Have Rootkit; GMER and OTL crash


#1 tpknet (Member, 10 posts)

I found a rootkit with a real old version of AVG anti-rootkit. I can delete it but it comes back under a different name.

I went through all the steps of the guide so I deleted all the temp files and have a backup of my registry.
Malwarebytes came up clean but I don't know where the log file went. GMER crashed but I was still able to post a log. OTL is still running after 9 hours and the system is really slow.

I noticed LSASS.EXE was taking up a lot of system resources before I ran OTL. Now Winlogon is taking up 50% of the CPU time.

I had to boot to "last known good configuration" to get the computer to even run earlier today.

Thanks for the help.

Tpknet

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-19 21:36:43
Windows 5.1.2600 Service Pack 3
Running: 1zx_69.exe; Driver: C:\DOCUME~1\TPKNET\LOCALS~1\Temp\awdyyfod.sys


---- System - GMER 1.0.15 ----

SSDT BAFD420E ZwCreateKey
SSDT BAFD4204 ZwCreateThread
SSDT BAFD4213 ZwDeleteKey
SSDT BAFD421D ZwDeleteValueKey
SSDT sprw.sys ZwEnumerateKey [0xBA6CDDA4]
SSDT sprw.sys ZwEnumerateValueKey [0xBA6CE132]
SSDT BAFD4222 ZwLoadKey
SSDT sprw.sys ZwOpenKey [0xBA6B50C0]
SSDT BAFD41F0 ZwOpenProcess
SSDT BAFD41F5 ZwOpenThread
SSDT sprw.sys ZwQueryKey [0xBA6CE20A]
SSDT sprw.sys ZwQueryValueKey [0xBA6CE08A]
SSDT BAFD422C ZwReplaceKey
SSDT BAFD4227 ZwRestoreKey
SSDT BAFD4218 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB7835320]

INT 0x62 ? 8AE21BF8
INT 0x84 ? 8AE92BF8
INT 0x84 ? 8AE92BF8
INT 0x84 ? 8AE92BF8
INT 0x84 ? 8AE92BF8
INT 0xA4 ? 8AE21BF8
INT 0xA4 ? 8AE21BF8
INT 0xA4 ? 8AE92BF8
INT 0xA4 ? 8AE21BF8

Code 8958EBAC ZwRequestPort
Code 8958EC4C ZwRequestWaitReplyPort
Code 8958EB0C ZwTraceEvent
Code 8958EBAB NtRequestPort
Code 8958EC4B NtRequestWaitReplyPort
Code 8958EB0B NtTraceEvent

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AE911F8

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

Device \FileSystem\Fastfat \FatCdrom 88CC01F8
Device \Driver\sptd \Device\4262850224 sprw.sys
Device \Driver\usbuhci \Device\USBPDO-0 8AD30500
Device \Driver\usbuhci \Device\USBPDO-1 8AD30500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AE931F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AE931F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AE931F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AE931F8
Device \Driver\usbuhci \Device\USBPDO-2 8AD30500
Device \Driver\usbuhci \Device\USBPDO-3 8AD30500
Device \Driver\usbehci \Device\USBPDO-4 8AC65500
Device \Driver\usbuhci \Device\USBPDO-5 8AD30500
Device \Driver\PCI_PNP2724 \Device\00000062 sprw.sys
Device \Driver\usbuhci \Device\USBPDO-6 8AD30500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AE221F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\usbehci \Device\USBPDO-7 8AC65500
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AE221F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\Cdrom \Device\CdRom0 8AC361F8


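As an added example that is not part of this thread, of GMER or of the forum's own tooling: a small Python triage script for the "System" section of a GMER log like the one above. It attributes each SSDT hook to the driver GMER names (here sprw.sys and SASKUTIL.sys) and separates out the hooks whose handler address GMER could not map to any loaded module, which in the posted log are the registry-key hooks at BAFD42xx. The line formats are inferred from the posted log, the embedded sample is a constructed, abridged copy of it, and all function names are my own.

```python
"""Triage the 'System' section of a GMER rootkit-scan log.

Added example for this thread, not part of GMER, ComboFix or the forum's tooling.
It attributes each reported SSDT hook to the driver GMER names and separates out
hooks whose handler address GMER could not map to any module.  Line formats are
inferred from the log posted above; SAMPLE_GMER is a constructed, abridged copy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

UNKNOWN = "<unknown module>"

# Constructed sample, abridged from the posted log (note the repeated INT line).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT BAFD420E ZwCreateKey
SSDT BAFD4204 ZwCreateThread
SSDT sprw.sys ZwEnumerateKey [0xBA6CDDA4]
SSDT sprw.sys ZwOpenKey [0xBA6B50C0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB7835320]

INT 0x62 ? 8AE21BF8
INT 0x84 ? 8AE92BF8
INT 0x84 ? 8AE92BF8

Code 8958EBAC ZwRequestPort
Code 8958EBAB NtRequestPort

---- Devices - GMER 1.0.15 ----
"""

# "SSDT <module or path (vendor note)> <ZwFunc> [0xADDR]": hook attributed to a module
SSDT_KNOWN = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# "SSDT <ADDR> <ZwFunc>": hook whose handler GMER could not attribute to any module
SSDT_BARE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")
# "INT 0xNN ? <ADDR>": interrupt descriptor entry with unknown owner
INT_LINE = re.compile(r"^INT\s+(?P<vector>0x[0-9A-Fa-f]+)\s+\?\s+(?P<addr>[0-9A-Fa-f]{8})$")
# "Code <ADDR> <Routine>": inline patch inside a kernel routine
CODE_LINE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)$")


@dataclass(frozen=True)
class Hook:
    kind: str             # "SSDT", "INT" or "Code"
    target: str           # hooked system service, interrupt vector or routine
    address: int          # handler address as reported by GMER
    owner: Optional[str]  # module basename, or None when GMER named none


def module_basename(owner: str) -> str:
    """Reduce GMER's owner field to a file name, dropping the '(vendor)' note."""
    path = owner.split(" (", 1)[0].strip()
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_gmer_system(text: str) -> List[Hook]:
    """Parse the System section; identical lines (GMER repeats IDT entries) collapse to one."""
    hooks: List[Hook] = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            if "System" in line:
                continue  # the section header we want
            break         # any other header ends the System section
        if m := SSDT_KNOWN.match(line):
            hook = Hook("SSDT", m["func"], int(m["addr"], 16), module_basename(m["owner"]))
        elif m := SSDT_BARE.match(line):
            hook = Hook("SSDT", m["func"], int(m["addr"], 16), None)
        elif m := INT_LINE.match(line):
            hook = Hook("INT", f"INT {m['vector']}", int(m["addr"], 16), None)
        elif m := CODE_LINE.match(line):
            hook = Hook("Code", m["func"], int(m["addr"], 16), None)
        else:
            continue
        if hook not in seen:
            seen.add(hook)
            hooks.append(hook)
    return hooks


def hooks_by_owner(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group hook targets by owning module; unattributed hooks land under UNKNOWN."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        grouped[h.owner or UNKNOWN].append(h.target)
    return {owner: sorted(targets) for owner, targets in grouped.items()}


def unattributed_ssdt(hooks: List[Hook]) -> List[Hook]:
    """SSDT hooks with no named owner: a named driver can be checked against the
    installed software, a bare address cannot, so these are where to look first."""
    return [h for h in hooks if h.kind == "SSDT" and h.owner is None]
```

Feed it the text of a real GMER log in place of SAMPLE_GMER; `hooks_by_owner` gives the per-driver picture and `unattributed_ssdt` the hooks worth asking about first.
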
#2 RKinner (Malware Expert, MVP, 24,598 posts)
See if you can run Combofix:

Download but do not yet run ComboFix.
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and rename this file (call it george.exe) to your Desktop from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Ron

#3 tpknet (Topic Starter, Member, 10 posts)
It was running kind of weird still and I didn't trust it to boot properly, so I booted in safe mode and ran combofix (charl1e) from the desktop.

I have had the computer unplugged from the network and am using my wife's laptop to download and transfer files via sneakernet (flash drive).

Here is the log file:


ComboFix 10-03-22.04 - TPKNET 03/23/2010 13:46:06.8.2 - x86 MINIMAL
Running from: c:\documents and settings\TPKNET\Desktop\charl1e.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3707538458-246846758-2490947888-1000
c:\windows\eSellerateEngine.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ndisrd


((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-17 02:20 . 2010-03-17 02:20 -------- d-----w- c:\windows\LastGood.Tmp
2010-03-16 16:29 . 2010-03-16 16:29 -------- d-----w- c:\program files\Western Digital Corporation
2010-03-15 19:02 . 2010-03-15 19:02 -------- d-----w- c:\program files\Sophos
2010-03-14 01:14 . 2010-03-14 01:14 -------- d-----w- c:\documents and settings\TPKNET\Local Settings\Application Data\IsolatedStorage
2010-03-10 04:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 17:11 . 2010-03-07 17:11 -------- d-----w- c:\program files\GARMIN
2010-03-07 17:10 . 2010-03-07 17:10 -------- d-----w- c:\documents and settings\TPKNET\WINDOWS
2010-03-06 16:22 . 2010-03-06 16:22 -------- d-----w- c:\program files\ASA
2010-03-01 02:54 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-03-01 02:54 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-03-01 02:44 . 2007-09-06 22:56 98304 ----a-w- c:\windows\amcap.exe
2010-03-01 02:44 . 2008-02-21 23:15 3968 ----a-w- c:\windows\system32\drivers\DeNoise.sys
2010-03-01 02:44 . 2007-03-26 20:46 10252544 ----a-w- c:\windows\system32\drivers\snpstd3.sys
2010-03-01 02:44 . 2007-03-10 20:43 270336 ----a-w- c:\windows\tsnpstd3.exe
2010-03-01 02:44 . 2006-09-19 15:07 827392 ----a-w- c:\windows\vsnpstd3.exe
2010-03-01 02:44 . 2010-03-01 02:44 -------- d-----w- c:\program files\Common Files\snpstd3
2010-03-01 02:44 . 2007-03-12 17:41 61440 ----a-w- c:\windows\system32\vsnpstd3.dll
2010-03-01 02:44 . 2007-02-09 20:13 172032 ----a-w- c:\windows\system32\rsnpstd3.dll
2010-03-01 02:44 . 2005-11-23 19:55 53248 ----a-w- c:\windows\system32\csnpstd3.dll
2010-03-01 02:44 . 2005-11-23 19:55 53248 ----a-w- c:\windows\csnpstd3.dll
2010-02-23 04:43 . 2010-02-23 04:43 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 18:59 . 2006-10-17 13:31 -------- d-----w- c:\program files\Hauppauge MediaMVP
2010-03-23 18:44 . 2009-04-01 20:38 -------- d-----w- c:\documents and settings\TPKNET\Application Data\TeraCopy
2010-03-19 21:59 . 2010-01-06 21:58 -------- d-----w- c:\documents and settings\TPKNET\Application Data\HPAppData
2010-03-19 02:47 . 2009-04-02 21:25 -------- d-----w- c:\program files\TurboTax
2010-03-19 00:06 . 2006-10-14 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-03-16 18:55 . 2009-01-18 15:19 -------- d-----w- c:\program files\ERUNT
2010-03-16 16:32 . 2009-07-14 21:34 117760 ----a-w- c:\documents and settings\TPKNET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-15 02:32 . 2006-10-15 00:44 -------- d-----w- c:\documents and settings\TPKNET\Application Data\RipIt4Me
2010-03-06 16:24 . 2010-03-06 16:24 40960 ----a-r- c:\documents and settings\TPKNET\Application Data\Microsoft\Installer\{1ED1270A-B260-4AF8-83F7-33766F611EB9}\NewShortcut5_F946EEF9A44A45C3A4E7EEE014D4D3DD.exe
2010-03-06 16:24 . 2010-03-06 16:24 40960 ----a-r- c:\documents and settings\TPKNET\Application Data\Microsoft\Installer\{1ED1270A-B260-4AF8-83F7-33766F611EB9}\NewShortcut3_73608ABFE45D4092961364BF2182B7D5.exe
2010-03-06 16:24 . 2010-03-06 16:24 40960 ----a-r- c:\documents and settings\TPKNET\Application Data\Microsoft\Installer\{1ED1270A-B260-4AF8-83F7-33766F611EB9}\NewShortcut2_E4AA925E60AA4B4781E15914F58A69E6.exe
2010-03-06 16:24 . 2010-03-06 16:24 10134 ----a-r- c:\documents and settings\TPKNET\Application Data\Microsoft\Installer\{1ED1270A-B260-4AF8-83F7-33766F611EB9}\ARPPRODUCTICON.exe
2010-03-06 16:05 . 2006-10-13 03:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-05 19:29 . 2007-07-19 17:47 30921 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-03-03 14:04 . 2008-10-09 20:31 -------- d-----w- c:\documents and settings\TPKNET\Application Data\Skype
2010-03-03 14:01 . 2008-10-09 20:32 -------- d-----w- c:\documents and settings\TPKNET\Application Data\skypePM
2010-03-01 14:32 . 2008-12-20 04:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 08:36 . 2006-10-13 02:31 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-01 08:29 . 2006-10-20 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-01 08:27 . 2006-10-20 20:44 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-02-24 15:16 . 2009-10-02 18:25 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-18 12:41 . 2006-12-04 17:45 -------- d-----w- c:\documents and settings\TPKNET\Application Data\Apple Computer
2010-02-18 05:46 . 2010-02-18 05:44 -------- d-----w- c:\program files\iTunes
2010-02-18 05:46 . 2010-02-18 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-18 05:44 . 2010-02-18 05:44 -------- d-----w- c:\program files\iPod
2010-02-18 05:44 . 2007-07-09 15:16 -------- d-----w- c:\program files\Common Files\Apple
2010-02-18 05:41 . 2007-05-29 13:39 -------- d-----w- c:\program files\QuickTime
2010-02-12 16:11 . 2010-02-12 16:11 -------- d-----w- c:\documents and settings\Admin\Application Data\ArcSoft
2010-02-11 20:54 . 2010-01-14 04:42 -------- d-----w- c:\documents and settings\TPKNET\Application Data\Pamela
2010-02-05 01:28 . 2006-10-14 03:40 -------- d-----w- c:\program files\Google
2010-02-03 19:40 . 2010-02-03 19:40 -------- d-----w- c:\documents and settings\TPKNET\Application Data\DVDFab
2010-02-03 19:27 . 2009-01-03 22:22 -------- d-----w- c:\documents and settings\TPKNET\Application Data\Vso
2010-02-03 19:27 . 2009-08-02 13:23 -------- d-----w- c:\program files\DVDFab 6
2010-02-02 19:47 . 2007-11-14 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-30 21:11 . 2010-01-30 21:09 23111 ----a-w- c:\windows\hpqins15.dat
2010-01-28 18:12 . 2010-01-28 17:58 -------- d-----w- c:\documents and settings\TPKNET\Application Data\FileZilla
2010-01-28 17:58 . 2010-01-28 17:58 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-23 01:51 . 2010-01-23 01:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-08 00:55 . 2009-07-14 21:33 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2009-01-16 16:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-01-16 16:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 22:35 . 2010-01-06 21:51 152202 ----a-w- c:\windows\hphins29.dat
2010-01-02 16:36 . 2009-01-17 02:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 18:52 . 2009-12-27 18:52 52224 ----a-w- c:\documents and settings\TPKNET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2003-06-19 17:05 . 2003-06-19 17:05 431888 --s-a-w- c:\program files\Common Files\riched20.dll
2009-12-04 01:18 . 2007-08-13 15:24 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-10-22 21:02 . 2007-10-22 21:02 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 307200]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-21 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-01 2012912]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-12-01 389120]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"nwiz"="nwiz.exe" [2006-06-01 1519616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-04 30192]
"EPSON Stylus C86 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" [2003-11-25 99840]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-21 39424]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 9134080]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 86016]
"SigmatelSysTrayApp"="sttray.exe" [2005-09-27 393216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\TPKNET\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2007-10-8 44384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-7-31 2680160]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-14 07:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SlimServer Tray Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SlimServer Tray Tool.lnk
backup=c:\windows\pss\SlimServer Tray Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-13 01:52 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-04-20 03:29 149024 ----a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-04-20 03:38 1945688 ----a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2007-04-20 03:24 1169744 ----a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2006-08-02 22:17 9134080 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 01:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-08-11 17:33 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-08-11 17:33 110592 ----a-w- c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfilerU]
2007-10-02 16:10 233472 ----a-w- c:\program files\Saitek\SD6\Software\ProfilerU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd]
2007-10-02 16:10 131072 ----a-w- c:\program files\Saitek\SD6\Software\SaiMfd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"slimsvc"=3 (0x3)
"QBFCService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"AcrSch2Svc"=2 (0x2)
"TQGKQV"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SlimServer 9000 tcp
"3483:UDP"= 3483:UDP:SlimServer 3483 udp
"3483:TCP"= 3483:TCP:SlimServer 3483 tcp
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-02 691696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-01 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-03-01 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 CADopia License Manager;CADopia License Manager;c:\orcad\OrCAD_10.5\INTELL~1\LicenseManager\lmgrd.exe [2003-05-02 609280]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R2 lmgrd;Flexlm;c:\orcad\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe [2003-05-02 609280]
R2 MVPMedia;MVPMedia;c:\progra~1\HAUPPA~1\MVPStart.exe [2007-01-22 53248]
R2 MVPMediaSvc;MVPMediaSvc;c:\progra~1\HAUPPA~1\Hardware\DglSvcMain.exe [2007-01-22 45056]
R2 NasPmService;NAS PM Service;c:\program files\BUFFALO\NASNAVI\nassvc.exe [2007-10-25 233472]
R2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys [x]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-04 30192]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\67.tmp [x]
R3 SaiH0255;SaiH0255;c:\windows\system32\DRIVERS\SaiH0255.sys [2007-05-01 132232]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-01 12872]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - OSAFSLOC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 19:47]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:18]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:18]

2010-03-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.microwebinc.com/links
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to MVP Favorite Radio Stations - c:\program files\Hauppauge MediaMVP\mvp.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: musicmatch.com\online
TCP: {B231E886-5737-4CD1-96DB-4E39F9399899} = 137.192.240.5,76.164.128.5
DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - hxxp://192.168.1.228/CSViewer.cab
FF - ProfilePath - c:\documents and settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.microwebinc.com/links
FF - component: c:\documents and settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.txt=Text-FileType
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 17:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\67.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(376)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(440)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(520)
c:\windows\system32\WININET.dll
.
Completion time: 2010-03-23 17:35:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-23 22:35

Pre-Run: 42,926,764,032 bytes free
Post-Run: 42,806,317,056 bytes free

Current=1 Default=1 Failed=8 LastKnownGood=3 Sets=1,2,3,7,8
- - End Of File - - 6062B9D1927528DE153BC76FE05F2B19

#4 RKinner, Malware Expert (Expert, 24,598 posts, MVP)
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:

File::
c:\windows\system32\DRIVERS\srenum.sys
c:\windows\system32\67.tmp

Driver::
srenum
MEMSWEEP2


******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to char1e and let it start as before.

Post the new log.

Try OTL again and let's see if it will run now.

Ron
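The two entries RKinner's CFScript targets (srenum and MEMSWEEP2) share features ComboFix makes visible in its service list: the image file is gone from disk (the "[x]" printed in place of date and size) and, for MEMSWEEP2, the ImagePath is a bare .tmp file in system32. The Python below is an added example, not part of this thread and not ComboFix's own code; it pulls the R?/S? service lines out of a ComboFix log, flags entries with either feature, and drafts a CFScript in the File::/Driver:: shape used above. The sample lines are copied from the log posted above; the flagging rules and the function names are this example's own choices. Treat hits as leads, not verdicts: a randomly named .tmp driver in system32 is also what Sophos Anti-Rootkit registers under the name MEMSWEEP2 for its memory sweep, and this log shows c:\program files\Sophos created on 2010-03-15, so confirm what an entry is before scripting its removal.

```python
"""Triage ComboFix 'R?/S?' driver and service lines and draft a CFScript.

Added example, not part of the original thread or of ComboFix itself.
The sample input is copied from the log posted above; the flagging
rules and function names are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: six service/driver lines lifted from the ComboFix log.
# ComboFix prints "[x]" in place of the date/size when the image is not on disk.
SAMPLE_LOG = r"""
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-02 691696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-01 12872]
R2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\67.tmp [x]
R3 SaiH0255;SaiH0255;c:\windows\system32\DRIVERS\SaiH0255.sys [2007-05-01 132232]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
"""

# R = running, S = stopped; the digit is the Windows start type (0 boot .. 4 disabled).
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str
    running: bool
    start_type: int
    on_disk: bool          # False when ComboFix printed "[x]"
    reasons: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return one ServiceEntry per R?/S? line; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            name=m["name"],
            display=m["display"],
            path=m["path"],
            running=m["state"] == "R",
            start_type=int(m["start"]),
            on_disk=m["stamp"] != "x",
        ))
    return entries


def triage(entries: list) -> list:
    """Attach a reason to every entry worth a second look and return those."""
    flagged = []
    for e in entries:
        if not e.on_disk:
            e.reasons.append("image file missing from disk")
        if e.path.lower().endswith(".tmp"):
            e.reasons.append("image path is a .tmp file")
        if e.reasons:
            flagged.append(e)
    return flagged


def build_cfscript(flagged: list) -> str:
    """Draft a CFScript in the shape used in the thread: File:: then Driver::."""
    lines = ["Killall:", "", "File::"]
    lines += [e.path for e in flagged]
    lines += ["", "Driver::"]
    lines += [e.name for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(parse_log(SAMPLE_LOG))
    for e in hits:
        print(f"{e.name:<12} {e.path}  <- {'; '.join(e.reasons)}")
    print()
    print(build_cfscript(hits))
```

Run it as a script to see the flagged entries and the drafted script. With another ComboFix log, hand the whole log text to parse_log: the pattern only matches service entries, so the firewall lists, scheduled tasks and the rest are skipped without any pre-cutting.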

#5 tpknet, Member (Topic Starter, 10 posts)
When I run ComboFix it says "antivirus: AntiVir Desktop" is running, and when I press OK to disable it, ComboFix gives me a warning saying the real-time scanner is still active and I can continue at my own risk.

I looked in Task Manager and I don't see that running. I just found a program, nircmd.cfxxe, that I didn't recognize.

What should I do?

Also, when it took 3 days to get a reply I posted this other topic, which can be removed if you want:
http://www.geekstogo...AM-t272121.html

I thought I was following the rules on the "if you aren't getting help" topic but must not have done it right.

Todd

#6 RKinner, Malware Expert (Expert, 24,598 posts, MVP)
The reason you didn't get a reply was that you did not post the 4 logs requested by the Malware Removal guidelines.

nircmd is part of ComboFix.

If you are sure your antivirus is off, then go ahead and run ComboFix. It usually doesn't hurt anything to have it on, though it will slow things down. Some antiviruses will eat ComboFix components. ComboFix gets its antivirus info from WMI, and if that's not running right this can be wrong.

Ron

Edited by RKinner, 24 March 2010 - 08:49 PM.


#7 tpknet, Member (Topic Starter, 10 posts)
I ran ComboFix and it rebooted fine. I then ran OTL (not in Safe Mode any more) and it seemed to run fine.

Here are the log files:

ComboFix 10-03-22.04 - TPKNET 03/24/2010 20:44:11.9.2 - x86 MINIMAL
Running from: c:\documents and settings\TPKNET\Desktop\charl1e.exe
Command switches used :: c:\documents and settings\TPKNET\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point

FILE ::
"c:\windows\system32\67.tmp"
"c:\windows\system32\DRIVERS\srenum.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Legacy_SRENUM
-------\Service_MEMSWEEP2
-------\Service_srenum


((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-16 16:29 . 2010-03-16 16:29 -------- d-----w- c:\program files\Western Digital Corporation
2010-03-15 19:02 . 2010-03-15 19:02 -------- d-----w- c:\program files\Sophos
2010-03-14 01:14 . 2010-03-14 01:14 -------- d-----w- c:\documents and settings\TPKNET\Local Settings\Application Data\IsolatedStorage
2010-03-10 04:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 17:11 . 2010-03-07 17:11 -------- d-----w- c:\program files\GARMIN
2010-03-07 17:10 . 2010-03-07 17:10 -------- d-----w- c:\documents and settings\TPKNET\WINDOWS
2010-03-06 16:24 . 2010-03-06 16:24 40960 ----a-r- c:\documents and settings\TPKNET\Application Data\Microsoft\Installer\{1ED1270A-B260-4AF8-83F7-33766F611EB9}\NewShortcut5_F946EEF9A44A45C3A4E7EEE014D4D3DD.exe
2010-03-06 16:24 . 2010-03-06 16:24 40960 ----a-r- c:\documents and settings\TPKNET\Application Data\Microsoft\Installer\{1ED1270A-B260-4AF8-83F7-33766F611EB9}\NewShortcut3_73608ABFE45D4092961364BF2182B7D5.exe
2010-03-06 16:24 . 2010-03-06 16:24 40960 ----a-r- c:\documents and settings\TPKNET\Application Data\Microsoft\Installer\{1ED1270A-B260-4AF8-83F7-33766F611EB9}\NewShortcut2_E4AA925E60AA4B4781E15914F58A69E6.exe
2010-03-06 16:24 . 2010-03-06 16:24 10134 ----a-r- c:\documents and settings\TPKNET\Application Data\Microsoft\Installer\{1ED1270A-B260-4AF8-83F7-33766F611EB9}\ARPPRODUCTICON.exe
2010-03-06 16:22 . 2010-03-06 16:22 -------- d-----w- c:\program files\ASA
2010-03-01 02:54 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-03-01 02:54 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-03-01 02:44 . 2007-09-06 22:56 98304 ----a-w- c:\windows\amcap.exe
2010-03-01 02:44 . 2008-02-21 23:15 3968 ----a-w- c:\windows\system32\drivers\DeNoise.sys
2010-03-01 02:44 . 2007-03-26 20:46 10252544 ----a-w- c:\windows\system32\drivers\snpstd3.sys
2010-03-01 02:44 . 2007-03-10 20:43 270336 ----a-w- c:\windows\tsnpstd3.exe
2010-03-01 02:44 . 2006-09-19 15:07 827392 ----a-w- c:\windows\vsnpstd3.exe
2010-03-01 02:44 . 2010-03-01 02:44 -------- d-----w- c:\program files\Common Files\snpstd3
2010-03-01 02:44 . 2007-03-12 17:41 61440 ----a-w- c:\windows\system32\vsnpstd3.dll
2010-03-01 02:44 . 2007-02-09 20:13 172032 ----a-w- c:\windows\system32\rsnpstd3.dll
2010-03-01 02:44 . 2005-11-23 19:55 53248 ----a-w- c:\windows\system32\csnpstd3.dll
2010-03-01 02:44 . 2005-11-23 19:55 53248 ----a-w- c:\windows\csnpstd3.dll
2010-02-23 04:43 . 2010-02-23 04:43 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 01:54 . 2006-10-17 13:31 -------- d-----w- c:\program files\Hauppauge MediaMVP
2010-03-24 16:38 . 2009-04-01 20:38 -------- d-----w- c:\documents and settings\TPKNET\Application Data\TeraCopy
2010-03-19 21:59 . 2010-01-06 21:58 -------- d-----w- c:\documents and settings\TPKNET\Application Data\HPAppData
2010-03-19 02:47 . 2009-04-02 21:25 -------- d-----w- c:\program files\TurboTax
2010-03-19 00:06 . 2006-10-14 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-03-16 18:55 . 2009-01-18 15:19 -------- d-----w- c:\program files\ERUNT
2010-03-16 16:32 . 2009-07-14 21:34 117760 ----a-w- c:\documents and settings\TPKNET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-15 02:32 . 2006-10-15 00:44 -------- d-----w- c:\documents and settings\TPKNET\Application Data\RipIt4Me
2010-03-06 16:05 . 2006-10-13 03:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-05 19:29 . 2007-07-19 17:47 30921 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-03-03 14:04 . 2008-10-09 20:31 -------- d-----w- c:\documents and settings\TPKNET\Application Data\Skype
2010-03-03 14:01 . 2008-10-09 20:32 -------- d-----w- c:\documents and settings\TPKNET\Application Data\skypePM
2010-03-01 14:32 . 2008-12-20 04:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 08:36 . 2006-10-13 02:31 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-01 08:29 . 2006-10-20 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-01 08:27 . 2006-10-20 20:44 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-02-24 15:16 . 2009-10-02 18:25 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-18 12:41 . 2006-12-04 17:45 -------- d-----w- c:\documents and settings\TPKNET\Application Data\Apple Computer
2010-02-18 05:46 . 2010-02-18 05:44 -------- d-----w- c:\program files\iTunes
2010-02-18 05:46 . 2010-02-18 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-18 05:44 . 2010-02-18 05:44 -------- d-----w- c:\program files\iPod
2010-02-18 05:44 . 2007-07-09 15:16 -------- d-----w- c:\program files\Common Files\Apple
2010-02-18 05:41 . 2007-05-29 13:39 -------- d-----w- c:\program files\QuickTime
2010-02-12 16:11 . 2010-02-12 16:11 -------- d-----w- c:\documents and settings\Admin\Application Data\ArcSoft
2010-02-11 20:54 . 2010-01-14 04:42 -------- d-----w- c:\documents and settings\TPKNET\Application Data\Pamela
2010-02-05 01:28 . 2006-10-14 03:40 -------- d-----w- c:\program files\Google
2010-02-03 19:40 . 2010-02-03 19:40 -------- d-----w- c:\documents and settings\TPKNET\Application Data\DVDFab
2010-02-03 19:27 . 2009-01-03 22:22 -------- d-----w- c:\documents and settings\TPKNET\Application Data\Vso
2010-02-03 19:27 . 2009-08-02 13:23 -------- d-----w- c:\program files\DVDFab 6
2010-02-02 19:47 . 2007-11-14 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-30 21:11 . 2010-01-30 21:09 23111 ----a-w- c:\windows\hpqins15.dat
2010-01-28 18:12 . 2010-01-28 17:58 -------- d-----w- c:\documents and settings\TPKNET\Application Data\FileZilla
2010-01-28 17:58 . 2010-01-28 17:58 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-23 01:51 . 2010-01-23 01:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-08 00:55 . 2009-07-14 21:33 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2009-01-16 16:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-01-16 16:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 22:35 . 2010-01-06 21:51 152202 ----a-w- c:\windows\hphins29.dat
2010-01-02 16:36 . 2009-01-17 02:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 18:52 . 2009-12-27 18:52 52224 ----a-w- c:\documents and settings\TPKNET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2003-06-19 17:05 . 2003-06-19 17:05 431888 --s-a-w- c:\program files\Common Files\riched20.dll
2009-12-04 01:18 . 2007-08-13 15:24 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-10-22 21:02 . 2007-10-22 21:02 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 307200]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-21 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-01 2012912]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-12-01 389120]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"nwiz"="nwiz.exe" [2006-06-01 1519616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-04 30192]
"EPSON Stylus C86 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" [2003-11-25 99840]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-21 39424]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 9134080]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 86016]
"SigmatelSysTrayApp"="sttray.exe" [2005-09-27 393216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\TPKNET\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2007-10-8 44384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-7-31 2680160]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-14 07:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SlimServer Tray Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SlimServer Tray Tool.lnk
backup=c:\windows\pss\SlimServer Tray Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-13 01:52 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-04-20 03:29 149024 ----a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-04-20 03:38 1945688 ----a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2007-04-20 03:24 1169744 ----a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2006-08-02 22:17 9134080 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 01:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-08-11 17:33 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-08-11 17:33 110592 ----a-w- c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfilerU]
2007-10-02 16:10 233472 ----a-w- c:\program files\Saitek\SD6\Software\ProfilerU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd]
2007-10-02 16:10 131072 ----a-w- c:\program files\Saitek\SD6\Software\SaiMfd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"slimsvc"=3 (0x3)
"QBFCService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"AcrSch2Svc"=2 (0x2)
"TQGKQV"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\program files\\OrCAD_10.5\\setconfig.exe"=
"c:\\program files\\OrCAD_10.5\\updates.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsdoc.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsinfo.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsmps.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsMsgServer.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsNameServer.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsRemshClient.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsRunHidden.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsUnzip.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdswhich.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cdsZip.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\cds_root.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\clsAdminTool.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\clsbd.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\clu.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\dregprint.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\mpsinfo.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\nmp.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\nmppath.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\obServer.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\van.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\bin\\versionviewer.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\capture.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\comp16.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\pcadi.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\pspiceexplorersrvr.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\pstswp.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\regsvr32.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\sch2cap.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\SETBROWS.EXE"=
"c:\\program files\\OrCAD_10.5\\tools\\capture\\tutorial\\CAPTUTOR.EXE"=
"c:\\program files\\OrCAD_10.5\\tools\\cdsdoc\\bin\\cdsdocIndexer.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\cdsdoc\\bin\\obServer.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\dfII\\bin\\cdsservipc.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\dfII\\bin\\skill.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\dfII\\bin\\skill_g.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\fet\\bin\\mkdefcfg.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\fet\\bin\\versiontool.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\javaws-1_2_0_02-windows-i586-i.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\java.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\javaw.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\jpicpl32.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\keytool.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\kinit.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\klist.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\ktab.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\orbd.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\policytool.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\rmid.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\rmiregistry.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\servertool.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\jre\\bin\\tnameserv.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\fvupdateutil.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gcad.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gcam.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gcdin.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\idfin.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\ipc356.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\layout.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\libcat.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\lsession.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\max2hyp.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxascb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxascx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxdxf.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxeco.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxfnetx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxminb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxminw.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxminx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxorcad.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxp99x.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxpadb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxpadx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxpcadb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxpcadx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxprotb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxprotx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxstrb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxstrx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxtangb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\maxtangx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\mfceco.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\orcadodb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\padb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\padx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\pcadb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\pcadx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\pcb2max.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\prcat.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\protb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\protx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\searchTool.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\setbrows.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\specin.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\strb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\strx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\tangb.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\tangx.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\to386.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\toidf.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\tomax.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\tospec.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\update90.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gtool\\fonts\\f2g.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gtool\\fonts\\g2r.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gtool\\program\\apstub.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gtool\\program\\custaped.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gtool\\program\\gerbline.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gtool\\program\\gerbtool.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\gtool\\system\\fixtbar.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\samples\\demo\\reset.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\sroute\\batch32.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\sroute\\sroute.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\tutorial\\laytutor.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\layout_plus\\vcadd\\vcadd32.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\appmgr.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\IndiceFileGeneration.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\lxcwin.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\Magneticdesigner.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\modeled.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\MrkSrvr.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\msgview.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\optimize.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\PDesign.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\psched.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\pspice.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\pspiceaa.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\pspiceexplorersrvr.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\psp_cmd.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\regsvr32.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\simmgr.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\simsrvr.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\pspice\\stmed.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\specctra\\bin\\specctra.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\bin\\cdsdocIndexer.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\bin\\merge.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\bin\\mkvdk.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\bin\\search.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\bin\\setup.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\bin\\v_uninst.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\callback.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\filter.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\htmlini.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\htmserv.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\index.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\jstree.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\jvtree.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\kvoop.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\regsvr32.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\summary.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\verity\\_nti40\\filters\\viewers\\amovie.exe"=
"c:\\program files\\OrCAD_10.5\\tools\\specctra\\bin\\specctra.com"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BUFFALO\\NASNAVI\\NasNavi.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SlimServer 9000 tcp
"3483:UDP"= 3483:UDP:SlimServer 3483 udp
"3483:TCP"= 3483:TCP:SlimServer 3483 tcp
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 CADopia License Manager;CADopia License Manager;c:\orcad\OrCAD_10.5\INTELL~1\LicenseManager\lmgrd.exe [2003-05-02 609280]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R2 lmgrd;Flexlm;c:\orcad\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe [2003-05-02 609280]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-04 30192]
R3 SaiH0255;SaiH0255;c:\windows\system32\DRIVERS\SaiH0255.sys [2007-05-01 132232]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-02 691696]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-01 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-03-01 66632]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 MVPMedia;MVPMedia;c:\progra~1\HAUPPA~1\MVPStart.exe [2007-01-22 53248]
S2 MVPMediaSvc;MVPMediaSvc;c:\progra~1\HAUPPA~1\Hardware\DglSvcMain.exe [2007-01-22 45056]
S2 NasPmService;NAS PM Service;c:\program files\BUFFALO\NASNAVI\nassvc.exe [2007-10-25 233472]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-01 12872]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 19:47]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:18]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:18]

2010-03-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.microwebinc.com/links
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to MVP Favorite Radio Stations - c:\program files\Hauppauge MediaMVP\mvp.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: musicmatch.com\online
TCP: {B231E886-5737-4CD1-96DB-4E39F9399899} = 137.192.240.5,76.164.128.5
DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - hxxp://192.168.1.228/CSViewer.cab
FF - ProfilePath - c:\documents and settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.microwebinc.com/links
FF - component: c:\documents and settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 21:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spda.sys >>UNKNOWN [0x8AE3A938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba674cb8
\Driver\atapi -> atapi.sys @ 0xba609b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> 0x8a8ee1b0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> 0x8a8ee1b0
NDIS: Intel® PRO/1000 PL Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xba512bb0
PacketIndicateHandler -> NDIS.sys @ 0xba501a0d
SendHandler -> NDIS.sys @ 0xba515b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1012)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2648)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\progra~1\HAUPPA~1\Hardware\HcwSms.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\sttray.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosHdpProc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-03-24 21:23:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 02:23
ComboFix2.txt 2010-03-23 22:35

Pre-Run: 42,820,325,376 bytes free
Post-Run: 42,656,628,736 bytes free

Current=1 Default=1 Failed=8 LastKnownGood=3 Sets=1,2,3,7,8
- - End Of File - - 206C90C10E5B4D36A5CCC6D057D592F5

OTL logfile created on: 3/24/2010 9:26:26 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\TPKNET\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 39.76 Gb Free Space | 31.07% Space Free | Partition Type: NTFS
Drive D: | 244.62 Gb Total Space | 32.92 Gb Free Space | 13.46% Space Free | Partition Type: NTFS
Drive E: | 244.14 Gb Total Space | 190.67 Gb Free Space | 78.10% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 687.36 Gb Total Space | 36.77 Gb Free Space | 5.35% Space Free | Partition Type: NTFS
Drive I: | 465.76 Gb Total Space | 71.22 Gb Free Space | 15.29% Space Free | Partition Type: NTFS
Drive J: | 698.64 Gb Total Space | 61.58 Gb Free Space | 8.81% Space Free | Partition Type: NTFS

Computer Name: CORE-2-DESKTOP
Current User Name: TPKNET
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/19 19:40:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TPKNET\Desktop\OTL.exe
PRC - [2010/03/01 09:32:26 | 002,012,912 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2009/12/21 00:45:56 | 000,039,424 | ---- | M] (Nullsoft) -- C:\Program Files\Winamp\winampa.exe
PRC - [2009/12/03 20:18:41 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2009/12/01 08:55:10 | 000,389,120 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieCtrl.exe
PRC - [2009/12/01 08:55:10 | 000,066,560 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe
PRC - [2009/10/30 06:57:08 | 000,369,200 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009/10/10 14:32:18 | 000,305,664 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2009/10/10 14:32:18 | 000,203,264 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/07/31 18:36:14 | 002,680,160 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2009/07/31 14:23:22 | 000,354,128 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosHdpProc.exe
PRC - [2009/07/30 22:20:04 | 000,144,752 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/06/08 15:34:58 | 000,660,808 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2009/06/03 16:33:14 | 000,308,552 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/01/09 16:54:42 | 002,262,352 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2008/10/21 03:48:52 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/08/01 14:29:56 | 000,075,080 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
PRC - [2008/07/24 12:25:00 | 000,111,944 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
PRC - [2008/07/24 12:24:24 | 000,083,272 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2008/05/01 23:15:46 | 000,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/25 13:38:00 | 000,233,472 | ---- | M] () -- C:\Program Files\BUFFALO\NASNAVI\nassvc.exe
PRC - [2007/03/10 15:43:52 | 000,270,336 | ---- | M] () -- C:\WINDOWS\tsnpstd3.exe
PRC - [2007/01/27 09:42:48 | 000,044,384 | ---- | M] (Antony Lewis) -- C:\Program Files\WordWeb\wweb32.exe
PRC - [2007/01/22 18:07:48 | 000,053,248 | ---- | M] (Hauppauge Computer Works) -- C:\Program Files\Hauppauge MediaMVP\MVPStart.exe
PRC - [2007/01/22 18:06:38 | 000,122,880 | ---- | M] (Hauppauge Computer Works, Inc.) -- C:\Program Files\Hauppauge MediaMVP\Hardware\HcwSMS.exe
PRC - [2007/01/22 18:06:14 | 000,045,056 | ---- | M] (Hauppauge Computer Works, Inc.) -- C:\Program Files\Hauppauge MediaMVP\Hardware\DglSvcMain.exe
PRC - [2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 13:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2006/11/03 20:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/09/19 10:07:28 | 000,827,392 | ---- | M] () -- C:\WINDOWS\vsnpstd3.exe
PRC - [2005/10/14 05:51:12 | 000,239,320 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2005/10/14 03:53:50 | 000,087,768 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2005/09/27 12:49:22 | 000,393,216 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2004/08/04 05:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe
PRC - [2004/01/08 09:50:00 | 000,037,888 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE


========== Modules (SafeList) ==========

MOD - [2010/03/19 19:40:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TPKNET\Desktop\OTL.exe
MOD - [2008/05/01 23:15:35 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2008/04/13 19:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2004/01/08 09:50:00 | 000,024,064 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL
MOD - [2004/01/08 09:50:00 | 000,006,144 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\LgWndHk.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/03 20:18:41 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
SRV - [2009/12/01 08:55:10 | 000,066,560 | ---- | M] (tzuk) [Auto | Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/09/16 19:01:16 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/30 22:20:04 | 000,144,752 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/13 19:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2008/04/13 19:12:02 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2007/10/25 13:38:00 | 000,233,472 | ---- | M] () [Auto | Running] -- C:\Program Files\BUFFALO\NASNAVI\nassvc.exe -- (NasPmService)
SRV - [2007/07/24 17:57:06 | 000,074,360 | ---- | M] (Autodesk, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2007/05/10 10:54:26 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2007/04/19 22:29:44 | 000,411,168 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/01/22 18:07:48 | 000,053,248 | ---- | M] (Hauppauge Computer Works) [Auto | Running] -- C:\Program Files\Hauppauge MediaMVP\MVPStart.exe -- (MVPMedia)
SRV - [2007/01/22 18:06:14 | 000,045,056 | ---- | M] (Hauppauge Computer Works, Inc.) [Auto | Running] -- C:\Program Files\Hauppauge MediaMVP\Hardware\DglSvcMain.exe -- (MVPMediaSvc)
SRV - [2006/12/02 06:17:54 | 002,805,000 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2006/11/09 18:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/09/20 10:12:20 | 006,352,963 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\SlimServer\server\slim.exe -- (slimsvc)
SRV - [2005/10/14 05:51:46 | 028,768,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2005/10/14 05:51:12 | 000,239,320 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2005/10/14 05:50:20 | 000,045,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2005/10/14 03:53:50 | 000,087,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/03/07 13:30:46 | 000,180,224 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2004/08/04 05:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (SimpTcp)
SRV - [2004/08/04 05:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)
SRV - [2003/05/02 01:15:52 | 000,609,280 | R--- | M] (Macrovision Corporation) [Auto | Stopped] -- C:\OrCAD\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe -- (lmgrd)
SRV - [2003/05/02 01:15:52 | 000,609,280 | R--- | M] (Macrovision Corporation) [Auto | Stopped] -- C:\OrCAD\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe -- (CADopia License Manager)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microwebinc.com/links
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.microwebinc.com/links"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:0.6.4
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/30 16:10:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/18 00:41:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 00:41:25 | 000,000,000 | ---D | M]

[2009/03/23 11:22:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Extensions
[2010/02/26 18:34:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions
[2009/08/17 13:43:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/29 09:49:57 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/11/17 15:41:28 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/02/17 10:21:48 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2008/02/06 19:24:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\LDSI_plashcor@gmail(2).com
[2010/02/17 10:21:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\[email protected]
[2007/12/12 19:18:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Mozilla\Firefox\Profiles\8lshjtg1.default\extensions\[email protected]
[2010/02/26 18:34:25 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/16 02:28:50 | 000,155,648 | ---- | M] (Solidworks Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npEModelPlugin.dll
[2009/12/21 00:47:02 | 000,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2010/03/24 21:15:49 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe ()
O4 - HKLM..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe ()
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\TPKNET\Start Menu\Programs\Startup\WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (Antony Lewis)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to MVP Favorite Radio Stations - C:\Program Files\Hauppauge MediaMVP\mvp.htm ()
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} http://chil.solidwor...elsStandard.cab (EModelNonVersionSpecificViewControl Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} http://www.linkedin....nderControl.cab (LinkedIn ContactFinderControl)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1160746614294 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1177609958031 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Value error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} http://192.168.1.228/CSViewer.cab (CSViewer Control)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\TPKNET\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\TPKNET\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/30 23:37:22 | 000,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/24 20:50:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/03/23 13:44:42 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/23 13:44:42 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/23 13:44:42 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/23 13:44:42 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/23 13:44:24 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/19 19:40:27 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\TPKNET\Desktop\OTL.exe
[2010/03/16 11:29:54 | 000,000,000 | ---D | C] -- C:\Program Files\Western Digital Corporation
[2010/03/15 14:02:19 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/03/13 20:23:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\IsolatedStorage
[2010/03/13 20:14:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TPKNET\Local Settings\Application Data\IsolatedStorage
[2010/02/28 21:44:51 | 000,172,032 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnpstd3.dll
[2010/02/28 21:44:51 | 000,061,440 | ---- | C] ( ) -- C:\WINDOWS\System32\vsnpstd3.dll
[2010/02/28 21:44:51 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd3.dll
[2010/02/28 21:44:51 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\csnpstd3.dll
[2010/01/06 11:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/06 11:18:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/10/04 12:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/01/05 11:35:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/05 11:35:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/01/05 11:35:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/01/05 11:35:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/01/03 17:22:48 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\TPKNET\Application Data\pcouffin.sys
[2008/04/23 22:20:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/07/24 10:40:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2007/04/27 03:02:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2007/01/05 01:07:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2007/01/05 01:07:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2003/06/19 12:05:04 | 000,431,888 | --S- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\riched20.dll
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[16 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/24 21:17:09 | 000,492,272 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/24 21:17:09 | 000,090,412 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/24 21:17:08 | 000,594,396 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/24 21:16:24 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/24 21:15:49 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/24 21:15:39 | 000,012,620 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/24 21:15:39 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/24 20:57:14 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/03/24 20:54:33 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/03/24 20:54:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/24 20:54:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/24 20:53:02 | 013,631,488 | ---- | M] () -- C:\Documents and Settings\TPKNET\ntuser.dat
[2010/03/24 20:53:02 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\TPKNET\ntuser.ini
[2010/03/24 20:52:59 | 004,401,936 | -H-- | M] () -- C:\Documents and Settings\TPKNET\Local Settings\Application Data\IconCache.db
[2010/03/23 15:33:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/23 11:32:20 | 003,898,395 | R--- | M] () -- C:\Documents and Settings\TPKNET\Desktop\charl1e.exe
[2010/03/20 11:22:09 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\TPKNET\Desktop\Outlook.lnk
[2010/03/19 19:59:59 | 000,002,080 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2010/03/19 19:56:37 | 000,063,804 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/19 19:40:32 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TPKNET\Desktop\OTL.exe
[2010/03/19 15:06:10 | 000,015,980 | ---- | M] () -- C:\WINDOWS\UEDIT32.INI
[2010/03/19 14:01:21 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/18 21:25:24 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/03/17 17:32:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/16 13:55:50 | 000,000,605 | ---- | M] () -- C:\Documents and Settings\TPKNET\Desktop\ERUNT.lnk
[2010/03/15 14:05:00 | 000,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2010/03/15 02:06:54 | 000,001,220 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/14 21:42:32 | 000,002,425 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Paint Shop Pro 7.lnk
[2010/03/14 13:25:09 | 000,025,686 | ---- | M] () -- C:\Documents and Settings\TPKNET\Desktop\Saitek_X-52_Joystick_Calibration_Script_All_Sims.pdf
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[16 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\rifazite
[2010/03/23 13:44:42 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/23 13:44:42 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/23 13:44:42 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/23 13:44:42 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/23 13:44:42 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/23 11:32:10 | 003,898,395 | R--- | C] () -- C:\Documents and Settings\TPKNET\Desktop\charl1e.exe
[2010/03/19 18:09:22 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\TPKNET\Desktop\1zx_69.exe
[2010/03/16 13:55:50 | 000,000,605 | ---- | C] () -- C:\Documents and Settings\TPKNET\Desktop\ERUNT.lnk
[2010/03/14 13:25:09 | 000,025,686 | ---- | C] () -- C:\Documents and Settings\TPKNET\Desktop\Saitek_X-52_Joystick_Calibration_Script_All_Sims.pdf
[2010/03/13 20:17:28 | 000,002,393 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/02/28 21:44:56 | 000,015,498 | ---- | C] () -- C:\WINDOWS\snpstd3.ini
[2010/02/28 21:44:55 | 000,003,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\DeNoise.sys
[2010/01/06 16:51:42 | 000,001,896 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/12/07 12:14:34 | 000,073,816 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/11/21 19:50:25 | 000,000,473 | ---- | C] () -- C:\WINDOWS\IfoEdit.INI
[2009/11/11 11:04:35 | 000,001,413 | ---- | C] () -- C:\WINDOWS\System32\pfdnnt_actions.sys
[2009/03/31 15:53:03 | 000,010,929 | ---- | C] () -- C:\WINDOWS\UN060501.INI
[2009/01/16 21:42:18 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/01/08 13:22:49 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2009/01/05 15:35:49 | 000,002,080 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2009/01/03 17:22:54 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\TPKNET\Application Data\pcouffin.log
[2009/01/03 17:22:48 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\TPKNET\Application Data\pcouffin.cat
[2009/01/03 17:22:48 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\TPKNET\Application Data\pcouffin.inf
[2008/11/01 13:57:02 | 000,111,376 | ---- | C] () -- C:\WINDOWS\System32\expat.dll
[2008/11/01 13:57:02 | 000,040,352 | ---- | C] () -- C:\WINDOWS\System32\agcrypto.dll
[2008/09/23 19:51:45 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2008/02/27 12:08:06 | 000,042,537 | RH-- | C] () -- C:\WINDOWS\System32\srosa.sys
[2008/02/26 22:03:07 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2008/01/09 16:01:48 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2007/12/20 16:13:05 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2007/12/20 16:13:02 | 001,559,040 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/12/20 16:13:02 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/12/20 16:13:01 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/12/20 16:13:01 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/10/22 16:02:37 | 000,010,856 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/10/22 14:41:33 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc
[2007/09/08 13:09:37 | 000,290,904 | R--- | C] () -- C:\WINDOWS\System32\vc6-re200l.dll
[2007/05/10 10:54:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2007/05/01 17:11:28 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\SaiC0255_0C.dll
[2007/05/01 17:11:28 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0255_10.dll
[2007/05/01 17:11:28 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0255_0A.dll
[2007/05/01 17:11:28 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\SaiC0255_09.dll
[2007/05/01 17:11:28 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\SaiC0255_11.dll
[2007/05/01 17:11:26 | 000,847,872 | ---- | C] () -- C:\WINDOWS\System32\SaiC0255.Dll
[2007/05/01 17:11:26 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0255_07.dll
[2007/05/01 17:11:26 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\SaiC0255_0402.dll
[2007/04/26 20:49:59 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2007/04/26 20:49:45 | 000,000,045 | ---- | C] () -- C:\WINDOWS\EPSONC86.ini
[2007/04/26 18:51:51 | 000,161,792 | ---- | C] () -- C:\WINDOWS\System32\crownmon.dll
[2007/04/26 18:51:51 | 000,099,328 | ---- | C] () -- C:\WINDOWS\System32\crnsnmp.dll
[2007/04/26 18:51:51 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\crnutil.dll
[2007/04/04 17:19:06 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2007/04/04 17:14:27 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2007/04/04 17:14:27 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2007/04/04 17:12:23 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2007/04/04 17:10:04 | 000,000,152 | ---- | C] () -- C:\WINDOWS\EPSON Perfection 3200 Installer.ini
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/01/30 23:40:10 | 000,194,248 | ---- | C] () -- C:\WINDOWS\System32\LTRFD13n.DLL
[2007/01/30 23:37:22 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\macd32.dll
[2007/01/30 23:37:22 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2007/01/30 23:37:22 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\mamc32.dll
[2007/01/30 23:37:22 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\masd32.dll
[2007/01/30 23:37:22 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2007/01/30 23:37:22 | 000,001,289 | ---- | C] () -- C:\WINDOWS\VFO.INI
[2007/01/24 11:34:30 | 000,000,608 | ---- | C] () -- C:\WINDOWS\3DHOME.INI
[2007/01/16 00:10:12 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/12/30 18:04:26 | 000,002,927 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/11/09 10:46:43 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/11/09 10:46:42 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/11/09 10:46:42 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/11/09 10:46:42 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/11/09 10:46:42 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/11/09 10:46:42 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/10/23 11:35:58 | 000,000,146 | ---- | C] () -- C:\WINDOWS\capture.INI
[2006/10/20 09:37:46 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\THBIni20.dll
[2006/10/18 10:14:18 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\TPKNET\Local Settings\Application Data\fusioncache.dat
[2006/10/18 10:09:55 | 000,000,104 | ---- | C] () -- C:\WINDOWS\WinInit.Ini
[2006/10/17 16:05:59 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2006/10/16 10:08:40 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\TPKNET\Application Data\$_hpcst$.hpc
[2006/10/13 23:41:26 | 000,164,864 | ---- | C] () -- C:\Documents and Settings\TPKNET\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/13 20:19:25 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/10/13 20:17:08 | 000,000,121 | ---- | C] () -- C:\Documents and Settings\TPKNET\Application Data\FixVTS.ini
[2006/10/13 20:05:09 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\CuteZipShell.dll
[2006/10/13 19:57:34 | 000,015,980 | ---- | C] () -- C:\WINDOWS\UEDIT32.INI
[2006/10/13 19:09:44 | 000,903,168 | ---- | C] () -- C:\WINDOWS\System32\mitmdl30.dll
[2006/10/13 19:09:44 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\lffax60n.dll
[2006/10/13 19:09:44 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\lfcmp60n.dll
[2006/10/13 19:09:44 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\lfpng60n.dll
[2006/10/13 19:09:44 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\lftif60n.dll
[2006/10/13 19:09:44 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\lfpcx60n.dll
[2006/10/13 19:09:44 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\lfpct60n.dll
[2006/10/13 19:09:44 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\lfeps60n.dll
[2006/10/13 19:09:44 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\lfbmp60n.dll
[2006/10/13 19:09:44 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\lfpsd60n.dll
[2006/10/13 19:09:44 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\lftga60n.dll
[2006/10/13 19:09:44 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\lfwpg60n.dll
[2006/10/13 19:09:44 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\lfwmf60n.dll
[2006/10/13 19:09:44 | 000,018,432 | ---- | C] () -- C:\WINDOWS\System32\lfmsp60n.dll
[2006/10/13 19:09:44 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\lfmac60n.dll
[2006/10/13 15:34:06 | 000,023,040 | R--- | C] () -- C:\WINDOWS\System32\drivers\GVCplDrv.sys
[2006/10/12 21:32:12 | 000,000,840 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/01 04:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/06/01 04:22:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/01 04:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/06/01 04:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/06/01 04:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/06/01 04:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/01 04:22:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/03/07 13:30:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_RUS.dll
[2005/03/07 13:30:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ITA.dll
[2005/03/07 13:30:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_FRA.dll
[2005/03/07 13:30:46 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\Tsp.dll
[2005/03/07 13:30:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ESN.dll
[2005/03/07 13:30:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ENU.dll
[2005/03/07 13:30:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_DEU.dll
[2005/03/07 13:30:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_CHS.dll
[2004/08/03 19:56:46 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/03 03:25:59 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\dlportio.sys
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2007/07/24 18:00:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2009/01/05 11:36:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2006/12/05 10:18:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avocent AdminWorks
[2009/02/28 20:34:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2007/07/19 12:35:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2009/11/08 10:34:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2009/01/05 11:35:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2007/01/31 00:11:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2007/01/31 00:14:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
[2006/10/20 15:44:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2008/03/08 13:54:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Saitek
[2007/10/29 15:01:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2008/09/23 19:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2007/01/30 23:38:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2008/02/26 10:33:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/23 14:41:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TOSHIBA
[2009/04/01 15:13:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/02/18 00:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/29 08:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/11/03 21:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Audacity
[2007/07/24 18:01:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Autodesk
[2009/01/07 22:37:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\BitTyrant
[2009/01/08 09:02:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\DAEMON Tools
[2009/06/05 16:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\DAEMON Tools Lite
[2009/01/08 09:02:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\DAEMON Tools Pro
[2010/02/03 14:40:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\DVDFab
[2007/04/04 17:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\EPSON
[2006/11/09 10:43:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\FarStone
[2010/01/28 13:12:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\FileZilla
[2009/11/20 21:47:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\FreeVideoConverter
[2006/10/13 20:03:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\GlobalSCAPE
[2008/12/19 23:20:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\gtk-2.0
[2009/11/20 18:59:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\ImgBurn
[2006/11/09 10:47:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\InterVideo
[2009/01/18 10:26:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\IObit
[2007/04/26 20:52:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Leadertech
[2007/10/30 12:21:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\LinkedIn
[2007/05/03 09:49:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\MusicIP
[2006/11/09 10:31:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Musicmatch
[2007/04/26 12:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\OfficeUpdate12
[2010/02/11 15:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Pamela
[2008/02/19 12:52:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Publish Providers
[2009/11/04 22:00:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Red Kawa
[2009/11/20 19:53:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Regensoft
[2010/03/14 21:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\RipIt4Me
[2007/02/26 20:04:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Seattle Avionics
[2008/02/19 12:51:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Sony
[2008/02/19 12:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Sony Setup
[2007/02/21 13:13:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\STOIK
[2010/03/24 21:26:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\TeraCopy
[2010/02/03 14:27:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\Vso
[2008/06/12 08:32:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TPKNET\Application Data\webex
[2010/03/24 20:57:14 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
< End of report >
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Looking pretty good. I do see a suspicious folder:

C:\WINDOWS\System32\rifazite

I'd manually delete it. If you don't know how, we can run OTL or ComboFix again and get rid of it that way.

Also, I think you should uninstall IObit.
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

It's a Chinese ripoff of MBAM.

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


I usually recommend a free BitDefender online scan as a final check to see if we missed anything. http://www.bitdefend...nline/free.html

If Windows blocks the ActiveX control, try putting BitDefender in your trusted sites: in IE, Tools, Internet Options, Security, Trusted Sites, Sites. Then uncheck the HTTPS box, put in *.bitdefender.com, then Add. OK.


Ron
  • 0
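The OTL entries above are one item per line in a fixed format, and the kind of triage Ron applies to them (an unfamiliar extensionless item sitting directly in System32, an alternate data stream on the TEMP folder) is mechanical enough to script. The following is an added example, not part of the thread and not OTL's own code: a small Python parser for that line format with the same review heuristics, run over lines copied from the log above plus one constructed line standing in for the rifazite item (its date, size and attributes are assumed; the page does not show its OTL entry). The scan date used for the "recent change" check is also an assumption, since the log header is not in this part of the thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the OTL report format used in this thread. The first two
# lines, the folder line, the .job line and the ADS line are copied from the log
# above; the rifazite line is hypothetical (its date, size and attributes are
# assumed; the page only says it was an extensionless file in System32).
SAMPLE_LOG = """\
[2006/10/13 19:09:44 | 000,022,016 | ---- | C] () -- C:\\WINDOWS\\System32\\lfbmp60n.dll
[2006/10/13 15:34:06 | 000,023,040 | R--- | C] () -- C:\\WINDOWS\\System32\\drivers\\GVCplDrv.sys
[2010/03/10 02:11:09 | 000,061,440 | ---- | C] () -- C:\\WINDOWS\\System32\\rifazite
[2009/11/08 10:34:41 | 000,000,000 | ---D | M] -- C:\\Documents and Settings\\All Users\\Application Data\\DAEMON Tools Lite
[2010/03/24 20:57:14 | 000,000,330 | -H-- | M] () -- C:\\WINDOWS\\Tasks\\MP Scheduled Scan.job
@Alternate Data Stream - 110 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:888AFB86
< End of report >
"""

# Assumed scan date: the log header is not shown in this part of the thread, but
# the .job entry above was modified on 2010/03/24, so the scan ran on or after that.
SCAN_DATE = datetime(2010, 3, 25)

# [stamp | size | attrs | C or M] (company) -- path   (the "(...)" part is absent for folders)
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

SYSTEM32 = "c:\\windows\\system32"


@dataclass
class Entry:
    path: str
    stamp: Optional[datetime]  # None for ADS lines, which carry no timestamp
    size: int
    attrs: str                 # R/H/S/D flag positions, '-' when unset; '' for ADS
    kind: str                  # 'C' created, 'M' modified, or 'ADS'
    company: Optional[str]     # '' when OTL printed "()", None when the field is absent

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_otl(text: str) -> List[Entry]:
    """Parse OTL file/folder entries and ADS lines; section headers and other text are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                path=m["path"],
                stamp=datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S"),
                size=int(m["size"].replace(",", "")),
                attrs=m["attrs"],
                kind=m["kind"],
                company=m["company"],
            ))
            continue
        m = ADS_RE.match(line)
        if m:
            entries.append(Entry(m["path"], None, int(m["size"]), "", "ADS", None))
    return entries


def triage(entries: List[Entry], scan_date: datetime, recent_days: int = 30) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries a human should look at. These are the
    informal heuristics used in the thread, not anything OTL itself computes."""
    cutoff = scan_date - timedelta(days=recent_days)
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if e.kind == "ADS":
            reasons.append("alternate data stream attached to a file or folder")
        else:
            parent, _, name = e.path.rpartition("\\")
            if not e.is_dir and parent.lower() == SYSTEM32 and "." not in name:
                reasons.append("extensionless file directly in System32")
            if e.stamp is not None and e.stamp >= cutoff and e.path.lower().startswith("c:\\windows\\"):
                verb = "created" if e.kind == "C" else "modified"
                reasons.append(f"{verb} within {recent_days} days of the scan under C:\\WINDOWS")
        if reasons:
            flagged[e.path] = reasons
    return flagged


def demo_triage() -> Dict[str, List[str]]:
    """Run the parser and triage over the sample log with the assumed scan date."""
    return triage(parse_otl(SAMPLE_LOG), SCAN_DATE)


if __name__ == "__main__":
    for path, reasons in demo_triage().items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The output is a review list, not a verdict: the scheduled-task .job file is flagged only because it changed recently under C:\WINDOWS, which is exactly the kind of item a reviewer glances at and clears, while the extensionless System32 file and the stream on a TEMP folder are the two things Ron singled out. Feed it a full OTL report and it will also pick up ordinary driver and DLL entries that happen to be recent, so the date window is a parameter rather than a fixed value.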

#9
tpknet

tpknet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
There was a file named rifazite with no extension in the System32 folder, not a folder. I deleted it.

I did all the rest and the BitDefender scan came up clean.

I found out by searching the internet that the randomly named rootkit the old AVG antivirus was finding is probably from DAEMON Tools Lite. I am not sure what was causing my computer to crash. I assume you found something we got rid of.

Tpknet.
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
The first ComboFix run took out some stuff that looked suspicious, so I suppose that was the problem. I saw the drivers from DAEMON Tools but left them in since they usually don't hurt anything. Unless you have other issues, I think we are done.

You may not have the latest Java. Get the latest at:

http://www.java.com/...nload/index.jsp


Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files, you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

Ron
  • 0

#11
tpknet

tpknet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks for your help.
  • 0