Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

NT AUTHORITY\SYSTEM attempted to execute the new application

Started by drlnb , May 14 2014 12:28 AM

Please log in to reply

#1 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #1$
drlnb

Posted 14 May 2014 - 12:28 AM

Member

Member
26 posts

Hello,

I hope that someone can help me here. My problem started with me not being able to print to my wireless printer. Everytime we tried to print this message was generated:

The process 'C:\WINDOWS\system32\spoolsv.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data [binary-data]. The operation was denied. [123]

After this I noticed some other interesting messages being generated???

The current application 'C:\WINDOWS\system32\cmd.exe' (as user NT AUTHORITY\SYSTEM) attempted to execute the new application 'C:\WINDOWS\system32\ipconfig.exe'. The operation was denied. [2564]

and

The current application 'C:\WINDOWS\system32\cmd.exe' (as user NT AUTHORITY\SYSTEM) attempted to execute the new application 'C:\WINDOWS\system32\arp.exe'. The operation was denied. [2564]

I've run both Norton Anti Virus and SmartPCFixer with no luck. The PC is running Windows XP

Please help!

Thanks

p.s Here is what was generated today in the event log. I still can't print. Thanks for looking.

5/14/2014 1:39:12 PM: The current application 'C:\Program Files\VERIZONDM\bin\sprtcmd.exe' (as user xxxx\xxxx) attempted to execute the new application 'C:\Program Files\Common Files\SupportSoft\bin\bcont_nm.exe'. The operation was denied. [2580]

5/14/2014 1:40:48 PM: The current application 'C:\WINDOWS\system32\cmd.exe' (as user NT AUTHORITY\SYSTEM) attempted to execute the new application 'C:\WINDOWS\system32\ipconfig.exe'. The operation was denied. [2564]

5/14/2014 1:40:49 PM: The current application 'C:\WINDOWS\system32\cmd.exe' (as user NT AUTHORITY\SYSTEM) attempted to execute the new application 'C:\WINDOWS\system32\arp.exe'. The operation was denied. [2564]

5/14/2014 1:56:17 PM: The process 'C:\WINDOWS\explorer.exe' (as user xxxx\xxxx) attempted to initiate a connection as a client on TCP port 80 to 137.117.86.84 using interface Wifi\infra\enc:aes\WDK99. The operation was denied. [2681]

5/14/2014 2:06:43 PM: The process 'C:\WINDOWS\system32\spoolsv.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data [binary-data]. The operation was denied. [123]

Edited by drlnb, 14 May 2014 - 12:29 PM.

#2 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #2$
drlnb

Posted 14 May 2014 - 12:30 PM

Member

Topic Starter
Member
26 posts

Here is the OTL report

OTL logfile created on: 5/14/2014 1:50:54 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\wjabs\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 40.60% Memory free
4.76 Gb Paging File | 3.72 Gb Available in Paging File | 78.08% Paging File free
Paging file location(s): C:\pagefile.sys 3021 3021 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 51.93 Gb Free Space | 55.74% Space Free | Partition Type: NTFS

Computer Name: WJABS-WXP01 | User Name: wjabs | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/05/14 13:48:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\wjabs\Desktop\OTL.exe
PRC - [2014/05/12 15:55:33 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2014/03/12 03:47:21 | 000,262,968 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\21.2.0.38\nav.exe
PRC - [2013/10/05 23:27:28 | 000,129,424 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
PRC - [2012/07/18 14:14:29 | 000,159,608 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2012/06/02 06:35:02 | 000,185,640 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe
PRC - [2012/06/02 06:34:58 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe
PRC - [2012/06/02 06:34:46 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\sprtcmd.exe
PRC - [2011/12/12 11:03:40 | 000,290,832 | ---- | M] (Verizon) -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
PRC - [2009/04/29 20:07:00 | 000,144,888 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2009/04/29 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/04/29 20:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2009/04/29 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/04/29 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
PRC - [2009/04/08 10:11:34 | 002,057,576 | ---- | M] (CREDANT Technologies, Inc.) -- C:\WINDOWS\system32\CmgShieldSvc.exe
PRC - [2009/04/08 10:09:22 | 000,247,144 | ---- | M] (CREDANT Technologies, Inc.) -- C:\WINDOWS\system32\CmgShieldUI.exe
PRC - [2009/04/08 10:08:20 | 001,967,464 | ---- | M] (CREDANT Technologies, Inc.) -- C:\WINDOWS\system32\EMSServiceHelper.exe
PRC - [2009/04/08 10:08:12 | 000,709,992 | ---- | M] (CREDANT Technologies, Inc.) -- C:\WINDOWS\system32\EmsService.exe
PRC - [2009/02/02 16:27:42 | 000,774,144 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe
PRC - [2009/02/02 16:26:08 | 000,356,352 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\CSAgent\bin\dcgate.exe
PRC - [2009/02/02 16:24:18 | 000,643,072 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
PRC - [2009/02/02 16:22:52 | 000,344,064 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\CSAgent\bin\csacontrol.exe
PRC - [2009/01/22 23:20:56 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
PRC - [2009/01/22 23:20:50 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
PRC - [2009/01/22 23:20:44 | 000,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\Mctray.exe
PRC - [2009/01/22 23:20:40 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
PRC - [2008/10/13 18:48:52 | 001,282,048 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
PRC - [2008/10/13 18:47:13 | 000,163,840 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
PRC - [2008/02/25 21:23:34 | 000,443,968 | ---- | M] (Google Inc.) -- C:\Program Files\Picasa2\PicasaMediaDetector.exe
PRC - [2007/09/28 14:30:48 | 000,936,960 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Verizon\McciTrayApp.exe
PRC - [2007/08/11 01:30:40 | 000,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2007/04/10 09:10:20 | 001,489,688 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/04/10 09:10:16 | 000,183,064 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/04/10 09:10:06 | 000,121,624 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/04/09 23:03:00 | 000,058,416 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
PRC - [2007/03/09 10:49:42 | 000,066,176 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2007/03/08 09:16:48 | 000,073,776 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2007/01/02 11:47:46 | 000,913,408 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2006/09/06 12:39:10 | 000,091,688 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2006/08/17 14:07:12 | 000,249,856 | ---- | M] (Funk Software, Inc.) -- C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
PRC - [2006/08/17 14:06:36 | 001,052,735 | ---- | M] (Funk Software, Inc.) -- C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
PRC - [2006/06/30 01:57:50 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2005/09/06 22:40:02 | 000,679,424 | ---- | M] (CREDANT Technologies) -- C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
PRC - [2005/09/06 22:39:56 | 000,708,608 | ---- | M] (CREDANT Technologies) -- C:\Program Files\Credant\Gatekeeper\GKProbe.exe
PRC - [2005/06/06 23:46:24 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2004/08/03 19:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/03/05 04:45:34 | 000,192,573 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2002/03/19 21:30:00 | 000,045,632 | ---- | M] () -- C:\WINDOWS\system32\TaskSwitch.exe

========== Modules (No Company Name) ==========

MOD - [2014/05/12 15:55:30 | 003,839,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/10/11 22:56:46 | 000,087,952 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/10/11 22:56:22 | 001,242,512 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/04/29 20:07:00 | 000,148,816 | ---- | M] () -- C:\Program Files\McAfee\VirusScan Enterprise\vsevntui.dll
MOD - [2009/01/22 23:20:52 | 000,120,128 | ---- | M] () -- C:\Program Files\Network Associates\Common Framework\naXML2_71.dll
MOD - [2009/01/22 23:20:48 | 000,156,992 | ---- | M] () -- C:\Program Files\Network Associates\Common Framework\naisign2.dll
MOD - [2008/04/18 15:10:47 | 001,003,520 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\859612686049bd074cc606e87c8510a6\System.Configuration.ni.dll
MOD - [2008/04/18 15:09:09 | 005,623,808 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\97fb60a006014c35f1192d0fdc9fec66\System.Xml.ni.dll
MOD - [2008/04/18 15:08:16 | 008,130,560 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\3b67f8273313bddb6d11e03086b4fd05\System.ni.dll
MOD - [2008/04/18 15:08:02 | 011,304,960 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ef0f4b9e842bec0e27be037ee8142beb\mscorlib.ni.dll
MOD - [2008/04/18 15:07:20 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2008/04/18 15:07:15 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2008/03/26 17:58:52 | 000,917,504 | ---- | M] () -- C:\Program Files\Cisco Systems\CSAgent\bin\libeay32.dll
MOD - [2008/03/26 17:58:52 | 000,155,648 | ---- | M] () -- C:\Program Files\Cisco Systems\CSAgent\bin\ssleay32.dll
MOD - [2008/03/26 17:58:46 | 000,155,648 | ---- | M] () -- C:\Program Files\Cisco Systems\CSAgent\bin\libcurl.dll
MOD - [2007/09/05 21:18:00 | 000,073,728 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
MOD - [2007/09/05 21:18:00 | 000,040,960 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2007/06/01 14:44:36 | 000,118,784 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
MOD - [2007/05/17 20:53:00 | 001,474,560 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2007/05/17 20:53:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2007/01/25 11:25:52 | 000,069,720 | ---- | M] () -- C:\Program Files\Lenovo\HOTKEY\HKVOLKEY.dll
MOD - [2006/12/14 07:06:42 | 000,028,672 | ---- | M] () -- C:\Program Files\Lenovo\HOTKEY\tphklock.dll
MOD - [2006/11/10 09:26:02 | 000,030,256 | ---- | M] () -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.dll
MOD - [2006/06/30 01:57:50 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
MOD - [2002/03/19 21:30:00 | 000,045,632 | ---- | M] () -- C:\WINDOWS\system32\TaskSwitch.exe

