04 18:53:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/10/04 18:53:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/10/04 18:53:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/09/20 14:54:29 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\WBPU-TTL.DAT
[2013/09/20 14:54:26 | 000,000,088 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\WB.CFG
[2013/09/18 12:46:24 | 1071,697,920 | -HS- | C] () -- C:\hiberfil.sys
[2013/09/18 08:06:03 | 000,000,000 | ---- | C] () -- C:\asc_rdflag
[2013/09/18 08:03:32 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/09/13 10:45:42 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2013/07/29 14:53:04 | 000,000,106 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\WB.CFG
[2013/06/27 14:53:10 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\WBPU-TTL.DAT
[2013/06/26 14:53:06 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\douglas wenz\Application Data\WBPU-TTL.DAT
[2013/06/10 10:18:28 | 000,000,057 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Ament.ini
[2012/02/16 15:16:22 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2006/09/06 16:59:28 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\douglas wenz\Application Data\PFP120JPR.{PB
[2006/09/06 16:59:28 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\douglas wenz\Application Data\PFP120JCM.{PB

========== ZeroAccess Check ==========

[2004/08/10 13:09:48 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: SAMSUNG SP0401N
Partitions: 3
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE1 - Removable media other than\tfloppy
Interface type: USB
Media Type: Removable media other than\tfloppy
Model: Kingston DT 101 G2 USB Device
Partitions: 1
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 39.00MB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 34.00GB
Starting Offset: 41126400
Hidden sectors: 0


DeviceID: Disk #0, Partition #2
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 3.00GB
Starting Offset: 36586045440
Hidden sectors: 0


DeviceID: Disk #1, Partition #0
PartitionType: MS-DOS V4 Huge
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 794.00MB
Starting Offset: 32768
Hidden sectors: 0


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\assembly\GAC_32\*.ini >

< %systemroot%\assembly\GAC_64\*.ini >

< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*.exe >

< %APPDATA%\*. >
[2011/10/28 10:47:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Adobe
[2008/09/06 17:53:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\AdobeUM
[2013/09/18 08:08:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Apple Computer
[2009/03/23 17:16:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2006/09/06 16:59:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Corel
[2008/09/26 10:09:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
[2013/10/04 19:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\GlarySoft
[2006/12/14 18:34:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Google
[2005/08/25 02:37:41 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Gtek
[2006/01/04 09:27:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Help
[2010/05/24 10:43:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\HP
[2013/10/09 23:05:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\HPAppData
[2013/06/19 08:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\HpUpdate
[2004/08/10 13:08:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Identities
[2013/09/18 07:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\IObit
[2005/08/25 02:24:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Jasc Software Inc
[2012/12/26 11:50:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Landlord
[2010/11/02 14:16:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Leadertech
[2005/09/16 10:03:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Macromedia
[2011/03/08 14:19:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Malwarebytes
[2011/12/27 13:46:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\douglas wenz\Application Data\Microsoft
[2005/10/14 16:10:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Motive
[2011/03/11 18:22:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\OpenOffice.org
[2013/06/25 14:56:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\PDF Writer Packages
[2005/08/25 02:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Sun
[2010/02/19 12:16:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\Symantec
[2011/03/11 17:54:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\douglas wenz\Application Data\U3
[2013/09/24 15:50:14 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\douglas wenz\Application Data\yahoo!

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/06 16:41:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/06 16:41:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\erdnt\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: CSRSS.EXE >
[2008/04/13 19:12:15 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=44F275C64738EA2056E3D9580C23B60F -- C:\WINDOWS\ServicePackFiles\i386\csrss.exe
[2008/04/13 19:12:15 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=44F275C64738EA2056E3D9580C23B60F -- C:\WINDOWS\system32\csrss.exe
[2004/08/04 05:00:00 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=F12B178B1678D778CFD3FF1FC38C71FB -- C:\i386\csrss.exe
[2004/08/04 05:00:00 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=F12B178B1678D778CFD3FF1FC38C71FB -- C:\WINDOWS\$NtServicePackUninstall$\csrss.exe

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\erdnt\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: MSWSOCK.DLL >
[2008/06/20 12:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=097722F235A1FB698BF9234E01B52637 -- C:\WINDOWS\$NtServicePackUninstall$\mswsock.dll
[2008/06/20 12:36:11 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=1DFCA7713EA5A70D5D93B436AEA0317A -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[2004/08/04 05:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\i386\mswsock.dll
[2004/08/04 05:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtUninstallKB951748_0$\mswsock.dll
[2008/06/20 12:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[2008/06/20 12:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$NtUninstallKB2509553$\mswsock.dll
[2008/06/20 11:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\erdnt\cache\mswsock.dll
[2008/06/20 11:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 11:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\mswsock.dll
[2008/04/13 19:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
[2008/04/13 19:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\ServicePackFiles\i386\mswsock.dll
[2008/06/20 12:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\mswsock.dll
[2008/06/20 12:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll

< MD5 for: NWPROVAU.DLL >
[2008/04/13 19:12:02 | 000,142,336 | ---- | M] (Microsoft Corporation) MD5=06E587F41466569F32BEAAC7260E8AEC -- C:\WINDOWS\ServicePackFiles\i386\nwprovau.dll
[2008/04/13 19:12:02 | 000,142,336 | ---- | M] (Microsoft Corporation) MD5=06E587F41466569F32BEAAC7260E8AEC -- C:\WINDOWS\system32\nwprovau.dll
[2006/10/13 07:41:38 | 000,142,336 | ---- | M] (Microsoft Corporation) MD5=808CB47D7F6BE51B0354CD628CF45978 -- C:\WINDOWS\$hf_mig$\KB923980\SP2QFE\nwprovau.dll
[2006/10/13 07:35:12 | 000,142,336 | ---- | M] (Microsoft Corporation) MD5=AEEB687B865E1BAB04BB9C3604F92CEF -- C:\WINDOWS\$NtServicePackUninstall$\nwprovau.dll
[2004/08/04 05:00:00 | 000,144,384 | ---- | M] (Microsoft Corporation) MD5=F01D97A8E0380BA52F58249A7B3BD7F1 -- C:\i386\nwprovau.dll
[2004/08/04 05:00:00 | 000,144,384 | ---- | M] (Microsoft Corporation) MD5=F01D97A8E0380BA52F58249A7B3BD7F1 -- C:\WINDOWS\$NtUninstallKB923980$\nwprovau.dll

< MD5 for: PNRPNSP.DLL >
[2004/08/04 05:00:00 | 000,048,640 | ---- | M] (Microsoft Corporation) MD5=74D3620D2E63489975E3956A40DDD35F -- C:\i386\pnrpnsp.dll
[2004/08/04 05:00:00 | 000,048,640 | ---- | M] (Microsoft Corporation) MD5=74D3620D2E63489975E3956A40DDD35F -- C:\WINDOWS\$NtServicePackUninstall$\pnrpnsp.dll
[2008/04/13 19:12:02 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=AF1449AC1D79D37C7026C1D8912DDA8E -- C:\WINDOWS\ServicePackFiles\i386\pnrpnsp.dll
[2008/04/13 19:12:02 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=AF1449AC1D79D37C7026C1D8912DDA8E -- C:\WINDOWS\system32\pnrpnsp.dll

< MD5 for: SERVICES.EXE >
[2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/13 19:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2008/04/13 19:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\erdnt\cache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/04 05:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\i386\services.exe
[2004/08/04 05:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\erdnt\cache\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\i386\svchost.exe
[2004/08/04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
[2004/08/04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\erdnt\cache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\erdnt\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WINRNR.DLL >
[2004/08/04 05:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) MD5=2C8FDB176F22629EA5342DB474FAC391 -- C:\i386\winrnr.dll
[2004/08/04 05:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) MD5=2C8FDB176F22629EA5342DB474FAC391 -- C:\WINDOWS\$NtServicePackUninstall$\winrnr.dll
[2008/04/13 19:12:09 | 000,016,896 | ---- | M] (Microsoft Corporation) MD5=D72B9EC3337B247A666F098F3D6B43DE -- C:\WINDOWS\ServicePackFiles\i386\winrnr.dll
[2008/04/13 19:12:09 | 000,016,896 | ---- | M] (Microsoft Corporation) MD5=D72B9EC3337B247A666F098F3D6B43DE -- C:\WINDOWS\system32\winrnr.dll

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2013/08/08 05:32:54 | 000,174,592 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2013/08/08 05:32:54 | 000,174,592 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2013/08/08 05:32:54 | 000,174,592 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2013/08/08 05:32:54 | 000,174,592 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2013/08/08 05:32:54 | 000,174,592 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2013/08/08 05:32:54 | 000,174,592 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< End of report >


-----------------------------------------------------------------------


Process CPU Private Bytes Working Set PID Description Company Name Verified Signer
System Idle Process 95.31 0 K 16 K 0
procexp.exe 3.13 17,448 K 24,656 K 2616 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
Interrupts 1.56 0 K 0 K n/a Hardware Interrupts and DPCs
wmiprvse.exe 1,844 K 5,036 K 2836 WMI Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
winlogon.exe 6,300 K 3,880 K 712 Windows NT Logon Application Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
System 0 K 212 K 4
svchost.exe 2,568 K 4,456 K 652 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,932 K 4,592 K 1000 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 3,136 K 5,132 K 924 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 14,948 K 26,580 K 1132 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,436 K 3,728 K 1204 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,536 K 3,968 K 1304 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 2,656 K 4,656 K 1484 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 5,432 K 7,480 K 2032 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,724 K 5,536 K 944 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,120 K 3,084 K 384 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
svchost.exe 1,120 K 3,068 K 468 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
spoolsv.exe 4,580 K 7,208 K 1520 Spooler SubSystem App Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
smss.exe 168 K 416 K 616 Windows NT Session Manager Microsoft Corporation (Verified) Microsoft Windows Component Publisher
smax4pnp.exe 2,688 K 4,780 K 1936 SMax4PNP MFC Application Analog Devices, Inc. (No signature was present in the subject) Analog Devices, Inc.
services.exe 1,924 K 4,224 K 756 Services and Controller app Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
qagent.exe 1,764 K 4,888 K 2000 Agent Module (No signature was present in the subject)
ntvdm.exe 2,256 K 1,112 K 300 NTVDM.EXE Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
notepad.exe 1,156 K 3,600 K 3848 Notepad Microsoft Corporation (Verified) Microsoft Windows Component Publisher
MsMpEng.exe 53,016 K 31,204 K 1092 Antimalware Service Executable Microsoft Corporation (Verified) Microsoft Corporation
mrtMngr.exe 1,004 K 3,368 K 460 Rate Sensing Manager Marimba Inc. (No signature was present in the subject) Marimba Inc.
mbamservice.exe 129,196 K 126,048 K 1712 Malwarebytes Anti-Malware Malwarebytes Corporation (Verified) Malwarebytes Corporation
mbamscheduler.exe 3,332 K 5,804 K 1084 Malwarebytes Anti-Malware Malwarebytes Corporation (Verified) Malwarebytes Corporation
mbamgui.exe 3,656 K 6,712 K 2896 Malwarebytes Anti-Malware Malwarebytes Corporation (Verified) Malwarebytes Corporation
lsass.exe 3,896 K 1,280 K 768 LSA Shell (Export Version) Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
jusched.exe 904 K 3,000 K 2016 Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Sun Microsystems
jqs.exe 2,308 K 1,400 K 988 Java™ Quick Starter Service Sun Microsystems, Inc. (Verified) Sun Microsystems
issch.exe 448 K 1,440 K 1952 InstallShield Update Service Scheduler InstallShield Software Corporation (No signature was present in the subject) InstallShield Software Corporation
igfxpers.exe 788 K 3,036 K 1976 persistence Module Intel Corporation (No signature was present in the subject) Intel Corporation
hpwuschd2.exe 708 K 2,452 K 2008 hpwuSchd Application Hewlett-Packard (Verified) Hewlett-Packard Company
hkcmd.exe 812 K 3,044 K 1968 hkcmd Module Intel Corporation (No signature was present in the subject) Intel Corporation
GoogleUpdate.exe 3,672 K 1,812 K 956 Google Installer Google Inc. (Verified) Google Inc
FreeAgentService.exe 4,112 K 4,812 K 360 Sync Windows Services Seagate Technology LLC (Verified) Seagate Technology
explorer.exe 20,124 K 28,436 K 1848 Windows Explorer Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
ctfmon.exe 1,040 K 3,912 K 204 CTF Loader Microsoft Corporation (Verified) Microsoft Windows Component Publisher
csrss.exe 1,884 K 4,568 K 688 Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
alg.exe 1,256 K 3,720 K 2656 Application Layer Gateway Service Microsoft Corporation (No signature was present in the subject) Microsoft Corporation



------------------------------------------------------------------



Let me know if you need anything else. I should be able to respond promptly over the next few days.

Thanks for your help, Ron!!

#4
theskyishole (Topic Starter)

Actually, I apologize - I missed the extras.txt file. Here is the log:


OTL Extras logfile created on: 10/9/2013 11:47:40 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\douglas wenz\Desktop\Jared G Tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.98 Mb Total Physical Memory | 572.74 Mb Available Physical Memory | 56.04% Memory free
1.91 Gb Paging File | 1.55 Gb Available in Paging File | 81.59% Paging File free
Paging file location(s): C:\pagefile.sys 1024 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.04 Gb Total Space | 14.82 Gb Free Space | 43.55% Space Free | Partition Type: NTFS
Drive E: | 793.75 Mb Total Space | 766.78 Mb Free Space | 96.60% Space Free | Partition Type: FAT

Computer Name: DDNNH981 | User Name: douglas wenz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = ComFile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Officejet Pro 8600\Bin\FaxApplications.exe" = C:\Program Files\HP\HP Officejet Pro 8600\Bin\FaxApplications.exe:LocalSubNet:Enabled:HP Officejet Pro 8600 FaxApplications -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Officejet Pro 8600\Bin\DigitalWizards.exe" = C:\Program Files\HP\HP Officejet Pro 8600\Bin\DigitalWizards.exe:LocalSubNet:Enabled:HP Officejet Pro 8600 DigitalWizards -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Officejet Pro 8600\Bin\SendAFax.exe" = C:\Program Files\HP\HP Officejet Pro 8600\Bin\SendAFax.exe:LocalSubNet:Enabled:HP Officejet Pro 8600 SendFaxAppExe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Officejet Pro 8600\Bin\DeviceSetup.exe" = C:\Program Files\HP\HP Officejet Pro 8600\Bin\DeviceSetup.exe:LocalSubNet:Enabled:HP Device Setup (HP Officejet Pro 8600) -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe" = C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe:LocalSubNet:Enabled:HP Network Communicator (HP Officejet Pro 8600) -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicatorCom.exe" = C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicatorCom.exe:LocalSubNet:Enabled:HP Network Communicator COM (HP Officejet Pro 8600) -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 24
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{3477DA1A-4105-4305-A3D5-84D852334B96}" = Microsoft Equipt Additional Components
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{3DADB23F-94E6-4E4D-AFE8-15DE4395E8F3}" = Microsoft Security Client
"{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}" = Seagate Manager Installer
"{415FA9AD-DA10-4ABE-97B6-5051D4795C90}" = HP FWUpdateEDO2
"{46235FF7-2CBE-4A84-BEDA-87348D1F7850}" = HP Officejet Pro 8600 Help
"{49672EC2-171B-47B4-8CE7-50D7806360D7}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4D304678-738E-42a0-931A-2B022F49DEB8}" = TrayApp
"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{676981B7-A2D9-49D0-9F4C-03018F131DA9}" = DocProc
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}" = HP Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79ACC31A-87EA-472A-853E-5AC6A97CE569}" = HP Officejet Pro 8600 Product Improvement Study
"{800E784D-53E3-4948-B491-9E7FA5EACBDC}" = SmartWebPrinting
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8EAB4100-B343-41AE-A880-418746998209}" = HP Officejet Pro 8600 Basic Device Software
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9176251A-4CC1-4DDB-B343-B487195EB397}" = Windows Live Writer
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A80FA752-C491-4ED9-ABF0-4278563160B2}" = 32 Bit HP CIO Components Installer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.8)
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C29C1940-CB85-4F3B-906C-33FEE0E67103}" = DocMgr
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D3CE8F84-5A14-4DCD-8530-FDCFE3CAC8C9}" = Microsoft Equipt Prerequisite
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{EF9E56EE-0243-4BAD-88F4-5E7508AA7D96}" = Destination Component
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Glary Utilities 3" = Glary Utilities 3.9.2
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 12.0
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 12.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}" = Seagate Manager Installer
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Equipt" = Microsoft Equipt
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Adapters and Drivers
"Quicken 2002 New User Edition" = Quicken 2002 New User Edition
"QuickTime" = QuickTime
"RentRight Ver 3_is1" = RentRight Ver 3
"Savings Bond Wizard" = Savings Bond Wizard
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"DSite" = Update for PDF Writer
"PDF Writer Packages" = PDF Writer Packages

< End of report >
  • 0

#5
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software (XP) or Programs and Features (Vista/Win 7) and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 24
Java™ 6 Update 22
Java™ 6 Update 5
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_03

Java has been very vulnerable to infection so unless you absolutely need it you should not reinstall it.

If you feel you must have Java:
Get the latest Java at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Do not let it install the Yahoo toolbar or other foistware.
Once installed, go into Control Panel, Java, Security and set the slider to the Highest then OK.


Also uninstall:

getPlus® for Adobe



Adobe Reader X (10.1.8) needs to be updated to 11.something. Go to Adobe.com and download the latest reader. Before you hit the download button, wait about 5 seconds for the foistware (Ask toolbar, McAfee Security Scan or whatever) to appear and uncheck them before hitting the download button.


Adobe Acrobat 4.0 is terribly out of date. Do you use it? If not, uninstall it.


Copy the next line:

sc config fax start= Disabled

Start, All Programs, Accessories, Command Prompt. Right click and select Paste (or Edit then Paste) and the copied line should appear. Hit Enter. Close the command line.


How is it running now? Any problems?
  • 0
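The check RKinner does by eye above (spotting several stacked Java runtimes in the OTL uninstall list and keeping only the newest) can be scripted. This is an added example, not code from the thread or from OTL; the sample block is constructed in the same `"{GUID}" = Display Name` format as the log, the `J2SE Runtime Environment` pattern is assumed from the naming scheme RKinner lists, and the `(7, 0, 25)` floor is the "Java 7 update 25 or better" minimum he states later in the thread.

```python
import re

# Constructed sample in the OTL "Uninstall List" format shown in the log above
# (display names as in the thread, plus one non-Java entry as a control).
SAMPLE_UNINSTALL = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 24
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.8)
"""

# One uninstall entry per line: "key" = Display Name
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<name>.+?)\s*$')
# "Java(TM) 6 Update 24", "Java™ 7 Update 25", "Java 8 Update 101"
MODERN_RE = re.compile(r'^Java(?:\(TM\)|™)?\s+(\d+)\s+Update\s+(\d+)', re.I)
# Assumed J2SE naming, e.g. "J2SE Runtime Environment 5.0 Update 22"
J2SE_RE = re.compile(r'^J2SE Runtime Environment\s+(\d+)\.(\d+)\s+Update\s+(\d+)', re.I)
# "Java 2 Runtime Environment, SE v1.4.2_03" -> major 4, minor 2, update 3
LEGACY_RE = re.compile(r'^Java 2 Runtime Environment.*?v1\.(\d+)\.(\d+)_(\d+)', re.I)


def parse_entries(text):
    """Yield (registry_key, display_name) for every uninstall entry line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("key"), m.group("name")


def java_version(name):
    """Map a Java runtime display name to a comparable (major, minor, update)
    tuple; return None for anything that is not a runtime (e.g. Java Auto Updater)."""
    m = MODERN_RE.match(name)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    m = J2SE_RE.match(name)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    m = LEGACY_RE.match(name)
    if m:
        return tuple(int(x) for x in m.groups())
    return None


def find_java_runtimes(text):
    """Return [(display_name, version_tuple)] for every Java runtime listed."""
    found = []
    for _key, name in parse_entries(text):
        version = java_version(name)
        if version is not None:
            found.append((name, version))
    return found


def plan_java_cleanup(text, minimum=(7, 0, 25)):
    """Decide which Java entries to uninstall: everything but the newest one,
    and flag whether even the newest is below the recommended minimum."""
    runtimes = find_java_runtimes(text)
    if not runtimes:
        return {"newest": None, "remove": [], "below_minimum": False}
    newest_name, newest_ver = max(runtimes, key=lambda r: r[1])
    remove = [name for name, _ver in runtimes if name != newest_name]
    return {
        "newest": newest_name,
        "remove": remove,
        "below_minimum": newest_ver < minimum,
    }


if __name__ == "__main__":
    plan = plan_java_cleanup(SAMPLE_UNINSTALL)
    print("Newest runtime :", plan["newest"])
    print("Uninstall      :", ", ".join(plan["remove"]))
    print("Below minimum  :", plan["below_minimum"])
```

Paste a real OTL uninstall section in place of the sample text to run it against your own log; the Java Auto Updater entry is deliberately ignored because it is not a runtime.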

#6
theskyishole

theskyishole

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Ron,

Granted I've had limited experience using this machine - I think it's running much more smoothly. Operations are much more snappy and I'm no longer returning threats in their Security Essentials scan.
I followed your above recommendations and uninstalled all. I've also written those recommendations in a .txt and left it on the desktop.

I think you can close this one - let me know if you'd like to see anything further from the machine.

Thanks so much for your help!

Edited by theskyishole, 10 October 2013 - 09:46 AM.

  • 0

#7
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Got one more thing to do:


Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************


Driver::
BootDefragDriver
MapsGalaxy_39Service



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.

If that goes well then I think we can clean up:


We need to clean up System Restore.

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Special note on Java. Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
http://www.java.com/...lugin_cache.xml
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE. Get the latest version from Java.com. They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download. Just uncheck the garbage before the download (or install) starts. If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it. If that is the case then you should go in to Control Panel, Java, Security and set the slider to the highest level.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use Adobe Reader, Acrobat or Foxit to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK. Close program. It's the same for Foxit Reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.


XP does not automatically run defrag so it needs to be done manually every couple of months or it will slow down. http://support.microsoft.com/kb/314848


XP has been out a long time so most XP computers are starting to get clogged with dust. This makes them overheat which will also slow them down. To clean a desktop, shut it down but leave it plugged in. Remove the lid or open it up and use a vacuum cleaner hose and a small brush to clean the air vents in the front and back and the fins of the heatsink and of the fans - including the fan of the power supply. You may need to unscrew the four screws that hold the fan to the heatsink and lift the fan off to really clean the heatsink. Start it up while the lid is off and watch the fan (after screwing it back down again if you removed it). It should start up right away and be at full speed in no time (it may stop running shortly after starting - this is normal). A fan that is slow starting or which makes noise is worn out and needs to be replaced. Cleaning a laptop is unfortunately major surgery for most brands. Make sure the vents are clear and that it is run on a hard surface. Never on a bed or your lap as that blocks the air vents. Propping up the back with a book without blocking the air vents will make it run a bit cooler. If you think it might be running hot you can get speedfan

http://www.almico.com/sfdownload.php

Download, save and Install it then run it.

It will tell you your temps. If they seem hot (over 50) then check Automatic Fan Speed.
Leave it running and see if the temps drop. If temps are over 80, the CPU will slow down to protect itself. Disassembling a laptop to clean it isn't that hard. There are usually YouTube videos for most brands that show you how to do it if you search for them. Most times you just need some small screwdrivers and maybe a long-nose pliers. The hardest part is reassembling it and getting all of the screws in the right places so take notes or lots of pictures. If you take it apart then you should also pull the heatsink and clean it and replace the old thermal pads with Arctic Silver Thermal compound. Amazon has a kit of cleaner and compound http://www.amazon.co...n/dp/B001FVI91U which I have used.

Make sure you have Windows update working and preferably on Automatic download and install. Go to Internet Explorer, Tools, (or Safety), Windows Updates, Express and see if it has any updates for you.
  • 0

#8
theskyishole

theskyishole

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the Combofix log:

ComboFix 13-10-09.01 - douglas wenz 10/10/2013 12:03:29.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.654 [GMT -5:00]
Running from: c:\documents and settings\douglas wenz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\douglas wenz\Desktop\cfscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BOOTDEFRAGDRIVER
.
.
((((((((((((((((((((((((( Files Created from 2013-09-10 to 2013-10-10 )))))))))))))))))))))))))))))))
.
.
2013-10-10 17:13 . 2013-10-10 17:13 60872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3FD1DD1-87C9-4D50-8779-3B52E4E922E8}\offreg.dll
2013-10-10 16:36 . 2013-10-10 16:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\Foxit Software
2013-10-10 16:35 . 2013-06-10 02:59 216064 ----a-w- c:\windows\system32\gcapi_dll.dll
2013-10-10 16:35 . 2013-10-10 16:35 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\Foxit Software
2013-10-10 16:35 . 2013-10-10 16:35 -------- d-----w- c:\program files\Foxit Software
2013-10-10 16:12 . 2013-10-10 16:12 -------- d-----w- c:\program files\7-Zip
2013-10-10 07:55 . 2013-09-05 05:02 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3FD1DD1-87C9-4D50-8779-3B52E4E922E8}\mpengine.dll
2013-10-10 04:13 . 2013-10-10 04:13 -------- d-----w- c:\windows\ERUNT
2013-10-10 04:07 . 2013-10-10 04:09 -------- d-----w- C:\AdwCleaner
2013-10-10 01:09 . 2013-07-03 02:12 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2013-10-10 01:09 . 2013-07-17 00:58 123008 ------w- c:\windows\system32\dllcache\usbvideo.sys
2013-10-10 01:09 . 2013-07-17 00:58 60160 ------w- c:\windows\system32\dllcache\usbaudio.sys
2013-10-10 01:07 . 2013-08-09 00:55 144128 ------w- c:\windows\system32\dllcache\usbport.sys
2013-10-10 01:07 . 2013-08-09 00:55 32384 ------w- c:\windows\system32\dllcache\usbccgp.sys
2013-10-10 01:07 . 2013-08-09 00:55 5376 ------w- c:\windows\system32\dllcache\usbd.sys
2013-10-10 01:07 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2013-10-10 00:50 . 2013-10-10 00:50 -------- d-----w- C:\TDSSKiller_Quarantine
2013-10-09 23:54 . 2013-10-09 23:54 -------- d-----w- C:\_OTL
2013-10-05 00:02 . 2013-10-10 08:06 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\GlarySoft
2013-10-02 15:22 . 2013-09-05 05:02 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-23 20:12 . 2013-09-23 20:12 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2013-09-23 20:12 . 2013-10-02 20:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2013-09-23 20:12 . 2013-09-23 20:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Live Writer
2013-09-18 13:08 . 2013-09-18 13:08 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\Apple Computer
2013-09-18 12:29 . 2013-04-18 01:22 23360 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2013-09-18 12:04 . 2013-09-18 12:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2013-09-18 12:04 . 2013-09-18 12:04 -------- d-----w- c:\documents and settings\douglas wenz\Application Data\IObit
2013-09-18 11:59 . 2013-09-18 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-09-18 11:59 . 2013-09-18 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2013-09-18 11:58 . 2013-09-18 11:58 -------- d-----w- c:\program files\IObit
2013-09-17 21:37 . 2013-09-17 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-09-17 11:30 . 2013-09-17 11:30 -------- d-----w- C:\found.001
2013-09-16 21:52 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2013-09-16 21:51 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2013-09-16 21:51 . 2013-09-18 13:17 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-20 14:21 . 2012-07-13 13:19 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-20 14:21 . 2011-11-02 13:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-29 01:31 . 2004-08-10 17:51 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56 . 2004-08-10 17:51 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55 . 2004-08-04 04:08 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55 . 2005-10-22 14:39 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-08-09 00:55 . 2001-08-17 19:03 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30 . 2004-08-10 17:51 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-07-19 06:18 . 2013-07-19 06:18 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-07-17 00:58 . 2008-09-06 21:28 123008 ------w- c:\windows\system32\drivers\usbvideo.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QAGENT"="c:\program files\QUICKENW\QAGENT.EXE" [2001-08-01 94208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-25 98304]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-06-20 995176]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\douglas wenz\Start Menu\Programs\Startup\
RentRight Reminder System.lnk - c:\rentver3\reminder.exe [2009-1-15 113920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
.
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [1/4/2006 9:18 AM 34712]
S1 MpKsld7992d26;MpKsld7992d26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3FD1DD1-87C9-4D50-8779-3B52E4E922E8}\MpKsld7992d26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3FD1DD1-87C9-4D50-8779-3B52E4E922E8}\MpKsld7992d26.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-10 15:04 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-10 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-10-10 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-10-10 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-10-09 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17 09:15]
.
2013-10-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-06-20 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: alltel.com\care
Trusted Zone: hrblock.com\taxes
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
DPF: {528BF874-2681-4CE3-8C62-AA0D3BC0A719} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
DPF: {BB3B91F7-1070-4BFD-AA42-6C523B9162B9} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
SafeBoot-25169304.sys
AddRemove-DSite - c:\documents and settings\douglas wenz\Application Data\DSite\UpdateProc\UpdateTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-10 12:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,24,89,9e,2c,25,09,40,9e,e4,f6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,24,89,9e,2c,25,09,40,9e,e4,f6,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3520)
c:\program files\Windows Media Player\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Google\Update\GoogleUpdate.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\mrtMngr.EXE
.
**************************************************************************
.
Completion time: 2013-10-10 12:18:50 - machine was rebooted
ComboFix-quarantined-files.txt 2013-10-10 17:18
ComboFix2.txt 2013-10-10 00:46
.
Pre-Run: 17,552,281,600 bytes free
Post-Run: 17,463,742,464 bytes free
.
- - End Of File - - E9CF0CA68FDA74B7B76346ABBD3E57E9
B16A2359F4962B0C622D81A1C1F4B703


I won't proceed with any of the cleanup until I hear back.

Thanks!
  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Looks good. Go ahead and clean up.
  • 0

#10
theskyishole

theskyishole

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks so much for your help.

This has been a great experience and I really appreciate it.
  • 0