========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2014/05/12 15:55:32 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014/03/12 03:47:21 | 000,262,968 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton AntiVirus\Engine\21.2.0.38\NAV.exe -- (NAV)
SRV - [2014/03/11 16:44:58 | 000,130,104 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Identity Safe\Engine\2014.7.0.43\NST.exe -- (NCO)
SRV - [2013/05/28 19:56:54 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/18 14:14:29 | 000,159,608 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2012/06/02 06:35:02 | 000,185,640 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe -- (tgsrvc_verizondm)
SRV - [2012/06/02 06:34:58 | 000,206,120 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe -- (sprtsvc_verizondm)
SRV - [2011/12/12 11:03:40 | 000,290,832 | ---- | M] (Verizon) [Auto | Running] -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe -- (IHA_MessageCenter)
SRV - [2010/02/19 14:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/04/29 20:07:00 | 000,144,888 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2009/04/29 20:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2009/04/29 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe -- (McAfeeEngineService)
SRV - [2009/04/08 10:11:34 | 002,057,576 | ---- | M] (CREDANT Technologies, Inc.) [Auto | Running] -- C:\WINDOWS\system32\CmgShieldSvc.exe -- (CMGShield)
SRV - [2009/04/08 10:08:12 | 000,709,992 | ---- | M] (CREDANT Technologies, Inc.) [Auto | Running] -- C:\WINDOWS\system32\EmsService.exe -- (EMS)
SRV - [2009/02/02 16:22:52 | 000,344,064 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\CSAgent\bin\csacontrol.exe -- (CSAgent)
SRV - [2009/01/22 23:20:40 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2008/10/13 18:48:52 | 001,282,048 | ---- | M] (Altiris, Inc.) [Auto | Running] -- C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe -- (AeXNSClient)
SRV - [2007/04/10 09:10:20 | 001,489,688 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS)
SRV - [2007/04/10 09:10:16 | 000,183,064 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\atchksrv.exe -- (atchksrv)
SRV - [2007/04/10 09:10:06 | 000,121,624 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS)
SRV - [2007/01/02 11:47:46 | 000,913,408 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/08/17 14:07:12 | 000,249,856 | ---- | M] (Funk Software, Inc.) [Auto | Running] -- C:\Program Files\Funk Software\Odyssey Client\odClientService.exe -- (odClientService)
SRV - [2006/06/30 01:57:50 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2005/09/06 22:40:02 | 000,679,424 | ---- | M] (CREDANT Technologies) [Auto | Running] -- C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe -- (guardian)
SRV - [2004/03/05 04:45:34 | 000,192,573 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\wjabs\LOCALS~1\Temp\mfe_rr.sys -- (MFE_RR)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Unavailable | Unknown] -- system32\DRIVERS\CdpPacket.sys -- (CdpPacket)
DRV - File not found [Kernel | System | Stopped] -- -- (CCDevice)
DRV - [2014/05/13 19:21:01 | 000,142,936 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2014/05/13 11:55:01 | 001,612,376 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Norton AntiVirus\NortonData\21.1.0.18\Definitions\VirusDefs\20140514.001\NAVEX15.SYS -- (NAVEX15)
DRV - [2014/05/13 11:55:01 | 000,376,920 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2014/05/13 11:55:01 | 000,108,120 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2014/05/13 11:55:01 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Norton AntiVirus\NortonData\21.1.0.18\Definitions\VirusDefs\20140514.001\NAVENG.SYS -- (NAVENG)
DRV - [2014/05/12 01:49:42 | 000,383,120 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Norton AntiVirus\NortonData\21.1.0.18\Definitions\IPSDefs\20140513.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2014/04/09 20:31:18 | 001,098,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Norton AntiVirus\NortonData\21.1.0.18\Definitions\BASHDefs\20140409.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2014/03/04 00:18:12 | 000,936,152 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1502000.026\symefa.sys -- (SymEFA)
DRV - [2014/02/17 21:32:41 | 000,423,256 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1502000.026\symtdi.sys -- (SYMTDI)
DRV - [2014/02/12 21:59:49 | 000,664,280 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1502000.026\srtsp.sys -- (SRTSP)
DRV - [2013/09/27 15:23:30 | 000,127,064 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NST\7DE07000.02B\ccsetx86.sys -- (ccSet_NST)
DRV - [2013/09/26 22:45:56 | 000,206,936 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1502000.026\ironx86.sys -- (SymIRON)
DRV - [2013/09/25 22:50:25 | 000,127,064 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1502000.026\ccsetx86.sys -- (ccSet_NAV)
DRV - [2013/09/09 22:47:26 | 000,367,704 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1502000.026\symds.sys -- (SymDS)
DRV - [2013/09/09 21:49:48 | 000,032,344 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1502000.026\srtspx.sys -- (SRTSPX)
DRV - [2012/07/18 14:14:29 | 000,475,704 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2012/07/18 14:14:29 | 000,087,656 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/12/03 05:05:34 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Lbd.sys -- (Lbd)
DRV - [2009/04/29 20:07:00 | 000,091,640 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/04/29 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/04/29 20:07:00 | 000,063,696 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/04/08 10:14:52 | 000,404,592 | ---- | M] (CREDANT Technologies, Inc.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\CMGShCEF.sys -- (CmgShieldCEF)
DRV - [2009/04/08 10:13:22 | 000,161,128 | ---- | M] (CREDANT Technologies, Inc.) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\CmgShieldNP.dll -- (CMGShieldNP)
DRV - [2009/02/02 16:28:16 | 000,307,200 | ---- | M] (Cisco Systems, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\csanet.sys -- (csanet)
DRV - [2009/02/02 16:27:56 | 000,455,296 | ---- | M] (Cisco Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\csatdi.sys -- (csatdi)
DRV - [2009/02/02 16:27:34 | 000,052,736 | ---- | M] (Cisco Systems, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\csareg.sys -- (csareg)
DRV - [2009/02/02 16:27:30 | 000,134,656 | ---- | M] (Cisco Systems, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\csafile.sys -- (csafile)
DRV - [2009/02/02 16:27:06 | 000,365,568 | ---- | M] (Cisco Systems, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\csacentr.sys -- (csacenter)
DRV - [2008/01/09 04:01:56 | 002,529,280 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32)
DRV - [2007/11/27 19:40:00 | 000,074,688 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/09/28 14:30:57 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5)
DRV - [2007/09/28 14:30:49 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2007/09/05 21:18:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2007/05/29 19:29:30 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/04/09 23:03:00 | 000,012,848 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2007/03/22 02:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/03/02 21:49:00 | 000,100,656 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsX86.sys -- (Shockprf)
DRV - [2007/03/02 21:47:00 | 000,019,760 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007/02/24 18:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/01/23 20:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/12/22 07:56:00 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/22 07:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/22 07:55:00 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/08/17 12:58:20 | 000,254,208 | ---- | M] (Funk Software, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\odFIPS.sys -- (odFips)
DRV - [2006/08/17 12:51:04 | 000,217,216 | ---- | M] (Funk Software, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\odysseyIM4.sys -- (odysseyIM4)
DRV - [2004/08/19 11:53:48 | 000,047,496 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\aac.sys -- (aac)
DRV - [2004/08/03 19:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/03 18:03:36 | 000,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2003/05/01 17:26:34 | 000,005,220 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2003/03/31 07:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/03/31 07:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2002/08/14 06:41:14 | 000,030,848 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (Symmpi)
DRV - [2001/08/17 08:19:34 | 000,040,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {CB59DDF8-2D50-4521-80A8-0398C2640266}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...soft:{language}
IE - HKCU\..\SearchScopes\{CB59DDF8-2D50-4521-80A8-0398C2640266}: "URL" = http://www.infospace...w={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = ""

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:29.0.1
FF - prefs.js..network.proxy.ftp: "\"\""
FF - prefs.js..network.proxy.gopher: "\"\""
FF - prefs.js..network.proxy.http: "\"\""
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "\"\""
FF - prefs.js..network.proxy.ssl: "\"\""
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpWinExt,version=5.0: C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\Firefox [2013/03/13 19:20:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2013/03/13 19:20:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_21.1.0.18\IPSFF [2014/05/13 19:22:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{F04D2D30-776C-4d02-8627-8E4385ECA58D}: C:\Documents and Settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn\ [2014/05/14 13:32:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 29.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2014/05/12 15:54:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 29.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2014/05/12 15:55:09 | 000,000,000 | ---D | M]

[2009/12/04 10:08:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\wjabs\Application Data\Mozilla\Extensions
[2014/03/22 10:35:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\wjabs\Application Data\Mozilla\Firefox\Profiles\tp6ueysr.default\extensions
[2014/05/13 22:54:59 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2014/05/12 15:54:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/05/12 15:55:37 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/29 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2009/11/06 11:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2009/11/06 11:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll

========== Chrome ==========

CHR - homepage: http://www.google.com
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\8.0.552.215\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\8.0.552.215\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\8.0.552.215\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2003/03/31 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No CLSID value found.
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\21.2.0.38\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (Norton Identity Protection) - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {EA5CA8B6-9B9C-4994-A7A1-947B6C631BE7} - No CLSID value found.
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Norton Identity Safe Toolbar) - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe (Altiris, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [CmgShieldUI] C:\WINDOWS\system32\CmgShieldUI.exe (CREDANT Technologies, Inc.)
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe ()
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [EmsService] C:\WINDOWS\System32\EMSServiceHelper.exe (CREDANT Technologies, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OdTray.exe] C:\Program Files\Funk Software\Odyssey Client\OdTray.exe (Funk Software, Inc.)
O4 - HKLM..\Run: [PtiuPbmd] C:\WINDOWS\System32\ptipbm.dll (Promise Technology,Inc.)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [VERIZONDM] C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe (CREDANT Technologies)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Manage Printers.lnk = C:\Program Files\Cisco Systems\CEPS\AddPrinter.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: UseDesktopIniCache = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteChangeNotify = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartRunNoHOMEPATH = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDetailsThumbnailOnNetwork = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKCU\..Trusted Domains: cisco.com ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: cisco.com ([]https in Local intranet)
O15 - HKCU\..Trusted Domains: cisco.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: cisco.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: cisco.com ([wwwin] http in Trusted sites)
O15 - HKCU\..Trusted Domains: cisco.com ([wwwin] https in Trusted sites)
O15 - HKCU\..Trusted Domains: cisco.com ([wwwin-asiapac] http in Trusted sites)
O15 - HKCU\..Trusted Domains: cisco.com ([wwwin-asiapac] https in Trusted sites)
O15 - HKCU\..Trusted Domains: cisco.com ([wwwin-emea] http in Trusted sites)
O15 - HKCU\..Trusted Domains: cisco.com ([wwwin-emea] https in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1232054686273 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1367514307265 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2D905D8D-A982-4E35-9663-BFA06479745E}: Domain = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{504C773F-8A41-4EDA-B24E-BFF18CC3D28E}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{504C773F-8A41-4EDA-B24E-BFF18CC3D28E}: Domain = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{675EB5FF-E334-4A52-BD2F-007D61CD851B}: Domain = cisco.com
O20 - AppInit_DLLs: (AMINIT.dll) - C:\WINDOWS\System32\AMInit.dll (Altiris, Inc.)
O20 - AppInit_DLLs: (csauser.dll) - C:\WINDOWS\System32\csauser.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\CMGShieldNP: DllName - (CmgShieldNP.dll) - C:\WINDOWS\System32\CmgShieldNP.dll (CREDANT Technologies, Inc.)
O20 - Winlogon\Notify\OdysseyClient: DllName - (odyEvent.dll) - C:\WINDOWS\System32\odyEvent.dll (Funk Software, Inc.)
O20 - Winlogon\Notify\tpfnf2: DllName - (C:\Program Files\Lenovo\HOTKEY\notifyf2.dll) - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - (C:\Program Files\Lenovo\HOTKEY\tphklock.dll) - C:\Program Files\Lenovo\HOTKEY\tphklock.dll ()
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{224214c4-21dd-11e2-a90c-00215c7f2ae3}\Shell\AutoRun\command - "" = E:\Setup_FlipShare.exe
O33 - MountPoints2\{224214c4-21dd-11e2-a90c-00215c7f2ae3}\Shell\Setup FlipShare\command - "" = E:\Setup_FlipShare.exe
O33 - MountPoints2\{b4706a10-fcf4-11dd-8273-001de06d6eab}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{b671866c-3687-11e3-97e7-00215c7f2ae3}\Shell - "" = AutoRun
O33 - MountPoints2\{b671866c-3687-11e3-97e7-00215c7f2ae3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b671866c-3687-11e3-97e7-00215c7f2ae3}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ActionSportDrives.html
O33 - MountPoints2\{b7d099f3-1ca1-11e2-ac0e-00215c7f2ae3}\Shell - "" = AutoRun
O33 - MountPoints2\{b7d099f3-1ca1-11e2-ac0e-00215c7f2ae3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7d099f3-1ca1-11e2-ac0e-00215c7f2ae3}\Shell\AutoRun\command - "" = F:\TLBootstrap_WPP.exe
O33 - MountPoints2\{c03e7d44-cd89-11e3-9a2b-00215c7f2ae3}\Shell - "" = AutoRun
O33 - MountPoints2\{c03e7d44-cd89-11e3-9a2b-00215c7f2ae3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c03e7d44-cd89-11e3-9a2b-00215c7f2ae3}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ActionSportDrives.html
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2014/05/14 13:53:25 | 000,127,064 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NST\7DE07000.02B\ccsetx86.sys
[2014/05/14 13:53:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NST\7DE07000.02B
[2014/05/14 13:48:39 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\wjabs\Desktop\OTL.exe
[2014/05/13 22:17:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wjabs\Local Settings\Application Data\NPE
[2014/05/13 21:54:42 | 000,384,728 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symtdiv.sys
[2014/05/13 21:54:40 | 000,423,256 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symtdi.sys
[2014/05/13 21:54:39 | 000,447,704 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symnets.sys
[2014/05/13 21:54:37 | 000,021,520 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symelam.sys
[2014/05/13 21:54:36 | 000,936,152 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symefa.sys
[2014/05/13 21:54:35 | 000,367,704 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symds.sys
[2014/05/13 21:54:34 | 000,032,344 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\srtspx.sys
[2014/05/13 21:54:32 | 000,664,280 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\srtsp.sys
[2014/05/13 21:54:31 | 000,206,936 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\ironx86.sys
[2014/05/13 21:54:30 | 000,127,064 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1502000.026\ccsetx86.sys
[2014/05/13 21:52:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1502000.026
[2014/05/13 20:50:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wjabs\Desktop\CLICKBANK SECURE ORDER FORM_files
[2014/05/13 20:18:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SmartPCFixer
[2014/05/13 20:18:33 | 000,000,000 | ---D | C] -- C:\Program Files\SmartPCFixer
[2014/05/13 19:21:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NCOTEMP
[2014/05/13 19:21:22 | 000,127,064 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NST\7DE06000.01B\ccSetx86.sys
[2014/05/13 19:21:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NST
[2014/05/13 19:21:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NST\7DE06000.01B
[2014/05/13 19:21:11 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Identity Safe
[2014/05/13 19:21:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Identity Safe
[2014/05/13 19:21:02 | 000,142,936 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2014/05/13 19:21:01 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2014/05/13 19:15:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2014/05/13 19:15:23 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2014/05/13 19:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton AntiVirus
[2014/05/13 19:15:08 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2014/05/12 15:54:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2014/04/29 21:21:32 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[6 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/05/14 14:00:03 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2014/05/14 13:48:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\wjabs\Desktop\OTL.exe
[2014/05/14 13:32:11 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2014/05/14 13:31:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/05/14 13:31:20 | 2112,139,264 | -HS- | M] () -- C:\hiberfil.sys
[2014/05/14 02:27:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2014/05/14 02:19:01 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2014/05/14 02:00:11 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-CISCO-wjabs.job
[2014/05/14 00:01:24 | 000,000,814 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Manage Printers.lnk
[2014/05/13 23:47:04 | 000,000,682 | ---- | M] () -- C:\WINDOWS\tasks\hpwebreg_CN0AS2M16M05J9.job
[2014/05/13 23:45:17 | 000,002,017 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Plus B210 series.lnk
[2014/05/13 23:45:17 | 000,000,960 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Shop for Supplies - HP Photosmart Plus B210 series.lnk
[2014/05/13 23:45:16 | 000,001,731 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP ePrintCenter - HP Photosmart Plus B210 series.lnk
[2014/05/13 23:45:16 | 000,000,955 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Plus B210 series Scan.lnk
[2014/05/13 22:40:02 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2014/05/13 22:22:19 | 000,001,885 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2014/05/13 22:20:37 | 000,560,682 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\Cat.DB
[2014/05/13 22:20:24 | 000,035,791 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\VT20140430.005
[2014/05/13 20:50:17 | 000,016,421 | ---- | M] () -- C:\Documents and Settings\wjabs\Desktop\CLICKBANK SECURE ORDER FORM.htm
[2014/05/13 20:40:01 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2014/05/13 20:18:58 | 000,000,748 | ---- | M] () -- C:\Documents and Settings\wjabs\Application Data\Microsoft\Internet Explorer\Quick Launch\SmartPCFixer.lnk
[2014/05/13 20:18:57 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SmartPCFixer.lnk
[2014/05/13 19:21:01 | 000,142,936 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2014/05/13 19:21:01 | 000,008,194 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2014/05/13 19:21:01 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2014/05/13 19:12:00 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2014/05/13 18:08:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/05/10 09:24:30 | 000,000,229 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\LionSea Software.url
[6 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/05/14 13:53:13 | 000,008,194 | ---- | C] () -- C:\WINDOWS\System32\drivers\NST\7DE07000.02B\ccsetx86.cat
[2014/05/14 13:53:13 | 000,000,829 | ---- | C] () -- C:\WINDOWS\System32\drivers\NST\7DE07000.02B\ccsetx86.inf
[2014/05/14 13:53:13 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NST\7DE07000.02B\isolate.ini
[2014/05/13 23:47:04 | 000,000,682 | ---- | C] () -- C:\WINDOWS\tasks\hpwebreg_CN0AS2M16M05J9.job
[2014/05/13 23:45:17 | 000,002,017 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Plus B210 series.lnk
[2014/05/13 23:45:17 | 000,000,960 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Shop for Supplies - HP Photosmart Plus B210 series.lnk
[2014/05/13 23:45:16 | 000,001,731 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP ePrintCenter - HP Photosmart Plus B210 series.lnk
[2014/05/13 23:45:16 | 000,000,955 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Plus B210 series Scan.lnk
[2014/05/13 22:20:24 | 000,560,682 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\Cat.DB
[2014/05/13 22:20:24 | 000,035,791 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\VT20140430.005
[2014/05/13 21:54:37 | 000,008,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symnet.cat
[2014/05/13 21:54:37 | 000,001,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symnet.inf
[2014/05/13 21:54:36 | 000,009,931 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symelam.cat
[2014/05/13 21:54:36 | 000,001,098 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symelam.inf
[2014/05/13 21:54:35 | 000,008,182 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symefa.cat
[2014/05/13 21:54:35 | 000,003,433 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symefa.inf
[2014/05/13 21:54:34 | 000,008,176 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symds.cat
[2014/05/13 21:54:34 | 000,002,852 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symds.inf
[2014/05/13 21:54:33 | 000,008,180 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\srtspx.cat
[2014/05/13 21:54:33 | 000,001,389 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\srtspx.inf
[2014/05/13 21:54:32 | 000,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\srtsp.inf
[2014/05/13 21:54:31 | 000,008,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\srtsp.cat
[2014/05/13 21:54:31 | 000,000,737 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\iron.inf
[2014/05/13 21:54:30 | 000,008,176 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\iron.cat
[2014/05/13 21:54:29 | 000,008,194 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\ccsetx86.cat
[2014/05/13 21:54:29 | 000,000,829 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\ccsetx86.inf
[2014/05/13 21:52:18 | 000,030,068 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\symvtcer.dat
[2014/05/13 21:52:17 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1502000.026\isolate.ini
[2014/05/13 20:50:15 | 000,016,421 | ---- | C] () -- C:\Documents and Settings\wjabs\Desktop\CLICKBANK SECURE ORDER FORM.htm
[2014/05/13 20:18:58 | 000,000,748 | ---- | C] () -- C:\Documents and Settings\wjabs\Application Data\Microsoft\Internet Explorer\Quick Launch\SmartPCFixer.lnk
[2014/05/13 20:18:57 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SmartPCFixer.lnk
[2014/05/13 20:18:55 | 000,000,229 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\LionSea Software.url
[2014/05/13 19:21:14 | 000,000,829 | R--- | C] () -- C:\WINDOWS\System32\drivers\NST\7DE06000.01B\ccSetx86.inf
[2014/05/13 19:21:12 | 000,008,194 | R--- | C] () -- C:\WINDOWS\System32\drivers\NST\7DE06000.01B\ccSetx86.cat
[2014/05/13 19:21:12 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NST\7DE06000.01B\isolate.ini
[2014/05/13 19:21:02 | 000,008,194 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2014/05/13 19:21:02 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2014/05/13 19:16:23 | 000,001,885 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2013/07/22 20:12:40 | 000,028,779 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe
[2013/07/22 20:12:40 | 000,024,681 | ---- | C] () -- C:\WINDOWS\System32\java.exe
[2011/12/21 13:16:12 | 000,103,720 | ---- | C] () -- C:\Documents and Settings\wjabs\GoToAssistDownloadHelper.exe
[2011/07/27 10:16:37 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\wjabs\Application Data\Adobe GIF Format CS5 Prefs
[2011/03/08 14:57:40 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\wjabs\Application Data\Adobe BMP Format CS5 Prefs
[2011/02/14 18:30:39 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\wjabs\Application Data\Adobe PNG Format CS5 Prefs
[2009/02/16 10:59:21 | 000,001,890 | ---- | C] () -- C:\Documents and Settings\wjabs\Application Data\MT.dat
[2008/05/22 12:58:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\wjabs\Application Data\dm.ini
[2008/05/17 14:44:14 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/04/21 10:13:05 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\wjabs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/16 12:47:56 | 000,002,412 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== ZeroAccess Check ==========

[2006/12/11 18:00:53 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"ThreadingModel" = Both
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/04/29 00:52:40 | 001,495,552 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 06:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2004/08/03 19:56:48 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/08/31 19:49:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2011/08/10 17:29:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco
[2014/04/28 05:47:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Credant
[2012/12/21 20:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2014/05/13 19:21:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCOTEMP
[2007/11/28 03:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates
[2011/03/16 18:13:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2012/06/22 13:05:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/03/01 17:29:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/09/25 19:31:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2008/11/11 12:23:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\acccore
[2011/03/13 14:32:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/01/02 19:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\Cisco
[2012/05/09 17:52:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\Dropbox
[2008/04/16 12:20:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\Funk Software
[2008/04/16 23:58:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\InterVideo
[2008/04/28 10:13:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\IronPort
[2008/05/16 11:15:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\Leadertech
[2013/07/22 20:14:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\Oracle
[2009/02/09 17:22:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\Productivity Tools
[2008/04/17 21:48:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\Sametime
[2011/03/16 18:38:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2011/03/07 13:24:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\TeamViewer
[2008/10/01 01:30:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\vol_toolbar
[2009/04/14 11:33:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wjabs\Application Data\WebEx

========== Purity Check ==========

< End of report >

#3 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #3$
drlnb

Posted 14 May 2014 - 12:32 PM

Member

Topic Starter
Member
26 posts

Here is the extras report:

OTL Extras logfile created on: 5/14/2014 1:50:54 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\wjabs\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 40.60% Memory free
4.76 Gb Paging File | 3.72 Gb Available in Paging File | 78.08% Paging File free
Paging file location(s): C:\pagefile.sys 3021 3021 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 51.93 Gb Free Space | 55.74% Space Free | Partition Type: NTFS

Computer Name: WJABS-WXP01 | User Name: wjabs | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{075473F5-846A-448B-BCB3-104AA1760205}" = RecordNow Data
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{15FEDA5F-141C-4127-8D7E-B962D1742728}" = Adobe Photoshop CS5
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = ThinkPad Keyboard Customizer Utility
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26552D94-F7E4-4AAE-8C35-0C3681B2A285}" = Odyssey Client
"{2851123E-5786-41BE-A3F1-A9B21E499EEB}" = Altiris Task Synchronization Agent
"{2A8E4833-F483-4074-B4DB-F295F7901A8D}" = MobileMe Control Panel
"{2C5927BD-3F65-4207-8FB5-8EDF638A3511}_is1" = SmartPCFixer 5.2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{4590D7AE-148D-41DC-9439-23B71611500A}" = CMG Windows Shield
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A702DA1-9E48-4346-8030-26B399CCFA8C}" = Altiris Application Metering Agent
"{4AC497A2-0765-4564-923F-ED8E30465922}" = Diskeeper 2007 Professional
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4E21223F-8D6C-446E-9CD3-587D206A8400}" = MetaFrame Presentation Server Client
"{4F7177E9-2B54-48B4-AAFD-03FA1F87A542}" = Bing Bar Platform
"{53C49C8D-DFB2-42B9-A7EF-0F9CA386CC13}" = IHA_MessageCenter
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}" = Apple Application Support
"{5E4B86E5-CD0E-4D3D-BE21-45A30326850A}" = Microsoft Search Enhancement Pack
"{5ECB4CCF-448D-4B52-B933-45961F4291A4}" = HP Photosmart Plus B210 series Product Improvement Study
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6675E71B-9843-4971-BC15-18AB52801134}" = Dragon NaturallySpeaking 7.0
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7F5FDEA1-D0AC-4D80-9D95-59775FCCFA40}" = HP Photosmart Plus B210 series Help
"{80F7955E-4651-4CB3-BCED-A27427DA0512}" = CREDANT Mobile Guardian Gatekeeper
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Office 2003 Compatibility Pack for 2007 File Formats
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95120000-0052-0409-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A3EABC0-CA06-11D4-BF77-00104B130C19}" = EPSON TWAIN 5
"{9B486871-27EB-49A5-8832-77176E63333C}" = iTunes
"{A0A1EB01-A6FD-423A-8480-364055A7C961}" = Altiris Software Delivery Solution Agent
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A7050037-F0EA-4BAB-BCD5-FC05507D6147}" = Alt-Tab Task Switcher Powertoy for Windows XP
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.06)
"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = RecordNow Copy
"{B68C99D8-B4B1-465A-9974-B3D20AD70352}" = Verizon Download Manager
"{B95B1BA9-F887-4B3C-8D3A-CCD4C4675120}" = Microsoft Default Manager
"{BD0FBA28-E22B-442C-A646-8F79D78CF515}" = EKPrint Studio (Sprint)
"{BD3373E7-3E77-4359-94C8-A1673B89C597}" = Altiris Local Security Agent
"{BE962181-E347-464E-AE70-276DD63A8293}" = HP Photosmart Plus B210 series Basic Device Software
"{BF755CD9-E185-498A-AAFB-E9F8470AB1CC}" = User Profile Hive Cleanup Service
"{C03073A3-FAD0-49A7-B426-41D1504EE3E1}" = Sametime MultiLanguage (English)
"{C2AAC8F2-F0CA-4582-9EB4-862638E03699}" = Adobe Shockwave 11
"{C2CDE75C-CA51-4335-9C13-84C00E6093A5}" = Windows Media Player Enterprise Deployment
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{C925823A-22A8-49DA-9B99-F5D5D105FBB4}" = NS Client script
"{C9618743-1A5C-461E-91C4-E013A3D70F3C}" = Adobe® Photoshop® Album Starter Edition 3.0.1
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Anniversary Edition
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DE12166F-4F65-4989-84A8-CA2728B12FC5}" = WinZip
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DE499746-67B9-11D4-97CE-0050DA10E5AE}" = Cisco Security Agent 6.0.0.220
"{E14ADE0E-75F3-4A46-87E5-26692DD626EC}" = Apple Mobile Device Support
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E40CE517-0D42-4198-96B4-C8232B257EB5}" = Data Lifeguard Diagnostic for Windows
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EA664480-3844-11D5-8C25-444553540000}" = TrackPoint Accessibility Features
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Access Data Sources across Domains" = Access Data Sources across Domains
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 12.0
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"Altiris PCTransplant" = Altiris_PCTransplant
"Applications_Win32_Cisco_OutlookFreeBusyServerConfiguration" = Applications_Win32_Cisco_OutlookFreeBusyServerConfiguration
"Applications_Win32_Cisco_OutlookJunkEmailFilterLists" = Applications_Win32_Cisco_OutlookJunkEmailFilterLists
"Applications_Win32_Cisco_VPNProfileUpdate" = Applications_Win32_Cisco_VPNProfileUpdate
"Carrera Track Planner_is1" = Carrera Track Planner
"cayahooantispy" = CA Yahoo! Anti-Spy (remove only)
"Cisco Systems VPN Johannesburg Profile" = Cisco Systems VPN Johannesburg Profile
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Diskeeper - Enable Logging" = Diskeeper - Enable Logging
"Diskeeper - Gather Event Log Info" = Diskeeper - Gather Event Log Info
"HP Photo Creations" = HP Photo Creations
"IE 7 Blocker" = IE 7 Blocker
"IE_Favorites_Updater" = IE_Favorites_Updater
"IEzones" = IEzones
"Intel® PRO Network Connections Drivers - Custom Settings" = Intel® PRO Network Connections Drivers - Custom Settings
"ISScript11" = ISScript11
"Junk Email Filter security setting fix" = Junk Email Filter security setting fix
"Kerberos" = Kerberos
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"MESOL" = Intel® Active Management Technology Device Software
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox 29.0.1 (x86 en-US)" = Mozilla Firefox 29.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NAV" = Norton AntiVirus
"NST" = Norton Identity Safe
"NVIDIA Drivers" = NVIDIA Drivers
"OnScreenDisplay" = On Screen Display
"OS_Win32_WindowsXP_Drivers_Lenovo_ThinkPad_T61" = OS_Win32_WindowsXP_Drivers_Lenovo_ThinkPad_T61
"OS_Win32_WindowsXP_Updates_PerformanceStability" = OS_Win32_WindowsXP_Updates_PerformanceStability
"Picasa2" = Picasa 2
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel® PROSet/Wireless Software
"PROSet" = Intel® PRO Network Connections Drivers
"SharePoint Outlook Integration" = SharePoint Outlook Integration
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ThinkVantage Active Protection System - High Sensitivity Level" = ThinkVantage Active Protection System - High Sensitivity Level
"Verizon Online Help and Support" = Verizon Online Help and Support
"vol_toolbar" = Verizon Broadband Toolbar
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/14/2014 2:06:43 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = The process 'C:\WINDOWS\system32\spoolsv.exe' (as user NT AUTHORITY\SYSTEM)
attempted to receive the data [binary-data]. The operation was denied.

Error - 5/14/2014 2:12:21 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 74.125.226.172/443->192.168.1.4/2538,
flags 0x04. The operation was denied.

Error - 5/14/2014 2:14:22 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 173.194.43.26/443->192.168.1.4/2625,
flags 0x04. The operation was denied.

Error - 5/14/2014 2:15:35 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 74.125.226.44/443->192.168.1.4/2695,
flags 0x04. The operation was denied.

Error - 5/14/2014 2:15:36 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 63.117.68.21/443->192.168.1.4/2696,
flags 0x04. The operation was denied.

Error - 5/14/2014 2:15:36 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 74.125.29.84/443->192.168.1.4/2690,
flags 0x04. The operation was denied.

Error - 5/14/2014 2:17:21 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 173.194.43.25/443->192.168.1.4/2836,
flags 0x04. The operation was denied.

Error - 5/14/2014 2:18:20 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 173.194.43.60/443->192.168.1.4/2671,
flags 0x04. The operation was denied.

Error - 5/14/2014 2:18:22 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 74.125.29.95/443->192.168.1.4/2876,
flags 0x04. The operation was denied.

Error - 5/14/2014 2:19:52 PM | Computer Name = WJABS-WXP01 | Source = CSAgent | ID = 256
Description = A packet with a bad transport layer header was detected. Reason: Illegal
TCP reserved flags set using interface Wifi\infra\enc:aes\WDK99. TCP: 74.125.226.219/443->192.168.1.4/2475,
flags 0x04. The operation was denied.

[ System Events ]
Error - 5/14/2014 12:16:13 AM | Computer Name = WJABS-WXP01 | Source = Print | ID = 6161
Description = The document Microsoft PowerPoint - Presentation1 owned by wjabs failed
to print on printer HP Photosmart Plus B210 series (Network). Data type: NT EMF
1.008. Size of the spool file in bytes: 1580. Number of bytes printed: 72. Total
number of pages in the document: 1. Number of pages printed: 0. Client machine:
\\WJABS-WXP01. Win32 error code returned by the print processor: 0 (0x0).

Error - 5/14/2014 12:23:50 AM | Computer Name = WJABS-WXP01 | Source = Print | ID = 6161
Description = The document Untitled - Notepad owned by wjabs failed to print on
printer HP Photosmart Plus B210 series (Network). Data type: NT EMF 1.008. Size
of the spool file in bytes: 932. Number of bytes printed: 72. Total number of pages
in the document: 1. Number of pages printed: 0. Client machine: \\WJABS-WXP01.
Win32 error code returned by the print processor: 0 (0x0).

Error - 5/14/2014 12:26:28 AM | Computer Name = WJABS-WXP01 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible.   No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 5/14/2014 12:56:28 AM | Computer Name = WJABS-WXP01 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible.   No attempt
to contact a source will be made for 60 minutes. NtpClient has no source of accurate
time.

Error - 5/14/2014 1:56:28 AM | Computer Name = WJABS-WXP01 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible.   No attempt
to contact a source will be made for 120 minutes. NtpClient has no source of accurate
time.

Error - 5/14/2014 1:31:48 PM | Computer Name = WJABS-WXP01 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain CISCO due to the following:
   %%1311.    Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 5/14/2014 1:32:38 PM | Computer Name = WJABS-WXP01 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible.   No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 5/14/2014 1:32:38 PM | Computer Name = WJABS-WXP01 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible.   No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 5/14/2014 1:47:40 PM | Computer Name = WJABS-WXP01 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible.   No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 5/14/2014 2:06:43 PM | Computer Name = WJABS-WXP01 | Source = Print | ID = 6161
Description = The document Microsoft Word - Document1 owned by wjabs failed to print
on printer HP Photosmart Plus B210 series (Network). Data type: NT EMF 1.008. Size
of the spool file in bytes: 3848. Number of bytes printed: 2584. Total number of
pages in the document: 1. Number of pages printed: 0. Client machine: \\WJABS-WXP01.
Win32 error code returned by the print processor: 0 (0x0).

< End of report >

#4 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #4$
Render

Posted 25 May 2014 - 12:03 PM

Trusted Helper

Malware Removal
4,195 posts

Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:

Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
Please reply within 3 days to be fair to other people asking for help.
Please tell me if you have your original Windows CD/DVD available
When in doubt, please stop and ask first. There's no harm in asking questions!

I'm sorry for the delay.

Please uninstall one of the following anti-virus programs: McAfee VirusScan Enterprise, Norton AntiVirus

Then proceed with this:

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Notes:

Do not mouse-click Combofix's window while it is running. That may cause it to stall.
ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If you are using personal certificates I recommend you to export them before running ComboFix and save them to external media.

Please carefully follow all steps below:

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.

#5 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #5$
drlnb

Posted 27 May 2014 - 12:56 PM

Member

Topic Starter
Member
26 posts

Hi,

Thanks for helping out! The log from Combofix

ComboFix 14-05-27.02 - wjabs 05/27/2014 14:25:20.1.2 - x86
Running from: c:\documents and settings\wjabs\Desktop\ComboFix.exe
* Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\wjabs\GoToAssistDownloadHelper.exe
c:\windows\system32\bin
c:\windows\system32\bin\MSVCRT.DLL
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
c:\windows\system32\hnetcfg.dll . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-27 to 2014-05-27 )))))))))))))))))))))))))))))))
.
.
2014-05-14 02:17 . 2014-05-14 02:52   --------   d-----w-   c:\documents and settings\wjabs\Local Settings\Application Data\NPE
2014-05-14 00:18 . 2014-05-14 00:18   --------   d-----w-   c:\program files\SmartPCFixer
2014-05-13 23:21 . 2014-05-15 21:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCOTEMP
2014-05-08 13:48 . 2014-05-08 13:48   227704   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2014-04-30 01:21 . 2014-04-30 01:21   --------   d-----w-   C:\spoolerlogs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-21 00:15 . 2012-08-02 21:29   12872   ----a-w-   c:\windows\system32\bootdelete.exe
2012-09-26 19:39 . 2012-09-26 19:38   4096000   ----a-w-   c:\program files\GUTB2.tmp
2012-09-25 04:38 . 2012-09-25 04:38   4096000   ----a-w-   c:\program files\GUTD0.tmp
2012-09-10 02:38 . 2012-09-10 02:38   3993600   ----a-w-   c:\program files\GUT14C0.tmp
2009-04-30 00:07 . 2014-05-12 19:54   23864   ----a-w-   c:\program files\mozilla firefox\components\Scriptff.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2004-08-03 . 200DE07E94D373D537A3C1DFFBD1F317 . 344064 . . [5.1.2600.2180] . . c:\windows\system32\hnetcfg.dll
[7] 2004-08-03 . 765B30C776A1780B46B479FE614F707C . 344064 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\hnetcfg.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"PtiuPbmd"="ptipbm.dll" [2003-09-16 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8495104]
"nwiz"="nwiz.exe" [2007-05-18 1626112]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-03-30 181808]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-06 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-06 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-10 868352]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2009-01-23 136512]
"AeXAgentLogon"="c:\progra~1\Altiris\ALTIRI~1\AeXAgentActivate.exe" [2008-10-30 153416]
"OdTray.exe"="c:\program files\Funk Software\Odyssey Client\OdTray.exe" [2006-08-17 1052735]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2007-01-02 167936]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"EmsService"="EmsServiceHelper.exe" [2009-04-08 1967464]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2012-06-02 206120]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-08-16 152392]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Security Agent.lnk - c:\program files\Cisco Systems\CSAgent\bin\okclient.exe [2007-11-28 643072]
GKProbe.lnk - c:\program files\Credant\Gatekeeper\GKProbe.exe [2005-9-6 708608]
Manage Printers.lnk - c:\program files\Cisco Systems\CEPS\AddPrinter.exe -sanity [2006-12-11 139264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1
"NoSMConfigurePrograms"= 1 (0x1)
"UseDesktopIniCache"= 1 (0x1)
"NoRemoteChangeNotify"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDetailsThumbnailOnNetwork"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 14:13   161128   ----a-w-   c:\windows\system32\CmgShieldNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-04-16 15:09   106496   ----a-w-   c:\windows\system32\odyEvent.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37   34344   -c--a-w-   c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 11:06   28672   ----a-w-   c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 aac;Adaptec RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [12/11/2006 4:18 PM 47496]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [5/29/2007 1:53 PM 404592]
R0 csacenter;Cisco Security Agent Rule Engine;c:\windows\system32\drivers\csacentr.sys [11/28/2007 3:19 AM 365568]
R0 csafile;Cisco Security Agent File Access Controller;c:\windows\system32\drivers\csafile.sys [11/28/2007 3:19 AM 134656]
R0 csanet;Cisco Security Agent Packet Verifier;c:\windows\system32\drivers\csanet.sys [11/28/2007 3:19 AM 307200]
R0 csareg;Cisco Security Agent Registry Access Controller;c:\windows\system32\drivers\csareg.sys [11/28/2007 3:19 AM 52736]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2009 1:58 PM 64288]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [8/17/2006 12:58 PM 254208]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 9:47 PM 19760]
R1 csatdi;Cisco Security Agent Network Access Controller;c:\windows\system32\drivers\csatdi.sys [11/28/2007 3:19 AM 455296]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [5/29/2007 1:58 PM 2057576]
R2 CSAgent;Cisco Security Agent;c:\program files\Cisco Systems\CSAgent\bin\csacontrol.exe [11/28/2007 3:19 AM 344064]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 10:08 AM 709992]
R2 guardian;CREDANT Mobile Guardian Gatekeeper;c:\program files\Credant\Gatekeeper\Gatekeeper.exe [9/6/2005 10:40 PM 679424]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 290832]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [4/29/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/23/2010 4:51 PM 159608]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [6/2/2012 6:34 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [6/2/2012 6:35 AM 185640]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [11/28/2007 2:47 AM 1489688]
S1 CCDevice;CCDevice; [x]
S3 CMGShieldNP;CMGShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 10:13 AM 161128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\wjabs\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\wjabs\LOCALS~1\Temp\mfe_rr.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/23/2010 4:51 PM 87656]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2004-08-03 23:56   99840   ----a-w-   c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-22 23:56]
.
2014-05-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-CISCO-wjabs.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-14 08:44]
.
2014-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2014-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 16:06]
.
2014-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 16:06]
.
2013-04-03 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-11-28 01:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = ""
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: cisco.com\www
Trusted Zone: cisco.com\wwwin
Trusted Zone: cisco.com\wwwin-asiapac
Trusted Zone: cisco.com\wwwin-emea
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\wjabs\Application Data\Mozilla\Firefox\Profiles\tp6ueysr.default\
FF - prefs.js: browser.search.selectedEngine - Bing
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-27 14:41
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1452)
c:\windows\system32\odyEvent.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\CmgShieldNP.dll
.
- - - - - - - > 'explorer.exe'(4244)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
c:\windows\system32\Sensor.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\progra~1\MICROS~1\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Cisco Systems\CSAgent\bin\leventmgr.exe
c:\program files\Cisco Systems\CSAgent\bin\dcgate.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Funk Software\Odyssey Client\odClientService.exe
c:\progra~1\Altiris\ALTIRI~1\AeXNSAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\progra~1\Altiris\ALTIRI~1\AeXAgentUIHost.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\EmsServiceHelper.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2014-05-27 14:48:21 - machine was rebooted
ComboFix-quarantined-files.txt 2014-05-27 18:48
.
Pre-Run: 57,241,423,872 bytes free
Post-Run: 58,947,739,648 bytes free
.
- - End Of File - - F415BFF51B6FDDE78CBCED2D262F4E27
8F558EB6672622401DA993E1E865C861

#6 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #6$
drlnb

Posted 27 May 2014 - 01:38 PM

Member

Topic Starter
Member
26 posts

Hi,

After running Combofix I was able to print! My Security Agent is still picking up ARP and IPCONFIG requests.... which I do not think is normal?

5/27/2014 3:28:10 PM: The current application 'C:\WINDOWS\system32\cmd.exe' (as user NT AUTHORITY\SYSTEM) attempted to execute the new application 'C:\WINDOWS\system32\ipconfig.exe'. The operation was denied. [2564]

5/27/2014 3:28:10 PM: The current application 'C:\WINDOWS\system32\cmd.exe' (as user NT AUTHORITY\SYSTEM) attempted to execute the new application 'C:\WINDOWS\system32\arp.exe'. The operation was denied. [2564]

Thanks again!

#7 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #7$
Render

Posted 28 May 2014 - 05:26 AM

Trusted Helper

Malware Removal
4,195 posts

Hi,

Please proceed with this:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\system32\dllcache\hnetcfg.dll | c:\windows\system32\hnetcfg.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#8 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #8$
drlnb

Posted 28 May 2014 - 10:10 AM

Member

Topic Starter
Member
26 posts

Hi,

Here's the new log

ComboFix 14-05-27.02 - wjabs 05/28/2014 11:36:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2014.1303 [GMT -4:00]
Running from: c:\documents and settings\wjabs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\wjabs\Desktop\CFScript.txt
AV: Cisco Security Agent *Disabled/Updated* {AA4D2B20-3969-4AF5-9386-C569FC5AA460}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Cisco Security Agent *Disabled* {AA4D2B20-3969-4AF5-9386-C569FC5AA460}
* Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\hnetcfg.dll --> c:\windows\system32\hnetcfg.dll
.
(((((((((((((((((((((((((   Files Created from 2014-04-28 to 2014-05-28 )))))))))))))))))))))))))))))))
.
.
2014-05-27 19:08 . 2014-05-27 19:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP Photo Creations
2014-05-27 19:08 . 2014-05-27 19:08   --------   d-----w-   c:\program files\HP Photo Creations
2014-05-27 19:06 . 2010-06-14 20:04   273256   ------w-   c:\windows\system32\HPDiscoPM8e11.dll
2014-05-27 19:06 . 2010-06-14 20:48   1907560   ----a-w-   c:\windows\system32\HPScanMiniDrv_PSB210.dll
2014-05-27 19:06 . 2010-06-14 20:48   264552   ----a-w-   c:\windows\system32\hpinksts8e11LM.dll
2014-05-27 19:06 . 2010-06-14 20:48   232296   ----a-w-   c:\windows\system32\hpinksts8e11.dll
2014-05-27 19:06 . 2010-06-14 20:48   213352   ----a-w-   c:\windows\system32\hpinkcoi8e11.dll
2014-05-14 02:17 . 2014-05-14 02:52   --------   d-----w-   c:\documents and settings\wjabs\Local Settings\Application Data\NPE
2014-05-14 00:18 . 2014-05-14 00:18   --------   d-----w-   c:\program files\SmartPCFixer
2014-05-13 23:21 . 2014-05-15 21:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCOTEMP
2014-05-08 13:48 . 2014-05-08 13:48   227704   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2014-04-30 01:21 . 2014-04-30 01:21   --------   d-----w-   C:\spoolerlogs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-21 00:15 . 2012-08-02 21:29   12872   ----a-w-   c:\windows\system32\bootdelete.exe
2012-09-26 19:39 . 2012-09-26 19:38   4096000   ----a-w-   c:\program files\GUTB2.tmp
2012-09-25 04:38 . 2012-09-25 04:38   4096000   ----a-w-   c:\program files\GUTD0.tmp
2012-09-10 02:38 . 2012-09-10 02:38   3993600   ----a-w-   c:\program files\GUT14C0.tmp
2009-04-30 00:07 . 2014-05-12 19:54   23864   ----a-w-   c:\program files\mozilla firefox\components\Scriptff.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"PtiuPbmd"="ptipbm.dll" [2003-09-16 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8495104]
"nwiz"="nwiz.exe" [2007-05-18 1626112]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-03-30 181808]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-06 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-06 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-10 868352]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2009-01-23 136512]
"AeXAgentLogon"="c:\progra~1\Altiris\ALTIRI~1\AeXAgentActivate.exe" [2008-10-30 153416]
"OdTray.exe"="c:\program files\Funk Software\Odyssey Client\OdTray.exe" [2006-08-17 1052735]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2007-01-02 167936]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"EmsService"="EmsServiceHelper.exe" [2009-04-08 1967464]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2012-06-02 206120]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-08-16 152392]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Security Agent.lnk - c:\program files\Cisco Systems\CSAgent\bin\okclient.exe [2007-11-28 643072]
GKProbe.lnk - c:\program files\Credant\Gatekeeper\GKProbe.exe [2005-9-6 708608]
Manage Printers.lnk - c:\program files\Cisco Systems\CEPS\AddPrinter.exe -sanity [2006-12-11 139264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1
"NoSMConfigurePrograms"= 1 (0x1)
"UseDesktopIniCache"= 1 (0x1)
"NoRemoteChangeNotify"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDetailsThumbnailOnNetwork"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 14:13   161128   ----a-w-   c:\windows\system32\CmgShieldNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-04-16 15:09   106496   ----a-w-   c:\windows\system32\odyEvent.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37   34344   -c--a-w-   c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 11:06   28672   ----a-w-   c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 aac;Adaptec RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [12/11/2006 4:18 PM 47496]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [5/29/2007 1:53 PM 404592]
R0 csacenter;Cisco Security Agent Rule Engine;c:\windows\system32\drivers\csacentr.sys [11/28/2007 3:19 AM 365568]
R0 csafile;Cisco Security Agent File Access Controller;c:\windows\system32\drivers\csafile.sys [11/28/2007 3:19 AM 134656]
R0 csanet;Cisco Security Agent Packet Verifier;c:\windows\system32\drivers\csanet.sys [11/28/2007 3:19 AM 307200]
R0 csareg;Cisco Security Agent Registry Access Controller;c:\windows\system32\drivers\csareg.sys [11/28/2007 3:19 AM 52736]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2009 1:58 PM 64288]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [8/17/2006 12:58 PM 254208]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 9:47 PM 19760]
R1 csatdi;Cisco Security Agent Network Access Controller;c:\windows\system32\drivers\csatdi.sys [11/28/2007 3:19 AM 455296]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [5/29/2007 1:58 PM 2057576]
R2 CSAgent;Cisco Security Agent;c:\program files\Cisco Systems\CSAgent\bin\csacontrol.exe [11/28/2007 3:19 AM 344064]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 10:08 AM 709992]
R2 guardian;CREDANT Mobile Guardian Gatekeeper;c:\program files\Credant\Gatekeeper\Gatekeeper.exe [9/6/2005 10:40 PM 679424]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 290832]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [4/29/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/23/2010 4:51 PM 159608]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [6/2/2012 6:34 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [6/2/2012 6:35 AM 185640]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [11/28/2007 2:47 AM 1489688]
S1 CCDevice;CCDevice; [x]
S3 CMGShieldNP;CMGShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 10:13 AM 161128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\wjabs\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\wjabs\LOCALS~1\Temp\mfe_rr.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/23/2010 4:51 PM 87656]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2004-08-03 23:56   99840   ----a-w-   c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-22 23:56]
.
2014-05-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-CISCO-wjabs.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-14 08:44]
.
2014-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2014-05-27 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2014-05-27 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2014-05-27 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2014-05-27 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2014-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 16:06]
.
2014-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 16:06]
.
2014-05-27 c:\windows\Tasks\hpwebreg_xxxxxxxxxx.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\hpwebreg.exe [2010-06-14 20:10]
.
2014-05-28 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-11-28 01:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = ""
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: cisco.com\www
Trusted Zone: cisco.com\wwwin
Trusted Zone: cisco.com\wwwin-asiapac
Trusted Zone: cisco.com\wwwin-emea
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\wjabs\Application Data\Mozilla\Firefox\Profiles\tp6ueysr.default\
FF - prefs.js: browser.search.selectedEngine - Bing
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-28 11:44
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1468)
c:\windows\system32\odyEvent.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\CmgShieldNP.dll
.
Completion time: 2014-05-28 11:46:38
ComboFix-quarantined-files.txt 2014-05-28 15:46
ComboFix2.txt 2014-05-27 18:48
.
Pre-Run: 58,735,087,616 bytes free
Post-Run: 58,710,560,768 bytes free
.
- - End Of File - - 69397EA0A4FB6435E2D4FAF31093DE1F
8F558EB6672622401DA993E1E865C861

#9 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #9$
Render

Posted 28 May 2014 - 10:34 AM

Trusted Helper

Malware Removal
4,195 posts

Please run ComboFix one more time with following script:

AtJob::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#10 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #10$
drlnb

Posted 28 May 2014 - 11:32 AM

Member

Topic Starter
Member
26 posts

Hi,

The latest log:

ComboFix 14-05-27.02 - wjabs 05/28/2014 13:05:56.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2014.1175 [GMT -4:00]
Running from: c:\documents and settings\wjabs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\wjabs\Desktop\CFScript.txt
AV: Cisco Security Agent *Disabled/Updated* {AA4D2B20-3969-4AF5-9386-C569FC5AA460}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Cisco Security Agent *Disabled* {AA4D2B20-3969-4AF5-9386-C569FC5AA460}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-28 to 2014-05-28 )))))))))))))))))))))))))))))))
.
.
2014-05-28 15:58 . 2014-05-28 15:58   8646   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2014-05-28 15:58 . 2014-05-28 15:58   6429   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2014-05-28 15:58 . 2014-05-28 15:58   63115   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2014-05-28 15:58 . 2014-05-28 15:58   4599   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2014-05-28 15:58 . 2014-05-28 15:58   9310   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2014-05-28 15:58 . 2014-05-28 15:58   8613   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2014-05-28 15:58 . 2014-05-28 15:58   5927   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2014-05-28 15:58 . 2014-05-28 15:58   1651   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2014-05-28 15:58 . 2014-05-28 15:58   6910   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2014-05-28 15:58 . 2014-05-28 15:58   18541   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2014-05-28 15:58 . 2014-05-28 15:58   8288   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2014-05-28 15:58 . 2014-05-28 15:58   6208   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2014-05-28 15:57 . 2014-05-28 15:57   51852   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2014-05-28 15:57 . 2014-05-28 15:57   20719   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2014-05-28 15:57 . 2014-05-28 15:57   8782   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2014-05-28 15:57 . 2014-05-28 15:57   7271   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2014-05-28 15:57 . 2014-05-28 15:57   23327   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2014-05-27 19:08 . 2014-05-27 19:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP Photo Creations
2014-05-27 19:08 . 2014-05-27 19:08   --------   d-----w-   c:\program files\HP Photo Creations
2014-05-27 19:06 . 2010-06-14 20:04   273256   ------w-   c:\windows\system32\HPDiscoPM8e11.dll
2014-05-27 19:06 . 2010-06-14 20:48   1907560   ----a-w-   c:\windows\system32\HPScanMiniDrv_PSB210.dll
2014-05-27 19:06 . 2010-06-14 20:48   264552   ----a-w-   c:\windows\system32\hpinksts8e11LM.dll
2014-05-27 19:06 . 2010-06-14 20:48   232296   ----a-w-   c:\windows\system32\hpinksts8e11.dll
2014-05-27 19:06 . 2010-06-14 20:48   213352   ----a-w-   c:\windows\system32\hpinkcoi8e11.dll
2014-05-14 02:17 . 2014-05-14 02:52   --------   d-----w-   c:\documents and settings\wjabs\Local Settings\Application Data\NPE
2014-05-14 00:18 . 2014-05-14 00:18   --------   d-----w-   c:\program files\SmartPCFixer
2014-05-13 23:21 . 2014-05-15 21:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCOTEMP
2014-05-08 13:48 . 2014-05-08 13:48   227704   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2014-04-30 01:21 . 2014-04-30 01:21   --------   d-----w-   C:\spoolerlogs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-21 00:15 . 2012-08-02 21:29   12872   ----a-w-   c:\windows\system32\bootdelete.exe
2012-09-26 19:39 . 2012-09-26 19:38   4096000   ----a-w-   c:\program files\GUTB2.tmp
2012-09-25 04:38 . 2012-09-25 04:38   4096000   ----a-w-   c:\program files\GUTD0.tmp
2012-09-10 02:38 . 2012-09-10 02:38   3993600   ----a-w-   c:\program files\GUT14C0.tmp
2009-04-30 00:07 . 2014-05-12 19:54   23864   ----a-w-   c:\program files\mozilla firefox\components\Scriptff.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"PtiuPbmd"="ptipbm.dll" [2003-09-16 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8495104]
"nwiz"="nwiz.exe" [2007-05-18 1626112]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-03-30 181808]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-06 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-06 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-10 868352]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2009-01-23 136512]
"AeXAgentLogon"="c:\progra~1\Altiris\ALTIRI~1\AeXAgentActivate.exe" [2008-10-30 153416]
"OdTray.exe"="c:\program files\Funk Software\Odyssey Client\OdTray.exe" [2006-08-17 1052735]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2007-01-02 167936]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"EmsService"="EmsServiceHelper.exe" [2009-04-08 1967464]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2012-06-02 206120]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-08-16 152392]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Security Agent.lnk - c:\program files\Cisco Systems\CSAgent\bin\okclient.exe [2007-11-28 643072]
GKProbe.lnk - c:\program files\Credant\Gatekeeper\GKProbe.exe [2005-9-6 708608]
Manage Printers.lnk - c:\program files\Cisco Systems\CEPS\AddPrinter.exe -sanity [2006-12-11 139264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1
"NoSMConfigurePrograms"= 1 (0x1)
"UseDesktopIniCache"= 1 (0x1)
"NoRemoteChangeNotify"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDetailsThumbnailOnNetwork"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 14:13   161128   ----a-w-   c:\windows\system32\CmgShieldNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-04-16 15:09   106496   ----a-w-   c:\windows\system32\odyEvent.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37   34344   -c--a-w-   c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 11:06   28672   ----a-w-   c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 aac;Adaptec RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [12/11/2006 4:18 PM 47496]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [5/29/2007 1:53 PM 404592]
R0 csacenter;Cisco Security Agent Rule Engine;c:\windows\system32\drivers\csacentr.sys [11/28/2007 3:19 AM 365568]
R0 csafile;Cisco Security Agent File Access Controller;c:\windows\system32\drivers\csafile.sys [11/28/2007 3:19 AM 134656]
R0 csanet;Cisco Security Agent Packet Verifier;c:\windows\system32\drivers\csanet.sys [11/28/2007 3:19 AM 307200]
R0 csareg;Cisco Security Agent Registry Access Controller;c:\windows\system32\drivers\csareg.sys [11/28/2007 3:19 AM 52736]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2009 1:58 PM 64288]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [8/17/2006 12:58 PM 254208]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 9:47 PM 19760]
R1 csatdi;Cisco Security Agent Network Access Controller;c:\windows\system32\drivers\csatdi.sys [11/28/2007 3:19 AM 455296]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [5/29/2007 1:58 PM 2057576]
R2 CSAgent;Cisco Security Agent;c:\program files\Cisco Systems\CSAgent\bin\csacontrol.exe [11/28/2007 3:19 AM 344064]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 10:08 AM 709992]
R2 guardian;CREDANT Mobile Guardian Gatekeeper;c:\program files\Credant\Gatekeeper\Gatekeeper.exe [9/6/2005 10:40 PM 679424]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 290832]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [4/29/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/23/2010 4:51 PM 159608]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [6/2/2012 6:34 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [6/2/2012 6:35 AM 185640]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [11/28/2007 2:47 AM 1489688]
S1 CCDevice;CCDevice; [x]
S3 CMGShieldNP;CMGShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 10:13 AM 161128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\wjabs\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\wjabs\LOCALS~1\Temp\mfe_rr.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/23/2010 4:51 PM 87656]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2004-08-03 23:56   99840   ----a-w-   c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-22 23:56]
.
2014-05-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-CISCO-wjabs.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-14 08:44]
.
2014-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2014-05-27 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2014-05-27 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2014-05-27 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2014-05-27 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2014-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 16:06]
.
2014-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 16:06]
.
2014-05-27 c:\windows\Tasks\hpwebreg_xxxxxxxxxx.job
- c:\program files\HP\HP Photosmart Plus B210 series\Bin\hpwebreg.exe [2010-06-14 20:10]
.
2014-05-28 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-11-28 01:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = ""
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: cisco.com\www
Trusted Zone: cisco.com\wwwin
Trusted Zone: cisco.com\wwwin-asiapac
Trusted Zone: cisco.com\wwwin-emea
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\wjabs\Application Data\Mozilla\Firefox\Profiles\tp6ueysr.default\
FF - prefs.js: browser.search.selectedEngine - Bing
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-28 13:13
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1456)
c:\windows\system32\odyEvent.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\CmgShieldNP.dll
.
Completion time: 2014-05-28 13:15:25
ComboFix-quarantined-files.txt 2014-05-28 17:15
ComboFix2.txt 2014-05-28 15:46
ComboFix3.txt 2014-05-27 18:48
.
Pre-Run: 58,686,832,640 bytes free
Post-Run: 58,641,072,128 bytes free
.
- - End Of File - - 98E0A872BE05BC008753D61E91C904C6
8F558EB6672622401DA993E1E865C861

#11 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #11$
Render

Posted 28 May 2014 - 11:45 AM

Trusted Helper

Malware Removal
4,195 posts

OK. Please follow the steps bellow:

Please download aswMBR.exeto your desktop.
Double click the aswMBR.exe to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Note: If avast! antivirus is already installed, just do the next step.
Click the Scan button to start scan.
On completion of the scan click Save log, save it to your desktop and post in your next reply.
Also on Desktop there should be a file called MBR.dat after that. Please attach it here.

How to add an attachment to a new topic or reply

NEXT...

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure all the boxes are checked
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

#12 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #12$
drlnb

Posted 28 May 2014 - 11:59 AM

Member

Topic Starter
Member
26 posts

Render,

Here's the aswMBR log.

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-05-28 14:20:32
-----------------------------
14:20:32.781    OS Version: Windows 5.1.2600 Service Pack 2
14:20:32.781    Number of processors: 2 586 0xF0B
14:20:32.781    ComputerName: WJABS-WXP01 UserName: wjabs
14:20:40.703    Initialize success
14:28:49.359    AVAST engine defs: 14052801
14:34:55.156    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
14:34:55.156    Disk 0 Vendor: ST910021 4.06 Size: 95396MB BusType: 3
14:34:55.500    Disk 0 MBR read successfully
14:34:55.500    Disk 0 MBR scan
14:34:55.828    Disk 0 Windows XP default MBR code
14:34:55.828    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        95393 MB offset 63
14:34:55.906    Disk 0 scanning sectors +195365520
14:34:56.234    Disk 0 scanning C:\WINDOWS\system32\drivers
14:35:48.375    Service scanning
14:36:38.234    Modules scanning
14:36:44.109    Disk 0 trace - called modules:
14:36:44.156    ntkrnlpa.exe csacentr.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
14:36:44.156    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a9a7368]
14:36:44.156    3 CLASSPNP.SYS[ba8f905b] -> nt!IofCallDriver -> \Device\000000a3[0x8a934f18]
14:36:44.156    5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a8ff030]
14:36:44.515    AVAST engine scan C:\WINDOWS
14:37:05.468    AVAST engine scan C:\WINDOWS\system32
14:39:55.265    AVAST engine scan C:\WINDOWS\system32\drivers
14:40:12.953    AVAST engine scan C:\Documents and Settings\wjabs
14:57:14.531    AVAST engine scan C:\Documents and Settings\All Users
15:21:41.843    Scan finished successfully
15:22:14.078    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\wjabs\Desktop\MBR.dat"
15:22:14.187    The log file has been saved successfully to "C:\Documents and Settings\wjabs\Desktop\aswMBR.txt"

Edited by drlnb, 28 May 2014 - 01:29 PM.

#13 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #13$
drlnb

Posted 28 May 2014 - 01:32 PM

Member

Topic Starter
Member
26 posts

Here's the MBR.dat file

Attached Files

MBR.dat 512bytes 250 downloads

#14 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #14$
drlnb

Posted 28 May 2014 - 01:36 PM

Member

Topic Starter
Member
26 posts

Here's the FSS.txt file:

Farbar Service Scanner Version: 21-05-2014
Ran by wjabs (administrator) on 28-05-2014 at 15:29:52
Running from "C:\Documents and Settings\wjabs\Desktop"
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-12-11 16:34] - [2006-05-19 08:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys
[2006-12-11 16:34] - [2008-08-14 05:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys
[2006-12-11 16:34] - [2004-08-03 18:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-12-11 16:34] - [2008-06-20 06:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2006-12-11 16:34] - [2004-08-03 18:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2006-12-11 16:34] - [2008-02-20 01:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F

C:\WINDOWS\system32\ipnathlp.dll
[2006-12-11 16:34] - [2004-08-03 19:56] - 0331264 ___AC (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2006-12-11 16:34] - [2005-08-22 14:29] - 0197632 ____A (Microsoft Corporation) 36739B39267914BA69AD0610A0299732

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2006-12-11 17:41] - [2004-08-03 19:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2006-12-11 17:42] - [2004-08-03 19:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2006-12-11 17:42] - [2004-08-03 18:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2006-12-11 16:34] - [2004-08-03 19:56] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2006-12-11 17:41] - [2004-08-03 19:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll
[2006-12-11 17:42] - [2004-08-03 19:56] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

C:\WINDOWS\system32\qmgr.dll
[2006-12-11 17:42] - [2004-08-03 19:56] - 0382464 ___AC (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll
[2006-12-11 16:34] - [2008-07-07 16:32] - 0253952 ____A (Microsoft Corporation) 60D1A6342238378BFB7545C81EE3606C

C:\WINDOWS\system32\cryptsvc.dll
[2006-12-11 16:34] - [2004-08-03 19:56] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\system32\svchost.exe
[2006-12-11 16:34] - [2004-08-03 19:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2006-12-11 16:34] - [2009-02-09 06:01] - 0401408 ____A (Microsoft Corporation) 24B5D53B9ACCC1E2EDCF0A878D6659D4

C:\WINDOWS\system32\services.exe
[2006-12-11 16:34] - [2009-02-06 06:22] - 0110592 ____A (Microsoft Corporation) 4712531AB7A01B7EE059853CA17D39BD

Extra List:
=======
AegisP(9) CdpPacket(15) csatdi(18) Gpc(6) IPSec(4) mfetdik(16) NetBT(5) NwlnkIpx(12) NwlnkNb(17) odysseyIM4(13) PSched(7) RFCOMM(8) Tcpip(3)
0x1100000004000000010000000200000003000000120000000B00000005000000060000000700000008000000090000000A0000000D0000000E0000000F0000000C00000011000000
IpSec Tag value is correct.

**** End of log ****

#15 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #15$
Render

Posted 28 May 2014 - 02:12 PM

Trusted Helper

Malware Removal
4,195 posts

aswMBR scan results are good. Resuls of FSS are strange as some services are missing. Have you checked all possible boxes?

Anyway, how is your computer running now, besides these cmd problems?

Please proceed with this:

Go to Start > All Programs > Accessories
Right click Command Prompt and select Run as administrator
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot

Let me know then if there is any improvement

Back to Virus, Spyware, Malware Removal · Next Unread Topic →

As Featured On:

Geeks to Go Forum 343,326 topics
Quick Links FAQ Malware Cleaning Guide How it Works
Downloads 2+ million

View New Content

NT AUTHORITY\SYSTEM attempted to execute the new application

#1 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #1$
drlnb

Posted 14 May 2014 - 12:28 AM

Advertisements

#2 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #2$
drlnb

Posted 14 May 2014 - 12:30 PM

#3 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #3$
drlnb

Posted 14 May 2014 - 12:32 PM

#4 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #4$
Render

Posted 25 May 2014 - 12:03 PM

#5 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #5$
drlnb

Posted 27 May 2014 - 12:56 PM

#6 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #6$
drlnb

Posted 27 May 2014 - 01:38 PM

#7 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #7$
Render

Posted 28 May 2014 - 05:26 AM

#8 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #8$
drlnb

Posted 28 May 2014 - 10:10 AM

#9 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #9$
Render

Posted 28 May 2014 - 10:34 AM

#10 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #10$
drlnb

Posted 28 May 2014 - 11:32 AM

Advertisements

#11 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #11$
Render

Posted 28 May 2014 - 11:45 AM

#12 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #12$
drlnb

Posted 28 May 2014 - 11:59 AM

#13 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #13$
drlnb

Posted 28 May 2014 - 01:32 PM

Attached Files

#14 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #14$
drlnb

Posted 28 May 2014 - 01:36 PM

#15 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #15$
Render

Posted 28 May 2014 - 02:12 PM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us

NT AUTHORITY\SYSTEM attempted to execute the new application

#1 drlnb Posted 14 May 2014 - 12:28 AM

Advertisements

#2 drlnb Posted 14 May 2014 - 12:30 PM

#3 drlnb Posted 14 May 2014 - 12:32 PM

#4 Render Posted 25 May 2014 - 12:03 PM

#5 drlnb Posted 27 May 2014 - 12:56 PM

#6 drlnb Posted 27 May 2014 - 01:38 PM

#7 Render Posted 28 May 2014 - 05:26 AM

#8 drlnb Posted 28 May 2014 - 10:10 AM

#9 Render Posted 28 May 2014 - 10:34 AM

#10 drlnb Posted 28 May 2014 - 11:32 AM

Advertisements

#11 Render Posted 28 May 2014 - 11:45 AM

#12 drlnb Posted 28 May 2014 - 11:59 AM

#13 drlnb Posted 28 May 2014 - 01:32 PM

Attached Files

#14 drlnb Posted 28 May 2014 - 01:36 PM

#15 Render Posted 28 May 2014 - 02:12 PM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us

Sign In

#1 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #1$
drlnb

Posted 14 May 2014 - 12:28 AM

#2 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #2$
drlnb

Posted 14 May 2014 - 12:30 PM

#3 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #3$
drlnb

Posted 14 May 2014 - 12:32 PM

#4 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #4$
Render

Posted 25 May 2014 - 12:03 PM

#5 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #5$
drlnb

Posted 27 May 2014 - 12:56 PM

#6 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #6$
drlnb

Posted 27 May 2014 - 01:38 PM

#7 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #7$
Render

Posted 28 May 2014 - 05:26 AM

#8 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #8$
drlnb

Posted 28 May 2014 - 10:10 AM

#9 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #9$
Render

Posted 28 May 2014 - 10:34 AM

#10 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #10$
drlnb

Posted 28 May 2014 - 11:32 AM

#11 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #11$
Render

Posted 28 May 2014 - 11:45 AM

#12 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #12$
drlnb

Posted 28 May 2014 - 11:59 AM

#13 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #13$
drlnb

Posted 28 May 2014 - 01:32 PM

#14 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #14$
drlnb

Posted 28 May 2014 - 01:36 PM

#15 $NT AUTHORITY\SYSTEM attempted to execute the new application: post #15$
Render

Posted 28 May 2014 - 02:12 PM