# Some Kind of Bug?



## wdauser (Mar 30, 2011)

```
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Professional, Service Pack 2, 32 bit
Processor: Intel(R) Pentium(R) M processor 2.13GHz, x86 Family 6 Model 13 Stepping 8
Processor Count: 1
RAM: 1015 Mb
Graphics Card: Mobile Intel(R) 915GM/GMS,910GML Express Chipset Family, 128 Mb
Hard Drives: C: Total - 57137 MB, Free - 19092 MB;
Motherboard: Dell Inc., 0XD762
Antivirus: None
```


My issues are strange. I get about 5 minutes after boot to get into any application. I have a 'black bar' across my menu selections. I did have the super slow computer and Google search results going weird places.

My spyware search found only "DSO exploit" and I thought I resolved this but apparently not.

Any assistance is appreciated.


----------



## wdauser (Mar 30, 2011)

I was able to get a HijackThis log to generate! It took a few tries, but...

```
Logfile of HijackThis v1.99.0
Scan saved at 10:59:17 PM, on 9/9/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\program files\real\realplayer\update\realsched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\Rar$EX01.109\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: vbAccelerator Grid Control - {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67} - C:\Documents and Settings\willie_dinish\Desktop\Malwarebytes' Anti-Malware\vbalsgrid6.ocx (file missing)
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - 
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
```

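The HijackThis log above, as a triage exercise. The following Python script is an added example, not part of the original thread and not code from HijackThis or its authors: it parses lines in the HijackThis entry format and flags the items a helper usually asks about first (orphaned BHO/toolbar references, ActiveX (DPF) entries with no download URL, autoruns launched from user-writable folders, and non-default IE start/search pages). The sample lines are copied from the log above and the rules are heuristics I chose for illustration; a flagged line is a candidate for review, not a verdict.

```python
"""Heuristic triage of HijackThis-format log lines (added example, not a HijackThis component)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)",
    r"O3 - Toolbar: vbAccelerator Grid Control - {C5DA1F2B-B2BF-4DFC-BC9A-439133543A67} - C:\Documents and Settings\willie_dinish\Desktop\Malwarebytes' Anti-Malware\vbalsgrid6.ocx (file missing)",
    r"O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe",
    r'O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c',
    r"O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab",
    r"O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - ",
    r"O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe",
]

# Every HijackThis entry starts with a section code (R0..R3, O1..O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# HijackThis prints these when the registry points at a component that no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Folders an ordinary user can write to; an autorun launched from here deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")
# Host used by the stock IE start/search page entries (seen in the R0/R1 lines of this log).
IE_DEFAULT_HOSTS = ("go.microsoft.com",)


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section code, e.g. "O2"
    reason: str  # short tag naming the rule that fired
    line: str    # the original log line


def parse_entry(line):
    """Return (kind, body) for a HijackThis entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def check_entry(kind, body, line):
    """Apply the triage rules to one entry and return the findings (possibly none)."""
    findings = []
    lowered = body.lower()
    if any(marker in lowered for marker in ORPHAN_MARKERS):
        findings.append(Finding(kind, "orphaned-reference", line))
    if kind == "O16":
        # DPF entries end with " - <download URL>"; an empty tail means the
        # control's origin was not recorded, which is worth asking the user about.
        tail = body.rsplit(" - ", 1)[-1].strip()
        if not tail.startswith(("http://", "https://")):
            findings.append(Finding(kind, "dpf-missing-url", line))
    if kind == "O4" and any(seg in lowered for seg in USER_WRITABLE):
        findings.append(Finding(kind, "autorun-from-user-writable-path", line))
    if kind in ("R0", "R1"):
        # Start/search page lines read "...,Start Page = <URL>"; flag anything that
        # is not the stock Microsoft redirect so a possible browser hijack is reviewed.
        url = body.split("=", 1)[-1].strip()
        if (urlparse(url).hostname or "") not in IE_DEFAULT_HOSTS:
            findings.append(Finding(kind, "non-default-ie-page", line))
    return findings


def triage(lines):
    """Run every line of a HijackThis log through the rules and collect the findings."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed:
            findings.extend(check_entry(parsed[0], parsed[1], line.rstrip()))
    return findings


def summarize(findings):
    """Count findings per rule tag, for a quick first glance at a long log."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.reason}: {f.line}")
    print(summarize(results))
```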

----------



## wdauser (Mar 30, 2011)

I was able to get a DDS file to successfully generate.

```
.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702
Run by willie_dinish at 21:02:19 on 2012-09-10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.468 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: vbAccelerator Grid Control: {c5da1f2b-b2bf-4dfc-bc9a-439133543a67} - c:\documents and settings\willie_dinish\desktop\malwarebytes' anti-malware\vbalsgrid6.ocx
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\willie_dinish\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\willie~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\SpySub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC}
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: RegCompact - RegCompact.dll
LSA: Notification Packages = scecli
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-9 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-4-10 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-4-10 59664]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-5-9 348752]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-4-10 33552]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2010-2-3 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2010-2-3 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2010-2-3 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2010-2-3 10368]
S3 Normandy;Normandy SR2; [x]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-5-9 1095560]
.
=============== Created Last 30 ================
.
2012-09-03 03:02:38 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-09-03 03:02:38 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-08-25 06:23:59 -------- d-----w- c:\windows\system32\syncdb
.
==================== Find3M ====================
.
.
============= FINISH: 21:07:26.43 ===============
```


----------



## wdauser (Mar 30, 2011)

I'm not sure if I've done these posts correctly. I can't seem to find a way to attach files to my post.

Any assistance is appreciated.


----------



## Cookiegal (Aug 27, 2003)

That's a very old version of HijackThis. Please uninstall it.

The report shows that you're currently running XP with only SP2. Why have you never installed SP3?


----------



## wdauser (Mar 30, 2011)

Computer froze in my last attempt to respond. In any case, the computer OS is as I received it. Kept my HijackThis from some time back, as a safety net for times like this. It was the only thing that would install. Per your request I'll uninstall that.

How should I proceed after that?


----------



## wdauser (Mar 30, 2011)

Old HijackThis removed. Still only getting about 5 minutes of usable time before I must reboot the machine.

How should I proceed next?


----------



## Cookiegal (Aug 27, 2003)

Please run the MGA Diagnostic Tool and post back the report it creates:

- Download *MGADiag* to your desktop.
- Double-click on MGADiag.exe to launch the program.
- Click "Continue".
- Ensure that the "Windows" tab is selected (it should be by default).
- Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
- Paste the MGA Diagnostic Report back here in your next reply.

Also please do this:

Please download *WVCheck* and save it to your desktop.

- Double-click WVCheck.exe to run it. (If you downloaded the zipped version you will need to extract it first.)
- As indicated by the prompt, this program can take a while depending on your hard drive space.
- Once the program is done, copy the contents of the notepad file as a reply.


----------



## wdauser (Mar 30, 2011)

MGADiag report enclosed.

```
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 76487-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {F2706ECD-DC45-441D-A00C-6DD287F6899A}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F2706ECD-DC45-441D-A00C-6DD287F6899A}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>76487-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-1801674531-1532298954-2146899641</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude D610 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A06</Version><SMBIOSVersion major="2" minor="3"/><Date>20051002000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>0ADA3907018400E2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>4B857885C73DD00</Val><Hash>vmYp9J24N2OjPTaTf9CRsfepNtw=</Hash><Pid>73931-640-3961817-57075</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 
Licensing Data-->
N/A
Windows Activation Technologies-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 17B86ell Inc|17B86:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System
OEM Activation 2.0 Data-->
N/A
```


----------



## Cookiegal (Aug 27, 2003)

Please post the other report as well.


----------



## wdauser (Mar 30, 2011)

WVCheck log enclosed.

```
Windows Validation Check
Version: 1.9.12.5
Log Created On: 1900_15-09-2012
-----------------------
Windows Information
-----------------------
Windows Version: Windows XP Service Pack 2 
Windows Mode: Normal
Systemroot Path: C:\WINDOWS
WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
-----------------------
Last success time for Automatic Updates for 'Detect', 'Download' and 'Install' could not be found.

WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------

WVCheck's File Dump
-----------------------
WVCheck found no known bad files.

WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.

WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.

WVCheck's MBAM Quarantine Check
-----------------------
There were no bad files quarantined by MBAM.

WVCheck's HOSTS File Check
-----------------------
WVCheck found no bad lines in the hosts file.

WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - b409909f6e2e8a7067076ed748abf1e7

-------- End of File, program close at 1912_15-09-2012 --------
```


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the Recovery Console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices (don't worry, the keyboard and mouse will still function) to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## wdauser (Mar 30, 2011)

Hmmm. Ran into a little trouble. Finally got the application to install and run, but no log. ThreatFire was running as well. Did this cause some friction? Do I need to try this again?


----------



## Cookiegal (Aug 27, 2003)

Yes, it could have. I suggest you drag ComboFix to the Recycle Bin, download it again then disable ThreatFire before running the scan.


----------



## wdauser (Mar 30, 2011)

Ok. 2 issues. First, "puppy" would not move to the recycle bin. So, workaround: downloaded the file and called it "poppy." Now have run poppy and ran into an issue reading like....


Okay, didn't realize that the whole thing would copy, but here it is. Application is waiting open, but my only option forward by prompt is 'cancel'. The program is also registering "Combofix completed." Kinda confused. Not sure what to do next.

How do we proceed?


----------



## wdauser (Mar 30, 2011)

Been reading in the meantime. Looks like this run failed as well. I now have 4 versions of ComboFix. Do we need to uninstall some things and start over? Is the bug causing all of these issues to happen? What should we do next?


----------



## Cookiegal (Aug 27, 2003)

When having problems please just report rather than downloading the program four times. It looks like you just copied the DOS-type window screen before it completed its run.

Please remove all the other ones you downloaded.

Boot the machine to safe mode with networking.

Then try running the program (puppy.exe) again.


----------



## wdauser (Mar 30, 2011)

Okay. Cannot seem to get the copies to uninstall either. I'll explain a bit. 2 copies of ComboFix are from my previous round of dealing with a virus (last year); the programs were not uninstalled at that time. Then the two copies installed this week. Again I can't seem to get anything to delete or uninstall or anything at this point, but I had a question.

With my previous ComboFix program the Windows recovery tool was installed. I'm not sure that I've used it, nor am I clear as to when I would use it. I'm pretty certain that it has not been used. Would this tool help us in what we are working on, or am I skipping a few steps?

In the meantime, I still need to uninstall 4 copies of ComboFix and can't seem to get anything to happen on that front.

Any assistance is appreciated.


----------



## Cookiegal (Aug 27, 2003)

Let's leave ComboFix for now and do this instead.

Download *OTS.exe* to your Desktop.

- Close any open browsers.
- If your Real protection or Antivirus interferes with OTS, allow it to run.
- Double-click on *OTS.exe* to start the program.
- At the top put a check mark in the box beside "Scan All Users".
- Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors).
- Now click the *Run Scan* button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Save that notepad file.
- Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## wdauser (Mar 30, 2011)

OTS log completed.


```
OTS logfile created on: 9/19/2012 8:00:02 PM - Run 1
OTS by OldTimer - Version 3.1.47.2 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 560.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 17.26 Gb Free Space | 30.94% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WILLIEDINISH
Current User Name: willie_dinish
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots.exe -> C:\Documents and Settings\willie_dinish\Desktop\OTS.exe -> [2012/09/18 21:36:52 | 000,646,656 | ---- | M] (OldTimer Tools)
realsched.exe -> C:\Program Files\real\realplayer\Update\realsched.exe -> [2011/10/28 22:21:20 | 000,273,528 | ---- | M] (RealNetworks, Inc.)
tftray.exe -> C:\Program Files\ThreatFire\TFTray.exe -> [2010/01/14 16:08:16 | 000,378,128 | ---- | M] (PC Tools)
tfservice.exe -> C:\Program Files\ThreatFire\TFService.exe -> [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools)
pctsauxs.exe -> C:\Program Files\Spyware Doctor\pctsAuxs.exe -> [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation)
reader_sl.exe -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> [2004/12/14 04:44:06 | 000,029,696 | ---- | M] (Adobe Systems Incorporated)
wlkeeper.exe -> C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -> [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation)
zcfgsvc.exe -> C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe -> [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation)
1xconfig.exe -> C:\Program Files\Intel\Wireless\Bin\1XConfig.exe -> [2004/09/07 16:03:40 | 000,245,760 | ---- | M] (Intel)
teatimer.exe -> C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe -> [2004/05/12 01:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited)
hpohmr08.exe -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe -> [2003/04/09 18:21:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.)
hpotdd01.exe -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -> [2003/04/09 18:11:12 | 000,028,672 | ---- | M] (Hewlett-Packard)
hposts08.exe -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe -> [2003/04/09 17:59:24 | 000,311,296 | ---- | M] (Hewlett-Packard Co.)
hpoevm08.exe -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe -> [2003/04/09 17:49:36 | 000,286,720 | ---- | M] (Hewlett-Packard Co.)

[Modules - No Company Name]
d8021xps.dll -> C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL -> [2004/09/07 16:03:46 | 000,073,728 | ---- | M] ()

[Win32 Services - Safe List]
(ThreatFire) ThreatFire [Auto | Running] -> C:\Program Files\ThreatFire\TFService.exe -> [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools)
(sdCoreService) PC Tools Security Service [On_Demand | Stopped] -> C:\Program Files\Spyware Doctor\pctsSvc.exe -> [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools)
(sdAuxService) PC Tools Auxiliary Service [Auto | Running] -> C:\Program Files\Spyware Doctor\pctsAuxs.exe -> [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools)
(WLANKEEPER) WLANKEEPER [Auto | Running] -> C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -> [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation)

[Driver Services - Safe List]
(TfSysMon) TfSysMon [Kernel | Boot | Running] -> C:\WINDOWS\system32\drivers\TfSysMon.sys -> [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools)
(TfFsMon) TfFsMon [Kernel | Boot | Running] -> C:\WINDOWS\system32\drivers\TfFsMon.sys -> [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools)
(TfNetMon) TfNetMon [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\TfNetMon.sys -> [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools)
(PCTCore) PCTools KDS [File_System | Boot | Running] -> C:\WINDOWS\system32\drivers\PCTCore.sys -> [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools)
(DLADResM) DLADResM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLADResM.SYS -> [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio)
(DLABMFSM) DLABMFSM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLABMFSM.SYS -> [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio)
(DLAUDF_M) DLAUDF_M [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -> [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio)
(DLAUDFAM) DLAUDFAM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -> [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio)
(DLAOPIOM) DLAOPIOM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -> [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio)
(DLABOIOM) DLABOIOM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLABOIOM.SYS -> [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio)
(DLAIFS_M) DLAIFS_M [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -> [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio)
(DLAPoolM) DLAPoolM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAPoolM.SYS -> [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio)
(DLACDBHM) DLACDBHM [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLACDBHM.SYS -> [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio)
(DLARTL_M) DLARTL_M [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLARTL_M.SYS -> [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio)
(STAC97) SigmaTel C-Major Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\STAC97.sys -> [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.)
(w29n51) Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\w29n51.sys -> [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation)
(s24trans) WLAN Transport [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\s24trans.sys -> [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation)
(b57w2k) Broadcom NetXtreme 57xx Gigabit Controller [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\b57xp32.sys -> [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation)
(IWCA) Intel Wireless Connection Agent Miniport for Win XP [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\iwca.sys -> [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation)
(mf) mf [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\mf.sys -> [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation)
(HSFHWICH) HSFHWICH [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\HSFHWICH.sys -> [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\HSF_CNXT.sys -> [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.)
(HSF_DP) HSF_DP [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\HSF_DP.sys -> [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.)
(GTIPCI21) GTIPCI21 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\gtipci21.sys -> [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments)
(OMCI) OMCI [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -> [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation)
(BrUsbScn) Brother MFC USB Scanner driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\BrUsbScn.sys -> [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.)
(brfilt) Brother MFC Filter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\BrFilt.sys -> [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.)
(RVIEG01) VSC Engine [Kernel | Auto | Running] -> C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -> [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland)
(UdfReadr) UdfReadr [File_System | System | Stopped] -> C:\WINDOWS\System32\drivers\udfreadr.sys -> [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
HKEY_USERS\S-1-5-20\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\: Main\\"Start Page" -> http://www.google.com/ -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\: "ProxyEnable" -> 0 -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> -> 
HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT] -> [2011/10/28 22:23:21 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2011/05/25 20:36:20 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts -> 
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> [2004/12/14 01:56:50 | 000,063,136 | ---- | M] (Adobe Systems Incorporated)
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKLM] -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] -> [2011/10/28 22:23:00 | 000,414,416 | ---- | M] (RealPlayer)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}" [HKLM] -> [vbAccelerator Grid Control] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"KernelFaultCheck" -> [%systemroot%\system32\dumprep 0 -k] -> File not found
"ThreatFire" -> C:\Program Files\ThreatFire\TFTray.exe [C:\Program Files\ThreatFire\TFTray.exe] -> [2010/01/14 16:08:16 | 000,378,128 | ---- | M] (PC Tools)
"TkBellExe" -> C:\program files\real\realplayer\update\realsched.exe ["C:\program files\real\realplayer\update\realsched.exe" -osboot] -> [2011/10/28 22:21:20 | 000,273,528 | ---- | M] (RealNetworks, Inc.)
"UserFaultCheck" -> [%systemroot%\system32\dumprep 0 -u] -> File not found
< Run [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"SpybotSD TeaTimer" -> C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe] -> [2004/05/12 01:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> [2004/12/14 04:44:06 | 000,029,696 | ---- | M] (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe -> [2003/04/09 18:21:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -> [2003/04/09 18:11:12 | 000,028,672 | ---- | M] (Hewlett-Packard)
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup -> 
< willie_dinish Startup Folder > -> C:\Documents and Settings\willie_dinish\Start Menu\Programs\Startup -> 
C:\Documents and Settings\willie_dinish\Start Menu\Programs\Startup\SpySubtract.lnk -> -> File not found
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoCDBurning" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
\\"HonorAutoRunSetting" -> [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoLogOff" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1002 domain(s) found. -> 
free_aol.com [http] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 18 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [HKLM] -> http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab [QuickTime Plugin Control] -> 
{31435657-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab [Reg Error: Key error.] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 [WUWebControl Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 [MUWebControl Class] -> 
{6F15128C-E66A-490C-B848-5000B5ABEEAC} [HKLM] -> https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab [HP Download Manager] -> 
{7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> http://download.eset.com/special/eos-beta/OnlineScanner.cab [OnlineScanner Control] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab [Java Plug-in 1.6.0_25] -> 
{BDEE1959-AB6B-4745-A29B-F492861102CC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> 
{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab [Java Plug-in 1.6.0_25] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab [Java Plug-in 1.6.0_25] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.254 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{1734B3D3-F475-4AE0-A718-EFF5F30521D5}\\DhcpNameServer -> 192.168.1.254 (Intel(R) PRO/Wireless 2200BG Network Connection) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINDOWS\system32\userinit.exe -> C:\WINDOWS\system32\userinit.exe -> [2004/08/04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
dimsntfy -> Reg Error: Value error. -> File not found
igfxcui -> C:\WINDOWS\System32\igfxsrvc.dll -> [2005/02/15 09:02:58 | 000,348,160 | ---- | M] (Intel Corporation)
IntelWireless -> C:\Program Files\Intel\Wireless\Bin\LgNotify.dll -> [2004/09/07 16:08:06 | 000,110,592 | ---- | M] (Intel Corporation)
RegCompact -> C:\WINDOWS\System32\RegCompact.dll -> [2005/11/21 19:22:58 | 000,135,168 | ---- | M] (AMUST Software)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\Readon Technology\Readon TV Movie Radio Player 7.2.0.0\internettv.exe" -> C:\Program Files\Readon Technology\Readon TV Movie Radio Player 7.2.0.0\internettv.exe [C:\Program Files\Readon Technology\Readon TV Movie Radio Player 7.2.0.0\internettv.exe:*:Enabled:Readon TV Movie Radio Player] -> [2010/06/12 20:44:06 | 001,659,904 | ---- | M] (Readon Technology)
"C:\Program Files\Real\RealPlayer\realplay.exe" -> C:\Program Files\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer] -> [2011/10/28 22:21:34 | 000,490,096 | ---- | M] (RealNetworks, Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > -> -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2008/09/04 09:46:43 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 

[Registry - Additional Scans - Safe List]
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ->
6to4 -> -> File not found
Ias -> -> File not found
Iprip -> -> File not found
Irmon -> -> File not found
NWCWorkstation -> -> File not found
Nwsapagent -> -> File not found
WmdmPmSp -> -> File not found
*MultiFile Done* -> -> 
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 8/22/2012 8:05:52 PM Computer Name = WILLIEDINISH | Source = EventSystem | ID = 4609 -> Description = The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this erro
Application [ Error ] 8/25/2012 8:40:49 PM Computer Name = WILLIEDINISH | Source = Application Hang | ID = 1002 -> Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 8/27/2012 12:08:09 AM Computer Name = WILLIEDINISH | Source = crypt32 | ID = 131083 -> Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid. 
Application [ Error ] 8/29/2012 10:11:38 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x0e1b0d90.
Application [ Error ] 8/31/2012 1:20:39 AM Computer Name = WILLIEDINISH | Source = ESENT | ID = 489 -> Description = wuauclt (2472) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).
Application [ Error ] 8/31/2012 1:20:39 AM Computer Name = WILLIEDINISH | Source = ESENT | ID = 455 -> Description = wuaueng.dll (2472) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.
Application [ Error ] 8/31/2012 1:21:08 AM Computer Name = WILLIEDINISH | Source = ESENT | ID = 489 -> Description = wuauclt (2472) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).
Application [ Error ] 8/31/2012 1:21:08 AM Computer Name = WILLIEDINISH | Source = ESENT | ID = 455 -> Description = wuaueng.dll (2472) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.
Application [ Error ] 9/3/2012 10:44:11 PM Computer Name = WILLIEDINISH | Source = EventSystem | ID = 4609 -> Description = The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706F7 from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this erro
Application [ Error ] 9/10/2012 1:29:27 AM Computer Name = WILLIEDINISH | Source = Application Hang | ID = 1002 -> Description = Hanging application realplay.exe, version 12.0.1.669, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
System [ Error ] 9/18/2012 10:52:23 PM Computer Name = WILLIEDINISH | Source = Windows Update Agent | ID = 16 -> Description = Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
System [ Error ] 9/19/2012 6:39:38 PM Computer Name = WILLIEDINISH | Source = Application Popup | ID = 876 -> Description = Driver UdfReadr.SYS has been blocked from loading.
System [ Error ] 9/19/2012 6:39:57 PM Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7000 -> Description = The Upload Manager service failed to start due to the following error: %%1079
System [ Error ] 9/19/2012 6:41:37 PM Computer Name = WILLIEDINISH | Source = Windows Update Agent | ID = 16 -> Description = Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
System [ Error ] 9/19/2012 8:18:52 PM Computer Name = WILLIEDINISH | Source = Application Popup | ID = 876 -> Description = Driver UdfReadr.SYS has been blocked from loading.
System [ Error ] 9/19/2012 8:19:16 PM Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7000 -> Description = The Upload Manager service failed to start due to the following error: %%1079
System [ Error ] 9/19/2012 8:20:51 PM Computer Name = WILLIEDINISH | Source = Windows Update Agent | ID = 16 -> Description = Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
System [ Error ] 9/19/2012 8:57:29 PM Computer Name = WILLIEDINISH | Source = Application Popup | ID = 876 -> Description = Driver UdfReadr.SYS has been blocked from loading.
System [ Error ] 9/19/2012 8:57:50 PM Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7000 -> Description = The Upload Manager service failed to start due to the following error: %%1079
System [ Error ] 9/19/2012 8:59:22 PM Computer Name = WILLIEDINISH | Source = Windows Update Agent | ID = 16 -> Description = Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

[Files/Folders - Created Within 30 Days]
OTS.exe -> C:\Documents and Settings\willie_dinish\Desktop\OTS.exe -> [2012/09/18 21:51:34 | 000,646,656 | ---- | C] (OldTimer Tools)
poppy.exe -> C:\Documents and Settings\willie_dinish\Desktop\poppy.exe -> [2012/09/16 21:05:34 | 004,754,503 | R--- | C] (Swearware)
32788R22FWJFW -> C:\32788R22FWJFW -> [2012/09/16 20:08:41 | 000,000,000 | ---D | C]
Office Genuine Advantage -> C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage -> [2012/09/15 18:52:44 | 000,000,000 | ---D | C]
MGADiag.exe -> C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe -> [2012/09/15 18:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation)
dds.com -> C:\Documents and Settings\willie_dinish\Desktop\dds.com -> [2012/09/10 21:00:39 | 000,607,260 | R--- | C] (Swearware)
SysInfo.exe -> C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe -> [2012/09/09 21:41:26 | 000,509,440 | ---- | C] (Tech Support Guy System)
Malwarebytes' Anti-Malware -> C:\Documents and Settings\willie_dinish\Desktop\Malwarebytes' Anti-Malware -> [2012/09/02 22:14:24 | 000,000,000 | ---D | C]
Common Files -> C:\Documents and Settings\All Users\Application Data\Common Files -> [2012/09/02 22:02:38 | 000,000,000 | -H-D | C]
MFAData -> C:\Documents and Settings\All Users\Application Data\MFAData -> [2012/09/02 22:02:38 | 000,000,000 | ---D | C]
AdobeUM -> C:\Documents and Settings\LocalService\Application Data\AdobeUM -> [2012/09/02 21:42:27 | 000,000,000 | ---D | C]
Adobe -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe -> [2012/09/02 21:40:55 | 000,000,000 | ---D | C]
Recent -> C:\Documents and Settings\willie_dinish\Recent -> [2012/08/31 00:50:49 | 000,000,000 | RH-D | C]
Malwarebytes' Anti-Malware -> C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware -> [2012/08/26 23:07:37 | 000,000,000 | ---D | C]
syncdb -> C:\WINDOWS\System32\syncdb -> [2012/08/25 01:23:59 | 000,000,000 | ---D | C]
Sun -> C:\Documents and Settings\LocalService\Application Data\Sun -> [2012/08/21 19:39:23 | 000,000,000 | ---D | C]
6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
13 C:\Documents and Settings\willie_dinish\My Documents\*.tmp files -> C:\Documents and Settings\willie_dinish\My Documents\*.tmp -> 
11 C:\Documents and Settings\willie_dinish\Desktop\*.tmp files -> C:\Documents and Settings\willie_dinish\Desktop\*.tmp -> 
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 

[Files/Folders - Modified Within 30 Days]
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2012/09/19 19:58:07 | 000,002,206 | ---- | M] ()
RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> [2012/09/19 19:57:18 | 000,000,294 | ---- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2012/09/19 19:57:07 | 000,002,048 | --S- | M] ()
d3d9caps.dat -> C:\WINDOWS\System32\d3d9caps.dat -> [2012/09/19 19:22:42 | 000,000,664 | ---- | M] ()
OTS.exe -> C:\Documents and Settings\willie_dinish\Desktop\OTS.exe -> [2012/09/18 21:36:52 | 000,646,656 | ---- | M] (OldTimer Tools)
GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job -> C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job -> [2012/09/17 00:37:06 | 000,001,010 | ---- | M] ()
www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf -> C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf -> [2012/09/16 22:38:36 | 000,640,144 | ---- | M] ()
poppy.exe -> C:\Documents and Settings\willie_dinish\Desktop\poppy.exe -> [2012/09/16 21:05:34 | 004,754,503 | R--- | M] (Swearware)
GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job -> C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job -> [2012/09/16 20:37:06 | 000,000,958 | ---- | M] ()
puppy.exe -> C:\Documents and Settings\willie_dinish\Desktop\puppy.exe -> [2012/09/16 20:08:15 | 004,754,503 | R--- | M] ()
WVCheck.exe -> C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe -> [2012/09/15 18:47:49 | 003,514,358 | ---- | M] ()
MGADiag.exe -> C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe -> [2012/09/15 18:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation)
Readon TV Movie Radio Player.lnk -> C:\Documents and Settings\willie_dinish\Desktop\Readon TV Movie Radio Player.lnk -> [2012/09/10 22:30:03 | 000,002,683 | ---- | M] ()
dds.com -> C:\Documents and Settings\willie_dinish\Desktop\dds.com -> [2012/09/10 21:00:41 | 000,607,260 | R--- | M] (Swearware)
SysInfo.exe -> C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe -> [2012/09/09 21:41:28 | 000,509,440 | ---- | M] (Tech Support Guy System)
FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2012/08/25 13:53:49 | 000,248,696 | ---- | M] ()
RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> [2012/08/24 22:23:06 | 000,000,302 | ---- | M] ()
6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
27 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 
13 C:\Documents and Settings\willie_dinish\My Documents\*.tmp files -> C:\Documents and Settings\willie_dinish\My Documents\*.tmp -> 
11 C:\Documents and Settings\willie_dinish\Desktop\*.tmp files -> C:\Documents and Settings\willie_dinish\Desktop\*.tmp -> 
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 

[Files - No Company Name]
www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf -> C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf -> [2012/09/16 22:38:31 | 000,640,144 | ---- | C] ()
puppy.exe -> C:\Documents and Settings\willie_dinish\Desktop\puppy.exe -> [2012/09/16 20:08:15 | 004,754,503 | R--- | C] ()
WVCheck.exe -> C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe -> [2012/09/15 18:47:49 | 003,514,358 | ---- | C] ()
miniremoval_coolwebsearch_smartkiller.exe -> C:\Documents and Settings\willie_dinish\Desktop\miniremoval_coolwebsearch_smartkiller.exe -> [2012/09/02 20:50:50 | 000,098,304 | ---- | C] ()
.backup.dm -> C:\Documents and Settings\willie_dinish\Application Data\.backup.dm -> [2012/04/22 21:27:05 | 000,000,272 | ---- | C] ()
PUTTY.RND -> C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND -> [2011/07/20 19:31:39 | 000,000,600 | ---- | C] ()
dcache.bin -> C:\WINDOWS\System32\dcache.bin -> [2011/05/29 23:16:04 | 000,001,788 | ---- | C] ()
PEV.exe -> C:\WINDOWS\PEV.exe -> [2011/05/19 00:47:19 | 000,256,512 | ---- | C] ()
MBR.exe -> C:\WINDOWS\MBR.exe -> [2011/05/19 00:47:19 | 000,208,896 | ---- | C] ()
sed.exe -> C:\WINDOWS\sed.exe -> [2011/05/19 00:47:19 | 000,098,816 | ---- | C] ()
grep.exe -> C:\WINDOWS\grep.exe -> [2011/05/19 00:47:19 | 000,080,412 | ---- | C] ()
zip.exe -> C:\WINDOWS\zip.exe -> [2011/05/19 00:47:19 | 000,068,096 | ---- | C] ()

[Alternate Data Streams]
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
```


----------



## Cookiegal (Aug 27, 2003)

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here please.

```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}" [HKLM] -> [vbAccelerator Grid Control]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "KernelFaultCheck" -> [%systemroot%\system32\dumprep 0 -k]
YN -> "UserFaultCheck" -> [%systemroot%\system32\dumprep 0 -u]
< willie_dinish Startup Folder > -> C:\Documents and Settings\willie_dinish\Start Menu\Programs\Startup
YN -> C:\Documents and Settings\willie_dinish\Start Menu\Programs\Startup\SpySubtract.lnk -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {BDEE1959-AB6B-4745-A29B-F492861102CC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> 13 C:\Documents and Settings\willie_dinish\My Documents\*.tmp files -> C:\Documents and Settings\willie_dinish\My Documents\*.tmp
NY -> 11 C:\Documents and Settings\willie_dinish\Desktop\*.tmp files -> C:\Documents and Settings\willie_dinish\Desktop\*.tmp
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 27 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> 13 C:\Documents and Settings\willie_dinish\My Documents\*.tmp files -> C:\Documents and Settings\willie_dinish\My Documents\*.tmp
NY -> 11 C:\Documents and Settings\willie_dinish\Desktop\*.tmp files -> C:\Documents and Settings\willie_dinish\Desktop\*.tmp
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Alternate Data Streams]
NY -> @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```


----------



## wdauser (Mar 30, 2011)

Cookiegal,

Something went sideways. I've followed these instructions. But it looks like the fix ONLY removed or uninstalled the OTS software. No log was generated. I'm not sure if this was successful at all. I let the machine work on this for a couple hours. 

I only tried this one once obviously since the software uninstalled. 

Any ideas? What should we try next?


----------



## Cookiegal (Aug 27, 2003)

Did you click on the CleanUP button in OTS by mistake?


----------



## wdauser (Mar 30, 2011)

I'm pretty sure that I didn't, but I can't be for certain. I guess I should reinstall OTS and re-run the fix.

Would this be a good approach?


----------



## Cookiegal (Aug 27, 2003)

Yes, please do that.


----------



## wdauser (Mar 30, 2011)

We have progress. Process run again. Log generated.

```
All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
C:\Documents and Settings\willie_dinish\Start Menu\Programs\Startup\SpySubtract.lnk moved successfully.
File C:\Documents and Settings\willie_dinish\Start Menu\Programs\Startup\SpySubtract.lnk not found.
Starting removal of ActiveX control {BDEE1959-AB6B-4745-A29B-F492861102CC}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BDEE1959-AB6B-4745-A29B-F492861102CC}\Contains\Files\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BDEE1959-AB6B-4745-A29B-F492861102CC}\DownloadInformation\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDEE1959-AB6B-4745-A29B-F492861102CC}\ not found.
[Files/Folders - Created Within 30 Days]
File not found!
C:\Documents and Settings\willie_dinish\My Documents\~WRL0333.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL0983.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL2038.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL2205.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3049.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3395.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3547.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3554.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3665.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3784.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3806.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3823.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\My Documents\~WRL3935.tmp deleted successfully.
File not found!
C:\Documents and Settings\willie_dinish\Desktop\~WRL0004.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL0060.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL0174.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL0952.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL2610.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL2679.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL2741.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL3086.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL3122.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL3353.tmp deleted successfully.
C:\Documents and Settings\willie_dinish\Desktop\~WRL3691.tmp deleted successfully.
File not found!
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
File not found!
[Files/Folders - Modified Within 30 Days]
File not found!
C:\WINDOWS\003249_.tmp deleted successfully.
C:\WINDOWS\SET29.tmp deleted successfully.
C:\WINDOWS\SET2A.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
File not found!
C:\WINDOWS\Temp\fla1.tmp deleted successfully.
C:\WINDOWS\Temp\fla10.tmp deleted successfully.
C:\WINDOWS\Temp\fla11.tmp deleted successfully.
C:\WINDOWS\Temp\fla12.tmp deleted successfully.
C:\WINDOWS\Temp\fla15.tmp deleted successfully.
C:\WINDOWS\Temp\fla165.tmp deleted successfully.
C:\WINDOWS\Temp\fla17.tmp deleted successfully.
C:\WINDOWS\Temp\fla18.tmp deleted successfully.
C:\WINDOWS\Temp\fla1D.tmp deleted successfully.
C:\WINDOWS\Temp\fla2.tmp deleted successfully.
C:\WINDOWS\Temp\fla23.tmp deleted successfully.
C:\WINDOWS\Temp\fla25.tmp deleted successfully.
C:\WINDOWS\Temp\fla26.tmp deleted successfully.
C:\WINDOWS\Temp\fla3.tmp deleted successfully.
C:\WINDOWS\Temp\fla4.tmp deleted successfully.
C:\WINDOWS\Temp\fla5.tmp deleted successfully.
C:\WINDOWS\Temp\fla6.tmp deleted successfully.
C:\WINDOWS\Temp\fla7.tmp deleted successfully.
C:\WINDOWS\Temp\fla8.tmp deleted successfully.
C:\WINDOWS\Temp\fla9.tmp deleted successfully.
C:\WINDOWS\Temp\flaA.tmp deleted successfully.
C:\WINDOWS\Temp\flaB.tmp deleted successfully.
C:\WINDOWS\Temp\flaC.tmp deleted successfully.
C:\WINDOWS\Temp\flaD.tmp deleted successfully.
C:\WINDOWS\Temp\flaE.tmp deleted successfully.
C:\WINDOWS\Temp\flaF.tmp deleted successfully.
C:\WINDOWS\Temp\nchC.tmp deleted successfully.
File not found!
File not found!
File not found!
File not found!
[Alternate Data Streams]
File not found!
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
File not found!
[Empty Temp Folders]
User: Administrator
->Temporary Internet Files folder emptied: 32768 bytes
User: Administrator.WILLIEDINISH
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111897924 bytes
->Java cache emptied: 1084 bytes
->Flash cache emptied: 63288 bytes
User: NetworkService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 598099519 bytes
->Java cache emptied: 4623873 bytes
->Flash cache emptied: 285926 bytes
User: willie_dinish
->Temp folder emptied: 24610829 bytes
->Temporary Internet Files folder emptied: 180998964 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 5250 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1196515 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 74597218 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 87139 bytes
RecycleBin emptied: 40656139 bytes
Total Files Cleaned = 989.00 mb
[EMPTYFLASH]
User: Administrator
User: Administrator.WILLIEDINISH
User: All Users
User: Default User
->Flash cache emptied: 0 bytes
User: LocalService
->Flash cache emptied: 0 bytes
User: NetworkService
->Flash cache emptied: 0 bytes
User: willie_dinish
->Flash cache emptied: 0 bytes
Total Flash Files Cleaned = 0.00 mb
[EMPTYJAVA]
User: Administrator
User: Administrator.WILLIEDINISH
User: All Users
User: Default User
User: LocalService
->Java cache emptied: 0 bytes
User: NetworkService
->Java cache emptied: 0 bytes
User: willie_dinish
->Java cache emptied: 0 bytes
Total Java Files Cleaned = 0.00 mb
< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 09222012_235923
Files\Folders moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XQL69UH6\stunning-dog-photography-tim-flach[1].txt moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XQL69UH6\style[2].css moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\1344649283637_78066133657029[5].htm moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\all[1].js moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\results[4].htm moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\t[1].htm moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2M65KFM6\editor[1].css moved successfully.
Registry entries deleted on Reboot...
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XQL69UH6\stunning-dog-photography-tim-flach[1].txt not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XQL69UH6\style[2].css not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\1344649283637_78066133657029[5].htm not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\all[1].js not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\results[4].htm not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\t[1].htm not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2M65KFM6\editor[1].css not found!
Registry entries deleted on Reboot...
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XQL69UH6\stunning-dog-photography-tim-flach[1].txt not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XQL69UH6\style[2].css not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\1344649283637_78066133657029[5].htm not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\all[1].js not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\results[4].htm not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VI1EMN0C\t[1].htm not found!
File\Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2M65KFM6\editor[1].css not found!
Registry entries deleted on Reboot...
```


----------



## Cookiegal (Aug 27, 2003)

I don't know how you added a space between every letter before posting that. It's very difficult to read.

Anyway, I'd like you to do the following please.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:dir
C:\WINDOWS\System32\syncdb
:filefind
dimsntfy.dll
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## wdauser (Mar 30, 2011)

Systemlook log is below. I thought the extra space was weird too. I actually re-ran this OTS fix a third time to be sure that something was not messed up. The OTS log file generated that way upon paste. Really kinda weird. What's next?

SystemLook 30.07.11 by jpshortstuff
Log created at 22:22 on 23/09/2012 by willie_dinish
Administrator - Elevation successful
========== dir ==========
C:\WINDOWS\System32\syncdb - Parameters: "(none)"
---Files---
.pref --a---- 595 bytes [06:23 25/08/2012] [06:23 25/08/2012]
---Folders---
None found.
========== filefind ==========
Searching for "dimsntfy.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\dimsntfy.dll --a---- 19456 bytes [00:15 24/11/2008] [00:11 14/04/2008] E2092F0A1D7ABC243F9C2362483D150D
-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Please navigate to this file:

C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\*dimsntfy.dll*

Right-click the *dimsntfy.dll* file and select "copy".

Now navigate to this folder:

C:\WINDOWS\*System32*

Open the System32 folder and then right-click the mouse and select "paste" to drop a copy of the dimsntfy.dll file in this location.

Then reboot the machine and run SystemLook again with this script (so I can see if the file was dropped successfully):


```
:filefind
dimsntfy.dll
```


----------



## wdauser (Mar 30, 2011)

New Log below. What's next?

SystemLook 30.07.11 by jpshortstuff
Log created at 20:07 on 24/09/2012 by willie_dinish
Administrator - Elevation successful
========== filefind ==========
Searching for "dimsntfy.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\dimsntfy.dll --a---- 19456 bytes [00:15 24/11/2008] [00:11 14/04/2008] E2092F0A1D7ABC243F9C2362483D150D
C:\WINDOWS\system32\dimsntfy.dll --a---- 19456 bytes [00:47 25/09/2012] [00:11 14/04/2008] E2092F0A1D7ABC243F9C2362483D150D
-= EOF =-
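
The two filefind hits above report the same size (19456 bytes) and the same MD5 (E2092F0A1D7ABC243F9C2362483D150D), which is the check that the copy into System32 landed intact. The script below is an added example, not code from the thread or from SystemLook's author: it parses filefind lines in the layout shown above (the field order is inferred from those two lines, not taken from SystemLook documentation), reports whether every copy of a file name shares size and hash, and hashes a local file the same way so a restored DLL can be compared against the value SystemLook printed. The function names and the tampered-record check are this example's own.

```python
from __future__ import annotations

import hashlib
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# The SystemLook ":filefind" result posted above, copied from the thread.
SYSTEMLOOK_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 20:07 on 24/09/2012 by willie_dinish
Administrator - Elevation successful
========== filefind ==========
Searching for "dimsntfy.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\dimsntfy.dll --a---- 19456 bytes [00:15 24/11/2008] [00:11 14/04/2008] E2092F0A1D7ABC243F9C2362483D150D
C:\WINDOWS\system32\dimsntfy.dll --a---- 19456 bytes [00:47 25/09/2012] [00:11 14/04/2008] E2092F0A1D7ABC243F9C2362483D150D
-= EOF =-
"""

# One hit line: <path> <attributes> <size> bytes [<modified>] [<created>] <MD5>
# Field layout inferred from the lines above (an assumption, not SystemLook documentation).
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-\w]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(log: str) -> list[dict]:
    """Return one record per filefind hit; non-matching lines (banner, EOF) are skipped."""
    hits = []
    for line in log.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["size"] = int(hit["size"])
        hit["md5"] = hit["md5"].upper()
        # PureWindowsPath parses backslash paths correctly even on a non-Windows host.
        hit["name"] = PureWindowsPath(hit["path"]).name.lower()
        hits.append(hit)
    return hits


def check_copies(hits: list[dict]) -> dict[str, bool]:
    """For each file name, True when every copy SystemLook found has the same size and MD5."""
    by_name: dict[str, list[dict]] = defaultdict(list)
    for hit in hits:
        by_name[hit["name"]].append(hit)
    return {
        name: len({(h["size"], h["md5"]) for h in copies}) == 1
        for name, copies in by_name.items()
    }


def md5_of_bytes(data: bytes) -> str:
    """Upper-case hex MD5, matching the case SystemLook prints."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through MD5 so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def verify_copy(path: str, expected_md5: str) -> bool:
    """True when the file on disk hashes to the value SystemLook reported for the source."""
    return md5_of_file(path) == expected_md5.upper()


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_LOG)
    for hit in found:
        print(f'{hit["path"]}  {hit["size"]} bytes  {hit["md5"]}')
    print(check_copies(found))
```

A matching hash only shows that the System32 copy is byte-identical to the one under SoftwareDistribution; it says nothing about whether that source file is the genuine Microsoft binary. The stronger check on a live machine is an Authenticode/catalog signature verification (for example with Sysinternals sigcheck), since a file that has been replaced by malware would fail signature checking even if both copies of it agree.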


----------



## Cookiegal (Aug 27, 2003)

Please run the following on-line scanner. Note that you must use Internet Explorer to perform the scan.

Note: If you're running a 64-bit system you have to choose the 32-bit option in IE. To do that, go to the Start Menu and right-click the Internet Explorer (32-bit) icon and then select 'Run as administrator' from the right-click menu.

http://www.eset.com/online-scanner

Accept the Terms of Use and then press the Start button

Allow the ActiveX control to be installed.

Put a check by Remove found threats and then run the scan.

When the scan is finished, you will see the results in a window.

A log.txt file is created here: C:\Program Files\ESET\ESET Online Scanner\log.txt.

Open the log file with Notepad and copy and paste the contents here please.


----------



## wdauser (Mar 30, 2011)

Log below. I did not run any next steps with eset (quarantine, uninstall). What next?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=36fdf0c2e44d5644acb91b6174ba4c5b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-09-26 01:16:40
# local_time=2012-09-25 08:16:40 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 42526857 42526857 0 0
# scanned=64973
# found=10
# cleaned=10
# scan_time=3778
C:\Documents and Settings\LocalService\0.5105593274292319.exe Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\0.342252721831257.exe Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\0.8569444149379782.exe a variant of Win32/Kryptik.AKRC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\0.8904872731080723.exe Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\willie_dinish\My Documents\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\RP835\A0945838.exe Win32/InstallMate application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\RP837\A1040513.exe Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\RP837\A1040514.exe Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\RP837\A1040515.exe a variant of Win32/Kryptik.AKRC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\RP837\A1040516.exe Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


----------



## Cookiegal (Aug 27, 2003)

Please go here and download the *TDSSKiller.exe* to your desktop.

Double-click TDSSKiller.exe on your desktop to run it.
Click on *Start Scan*
As we don't want to fix anything yet, if any malicious objects are detected, *do NOT select Cure* but select *Skip* instead.
It will produce a log once it finishes in the root drive which should look like this example:

C:\TDSSKiller.<version_date_time>log.txt

Please copy and paste the contents of that log in your next reply.


----------



## wdauser (Mar 30, 2011)

Hope this is the right log. Thanks for the help.

21:09:30.0546 3492 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
21:09:32.0328 3492 ============================================================
21:09:32.0328 3492 Current date / time: 2012/09/26 21:09:32.0328
21:09:32.0328 3492 SystemInfo:
21:09:32.0328 3492 
21:09:32.0328 3492 OS Version: 5.1.2600 ServicePack: 2.0
21:09:32.0328 3492 Product type: Workstation
21:09:32.0328 3492 ComputerName: WILLIEDINISH
21:09:32.0328 3492 UserName: willie_dinish
21:09:32.0328 3492 Windows directory: C:\WINDOWS
21:09:32.0328 3492 System windows directory: C:\WINDOWS
21:09:32.0328 3492 Processor architecture: Intel x86
21:09:32.0328 3492 Number of processors: 1
21:09:32.0328 3492 Page size: 0x1000
21:09:32.0328 3492 Boot type: Normal boot
21:09:32.0328 3492 ============================================================
21:09:50.0843 3492 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1C80, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:09:50.0843 3492 Drive \Device\Harddisk1\DR3 - Size: 0x3C000000 (0.94 Gb), SectorSize: 0x200, Cylinders: 0x7A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
21:09:50.0843 3492 ============================================================
21:09:50.0843 3492 \Device\Harddisk0\DR0:
21:09:50.0843 3492 MBR partitions:
21:09:50.0843 3492 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2B24B, BlocksNum 0x6F98B74
21:09:50.0843 3492 \Device\Harddisk1\DR3:
21:09:50.0843 3492 MBR partitions:
21:09:50.0843 3492 \Device\Harddisk1\DR3\Partition1: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x1DFFE0
21:09:50.0843 3492 ============================================================
21:09:50.0890 3492 C: <-> \Device\Harddisk0\DR0\Partition1
21:09:50.0890 3492 ============================================================
21:09:50.0890 3492 Initialize success
21:09:50.0890 3492 ============================================================
21:10:12.0078 3884 ============================================================
21:10:12.0078 3884 Scan started
21:10:12.0078 3884 Mode: Manual; 
21:10:12.0078 3884 ============================================================
21:10:14.0468 3884 ================ Scan system memory ========================
21:10:19.0203 3884 System memory - ok
21:10:19.0203 3884 ================ Scan services =============================
21:10:19.0453 3884 Abiosdsk - ok
21:10:19.0453 3884 abp480n5 - ok
21:10:19.0531 3884 [ A10C7534F7223F4A73A948967D00E69B ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:10:19.0546 3884 ACPI - ok
21:10:19.0609 3884 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
21:10:19.0609 3884 ACPIEC - ok
21:10:19.0625 3884 adpu160m - ok
21:10:19.0687 3884 [ 1EE7B434BA961EF845DE136224C30FEC ] aec C:\WINDOWS\system32\drivers\aec.sys
21:10:19.0687 3884 aec - ok
21:10:19.0750 3884 [ 076394A345EE5E9E3911FC0F058F4F38 ] AegisP C:\WINDOWS\system32\DRIVERS\AegisP.sys
21:10:19.0750 3884 AegisP - ok
21:10:19.0796 3884 [ 55E6E1C51B6D30E54335750955453702 ] AFD C:\WINDOWS\System32\drivers\afd.sys
21:10:19.0828 3884 AFD - ok
21:10:19.0828 3884 Aha154x - ok
21:10:19.0843 3884 aic78u2 - ok
21:10:19.0859 3884 aic78xx - ok
21:10:20.0015 3884 [ C7AE0FD3867DB0D42B03B73C18F3D671 ] Alerter C:\WINDOWS\system32\alrsvc.dll
21:10:20.0015 3884 Alerter - ok
21:10:20.0078 3884 [ F1958FBF86D5C004CF19A5951A9514B7 ] ALG C:\WINDOWS\System32\alg.exe
21:10:20.0078 3884 ALG - ok
21:10:20.0093 3884 AliIde - ok
21:10:20.0109 3884 amsint - ok
21:10:20.0140 3884 [ 9C3C12975C97119412802B181FBEEFFE ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
21:10:20.0140 3884 AppMgmt - ok
21:10:20.0156 3884 asc - ok
21:10:20.0171 3884 asc3350p - ok
21:10:20.0187 3884 asc3550 - ok
21:10:20.0343 3884 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
21:10:20.0406 3884 aspnet_state - ok
21:10:20.0453 3884 [ 02000ABF34AF4C218C35D257024807D6 ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:10:20.0453 3884 AsyncMac - ok
21:10:20.0453 3884 [ CDFE4411A69C224BD1D11B2DA92DAC51 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
21:10:20.0468 3884 atapi - ok
21:10:20.0468 3884 Atdisk - ok
21:10:20.0515 3884 [ EC88DA854AB7D7752EC8BE11A741BB7F ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:10:20.0515 3884 Atmarpc - ok
21:10:20.0562 3884 [ DB66DB626E4882EBEF55F136F12C1829 ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
21:10:20.0562 3884 AudioSrv - ok
21:10:20.0625 3884 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
21:10:20.0625 3884 audstub - ok
21:10:20.0703 3884 [ 2ACF06176B9D011567D7F25B83DDD066 ] b57w2k C:\WINDOWS\system32\DRIVERS\b57xp32.sys
21:10:20.0703 3884 b57w2k - ok
21:10:20.0765 3884 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
21:10:20.0765 3884 Beep - ok
21:10:20.0843 3884 [ 2C69EC7E5A311334D10DD95F338FCCEA ] BITS C:\WINDOWS\system32\qmgr.dll
21:10:20.0921 3884 BITS - ok
21:10:20.0984 3884 [ 4BA311473E0D8557827E6F2FE33A8095 ] brfilt C:\WINDOWS\system32\Drivers\Brfilt.sys
21:10:20.0984 3884 brfilt - ok
21:10:21.0062 3884 [ E3CFCCDDA4EDD1D0DC9168B2E18F27B8 ] Browser C:\WINDOWS\System32\browser.dll
21:10:21.0062 3884 Browser - ok
21:10:21.0109 3884 [ 8E06CD96E00472C03770A697D04031C0 ] BrSerWDM C:\WINDOWS\system32\Drivers\BrSerWdm.sys
21:10:21.0109 3884 BrSerWDM - ok
21:10:21.0125 3884 [ 37E2D0B12DDF536CD64AF6EB3B580EF8 ] BrUsbMdm C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
21:10:21.0125 3884 BrUsbMdm - ok
21:10:21.0187 3884 [ 1C5F014048E5B2748C1A8AD297C50B6F ] BrUsbScn C:\WINDOWS\system32\Drivers\BrUsbScn.sys
21:10:21.0187 3884 BrUsbScn - ok
21:10:21.0437 3884 catchme - ok
21:10:21.0484 3884 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
21:10:21.0500 3884 cbidf2k - ok
21:10:21.0546 3884 [ 6163ED60B684BAB19D3352AB22FC48B2 ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:10:21.0546 3884 CCDECODE - ok
21:10:21.0562 3884 cd20xrnt - ok
21:10:21.0609 3884 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
21:10:21.0609 3884 Cdaudio - ok
21:10:21.0687 3884 [ CD7D5152DF32B47F4E36F710B35AAE02 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
21:10:21.0687 3884 Cdfs - ok
21:10:21.0718 3884 [ AF9C19B3100FE010496B1A27181FBF72 ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:10:21.0718 3884 Cdrom - ok
21:10:21.0765 3884 [ 84853B3FD012251690570E9E7E43343F ] cercsr6 C:\WINDOWS\system32\drivers\cercsr6.sys
21:10:21.0765 3884 cercsr6 - ok
21:10:21.0781 3884 Changer - ok
21:10:21.0828 3884 [ 3192BD04D032A9C4A85A3278C268A13A ] CiSvc C:\WINDOWS\system32\cisvc.exe
21:10:21.0828 3884 CiSvc - ok
21:10:21.0875 3884 [ C8DEC22C4137D7A90F8BDF41CA4B82AE ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
21:10:21.0875 3884 ClipSrv - ok
21:10:21.0968 3884 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:10:22.0203 3884 clr_optimization_v2.0.50727_32 - ok
21:10:22.0234 3884 [ 4266BE808F85826AEDF3C64C1E240203 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:10:22.0250 3884 CmBatt - ok
21:10:22.0265 3884 CmdIde - ok
21:10:22.0281 3884 [ DF1B1A24BF52D0EBC01ED4ECE8979F50 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:10:22.0281 3884 Compbatt - ok
21:10:22.0296 3884 COMSysApp - ok
21:10:22.0312 3884 Cpqarray - ok
21:10:22.0390 3884 [ 10654F9DDCEA9C46CFB77554231BE73B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
21:10:22.0390 3884 CryptSvc - ok
21:10:22.0406 3884 dac2w2k - ok
21:10:22.0406 3884 dac960nt - ok
21:10:22.0500 3884 [ 24B5D53B9ACCC1E2EDCF0A878D6659D4 ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
21:10:22.0546 3884 DcomLaunch - ok
21:10:22.0609 3884 [ EF545E1A4B043DA4C84E230DD471C55F ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
21:10:22.0625 3884 Dhcp - ok
21:10:22.0640 3884 [ 00CA44E4534865F8A3B64F7C0984BFF0 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
21:10:22.0640 3884 Disk - ok
21:10:22.0718 3884 [ 0659E6E0A95564F958D9DF7313F7701E ] DLABMFSM C:\WINDOWS\system32\DLA\DLABMFSM.SYS
21:10:22.0718 3884 DLABMFSM - ok
21:10:22.0734 3884 [ 8691C78908F0BD66170669DB268369F2 ] DLABOIOM C:\WINDOWS\system32\DLA\DLABOIOM.SYS
21:10:22.0734 3884 DLABOIOM - ok
21:10:22.0781 3884 [ 76167B5EB2DFFC729EDC36386876B40B ] DLACDBHM C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
21:10:22.0781 3884 DLACDBHM - ok
21:10:22.0828 3884 [ 5615744A1056933B90E6AC54FEB86F35 ] DLADResM C:\WINDOWS\system32\DLA\DLADResM.SYS
21:10:22.0843 3884 DLADResM - ok
21:10:22.0859 3884 [ 1AECA2AFA5005CE4A550CF8EB55A8C88 ] DLAIFS_M C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
21:10:22.0875 3884 DLAIFS_M - ok
21:10:22.0875 3884 [ 840E7F6ABB885C72B9FFDDB022EF5B6D ] DLAOPIOM C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
21:10:22.0890 3884 DLAOPIOM - ok
21:10:22.0890 3884 [ 0294D18731AC05DA80132CE88F8A876B ] DLAPoolM C:\WINDOWS\system32\DLA\DLAPoolM.SYS
21:10:22.0906 3884 DLAPoolM - ok
21:10:22.0906 3884 [ 91886FED52A3F9966207BCE46CFD794F ] DLARTL_M C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
21:10:22.0906 3884 DLARTL_M - ok
21:10:22.0921 3884 [ CCA4E121D599D7D1706A30F603731E59 ] DLAUDFAM C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
21:10:22.0937 3884 DLAUDFAM - ok
21:10:22.0953 3884 [ 7DAB85C33135DF24419951DA4E7D38E5 ] DLAUDF_M C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
21:10:22.0968 3884 DLAUDF_M - ok
21:10:22.0968 3884 dmadmin - ok
21:10:23.0062 3884 [ C0FBB516E06E243F0CF31F597E7EBF7D ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
21:10:23.0109 3884 dmboot - ok
21:10:23.0125 3884 [ F5E7B358A732D09F4BCF2824B88B9E28 ] dmio C:\WINDOWS\system32\drivers\dmio.sys
21:10:23.0140 3884 dmio - ok
21:10:23.0203 3884 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
21:10:23.0203 3884 dmload - ok
21:10:23.0234 3884 [ 1639D9964C9E1B2ECCA95C8217D3E70D ] dmserver C:\WINDOWS\System32\dmserver.dll
21:10:23.0234 3884 dmserver - ok
21:10:23.0281 3884 [ A6F881284AC1150E37D9AE47FF601267 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
21:10:23.0281 3884 DMusic - ok
21:10:23.0312 3884 [ AAC8FFBFD61E784FA3BAC851D4A0BD5F ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
21:10:23.0312 3884 Dnscache - ok
21:10:23.0375 3884 [ AD7FC1963B152B3728E3C4F83554A576 ] dot4 C:\WINDOWS\system32\DRIVERS\Dot4.sys
21:10:23.0390 3884 dot4 - ok
21:10:23.0437 3884 [ 77CE63A8A34AE23D9FE4C7896D1DEBE7 ] Dot4Print C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
21:10:23.0453 3884 Dot4Print - ok
21:10:23.0484 3884 [ 6EC3AF6BB5B30E488A0C559921F012E1 ] dot4usb C:\WINDOWS\system32\DRIVERS\dot4usb.sys
21:10:23.0484 3884 dot4usb - ok
21:10:23.0500 3884 dpti2o - ok
21:10:23.0546 3884 [ 1ED4DBBAE9F5D558DBBA4CC450E3EB2E ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
21:10:23.0546 3884 drmkaud - ok
21:10:23.0578 3884 [ C00440385CF9F3D142917C63F989E244 ] DRVMCDB C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
21:10:23.0578 3884 DRVMCDB - ok
21:10:23.0593 3884 [ 6E6AB29D3C06E64CE81FEACDA85394B5 ] DRVNDDM C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
21:10:23.0593 3884 DRVNDDM - ok
21:10:23.0671 3884 [ 67DFF7BBBD0E80AAB7B3CF061448DB8A ] ERSvc C:\WINDOWS\System32\ersvc.dll
21:10:23.0671 3884 ERSvc - ok
21:10:23.0734 3884 [ 4712531AB7A01B7EE059853CA17D39BD ] Eventlog C:\WINDOWS\system32\services.exe
21:10:23.0750 3884 Eventlog - ok
21:10:23.0796 3884 [ 60D1A6342238378BFB7545C81EE3606C ] EventSystem C:\WINDOWS\system32\es.dll
21:10:23.0812 3884 EventSystem - ok
21:10:24.0015 3884 [ D335183519E6814DFAB4ED3DD806A943 ] EvtEng C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
21:10:24.0015 3884 EvtEng - ok
21:10:24.0046 3884 [ 3117F595E9615E04F05A54FC15A03B20 ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
21:10:24.0046 3884 Fastfat - ok
21:10:24.0140 3884 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
21:10:24.0156 3884 FastUserSwitchingCompatibility - ok
21:10:24.0171 3884 [ CED2E8396A8838E59D8FD529C680E02C ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
21:10:24.0171 3884 Fdc - ok
21:10:24.0187 3884 [ E153AB8A11DE5452BCF5AC7652DBF3ED ] Fips C:\WINDOWS\system32\drivers\Fips.sys
21:10:24.0203 3884 Fips - ok
21:10:24.0203 3884 [ 0DD1DE43115B93F4D85E889D7A86F548 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
21:10:24.0218 3884 Flpydisk - ok
21:10:24.0234 3884 [ 3D234FB6D6EE875EB009864A299BEA29 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:10:24.0234 3884 FltMgr - ok
21:10:24.0375 3884 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
21:10:24.0375 3884 FontCache3.0.0.0 - ok
21:10:24.0390 3884 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:10:24.0390 3884 Fs_Rec - ok
21:10:24.0406 3884 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:10:24.0406 3884 Ftdisk - ok
21:10:24.0468 3884 [ C0F1D4A21DE5A415DF8170616703DEBF ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:10:24.0468 3884 Gpc - ok
21:10:24.0546 3884 [ 7D074058804AD398F93CA0A08AF83FF2 ] GTIPCI21 C:\WINDOWS\system32\DRIVERS\gtipci21.sys
21:10:24.0546 3884 GTIPCI21 - ok
21:10:24.0703 3884 [ 8827911A8C37E40C027CBFC88E69D967 ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
21:10:24.0703 3884 helpsvc - ok
21:10:24.0765 3884 [ 9376E6893E52B368ABC6255BF54F0B28 ] HidServ C:\WINDOWS\System32\hidserv.dll
21:10:24.0765 3884 HidServ - ok
21:10:24.0812 3884 [ 1DE6783B918F540149AA69943BDFEBA8 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:10:24.0812 3884 hidusb - ok
21:10:24.0828 3884 hpn - ok
21:10:25.0015 3884 [ A30E97371E38EF45B0757561B2796733 ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
21:10:25.0031 3884 hpqcxs08 - ok
21:10:25.0109 3884 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
21:10:25.0109 3884 HPZid412 - ok
21:10:25.0171 3884 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
21:10:25.0171 3884 HPZipr12 - ok
21:10:25.0187 3884 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
21:10:25.0203 3884 HPZius12 - ok
21:10:25.0265 3884 [ 140BA850417896B6B3322048DE280368 ] HSFHWICH C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
21:10:25.0265 3884 HSFHWICH - ok
21:10:25.0406 3884 [ B2DFC168D6F7512FAEA085253C5A37AD ] HSF_DP C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
21:10:25.0500 3884 HSF_DP - ok
21:10:25.0578 3884 [ 9F8B0F4276F618964FD118BE4289B7CD ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
21:10:25.0593 3884 HTTP - ok
21:10:25.0656 3884 [ 064D8581ADF77C25133E7D751D917D83 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
21:10:25.0687 3884 HTTPFilter - ok
21:10:25.0687 3884 i2omgmt - ok
21:10:25.0703 3884 i2omp - ok
21:10:25.0750 3884 [ 5502B58EEF7486EE6F93F3F164DCB808 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:10:25.0750 3884 i8042prt - ok
21:10:25.0843 3884 [ 737DA0BE27652C4482AC5CDE099BFCE9 ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
21:10:25.0906 3884 ialm - ok
21:10:26.0156 3884 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
21:10:26.0203 3884 idsvc - ok
21:10:26.0234 3884 [ F8AA320C6A0409C0380E5D8A99D76EC6 ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
21:10:26.0234 3884 Imapi - ok
21:10:26.0296 3884 [ FA788520BCAC0F5D9D5CDE5615C0D931 ] ImapiService C:\WINDOWS\system32\imapi.exe
21:10:26.0296 3884 ImapiService - ok
21:10:26.0312 3884 ini910u - ok
21:10:26.0375 3884 [ 2D722B2B54AB55B2FA475EB58D7B2AAD ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
21:10:26.0390 3884 IntelIde - ok
21:10:26.0406 3884 [ 279FB78702454DFF2BB445F238C048D2 ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:10:26.0421 3884 intelppm - ok
21:10:26.0453 3884 [ 4448006B6BC60E6C027932CFC38D6855 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
21:10:26.0453 3884 Ip6Fw - ok
21:10:26.0500 3884 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:10:26.0500 3884 IpFilterDriver - ok
21:10:26.0531 3884 [ E1EC7F5DA720B640CD8FB8424F1B14BB ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:10:26.0531 3884 IpInIp - ok
21:10:26.0578 3884 [ E2168CBC7098FFE963C6F23F472A3593 ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:10:26.0593 3884 IpNat - ok
21:10:26.0609 3884 [ 64537AA5C003A6AFEEE1DF819062D0D1 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:10:26.0625 3884 IPSec - ok
21:10:26.0656 3884 [ 50708DAA1B1CBB7D6AC1CF8F56A24410 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
21:10:26.0671 3884 IRENUM - ok
21:10:26.0687 3884 [ E504F706CCB699C2596E9A3DA1596E87 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:10:26.0687 3884 isapnp - ok
21:10:26.0718 3884 [ 872D090CA5C306F62D1982BCE6302376 ] IWCA C:\WINDOWS\system32\DRIVERS\iwca.sys
21:10:26.0718 3884 IWCA - ok
21:10:26.0906 3884 [ 11C3EFB4BAC41175D03B1595DB1A4A4F ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
21:10:26.0921 3884 JavaQuickStarterService - ok
21:10:26.0937 3884 [ EBDEE8A2EE5393890A1ACEE971C4C246 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:10:26.0937 3884 Kbdclass - ok
21:10:27.0015 3884 [ E182FA8E49E8EE41B4ADC53093F3C7E6 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:10:27.0015 3884 kbdhid - ok
21:10:27.0046 3884 [ BA5DEDA4D934E6288C2F66CAF58D2562 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
21:10:27.0062 3884 kmixer - ok
21:10:27.0125 3884 [ 674D3E5A593475915DC6643317192403 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
21:10:27.0125 3884 KSecDD - ok
21:10:27.0171 3884 [ 0CB3AF149A0BAC0836022CA307C7A0F8 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
21:10:27.0203 3884 lanmanserver - ok
21:10:27.0265 3884 [ E1F27CFCD114EC9F1E1F44674B2FF9F0 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
21:10:27.0281 3884 lanmanworkstation - ok
21:10:27.0296 3884 lbrtfdc - ok
21:10:27.0343 3884 [ B3EFF6D938C572E90A07B3D87A3C7657 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
21:10:27.0359 3884 LmHosts - ok
21:10:27.0453 3884 [ F8B823414A22DBF3BEC10DCAA5F93CD8 ] McciCMService C:\Program Files\Common Files\Motive\McciCMService.exe
21:10:27.0468 3884 McciCMService - ok
21:10:27.0562 3884 [ 11F714F85530A2BD134074DC30E99FCA ] MDM C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
21:10:27.0562 3884 MDM - ok
21:10:27.0609 3884 [ 3C318B9CD391371BED62126581EE9961 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
21:10:27.0609 3884 mdmxsdk - ok
21:10:27.0640 3884 [ 95FD808E4AC22ABA025A7B3EAC0375D2 ] Messenger C:\WINDOWS\System32\msgsvc.dll
21:10:27.0640 3884 Messenger - ok
21:10:27.0687 3884 [ 729D83E56C29C510258A6E9E79FFDDC3 ] mf C:\WINDOWS\system32\DRIVERS\mf.sys
21:10:27.0687 3884 mf - ok
21:10:27.0703 3884 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
21:10:27.0703 3884 mnmdd - ok
21:10:27.0750 3884 [ F6415361201915B9FE3896B0E4E724FF ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
21:10:27.0750 3884 mnmsrvc - ok
21:10:27.0796 3884 [ 6FC6F9D7ACC36DCA9B914565A3AEDA05 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
21:10:27.0796 3884 Modem - ok
21:10:27.0812 3884 [ 34E1F0031153E491910E12551400192C ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:10:27.0812 3884 Mouclass - ok
21:10:27.0890 3884 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:10:27.0890 3884 mouhid - ok
21:10:27.0906 3884 [ 65653F3B4477F3C63E68A9659F85EE2E ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
21:10:27.0921 3884 MountMgr - ok
21:10:27.0921 3884 mraid35x - ok
21:10:27.0937 3884 [ 29414447EB5BDE2F8397DC965DBB3156 ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:10:27.0953 3884 MRxDAV - ok
21:10:28.0031 3884 [ FB6C89BB3CE282B08BDB1E3C179E1C39 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:10:28.0078 3884 MRxSmb - ok
21:10:28.0140 3884 [ C7C3D89EB0A6F3DBA622EA737FA335B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
21:10:28.0140 3884 MSDTC - ok
21:10:28.0187 3884 [ 561B3A4333CA2DBDBA28B5B956822519 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
21:10:28.0187 3884 Msfs - ok
21:10:28.0203 3884 MSIServer - ok
21:10:28.0250 3884 [ AE431A8DD3C1D0D0610CDBAC16057AD0 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:10:28.0250 3884 MSKSSRV - ok
21:10:28.0265 3884 [ 13E75FEF9DFEB08EEDED9D0246E1F448 ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:10:28.0265 3884 MSPCLOCK - ok
21:10:28.0281 3884 [ 1988A33FF19242576C3D0EF9CE785DA7 ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
21:10:28.0281 3884 MSPQM - ok
21:10:28.0328 3884 [ 469541F8BFD2B32659D5D463A6714BCE ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:10:28.0328 3884 mssmbios - ok
21:10:28.0390 3884 [ BF13612142995096AB084F2DB7F40F77 ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
21:10:28.0390 3884 MSTEE - ok
21:10:28.0406 3884 [ 82035E0F41C2DD05AE41D27FE6CF7DE1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
21:10:28.0406 3884 Mup - ok
21:10:28.0453 3884 [ 5C8DC6429C43DC6177C1FA5B76290D1A ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:10:28.0453 3884 NABTSFEC - ok
21:10:28.0515 3884 [ 558635D3AF1C7546D26067D5D9B6959E ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
21:10:28.0531 3884 NDIS - ok
21:10:28.0593 3884 [ 520CE427A8B298F54112857BCF6BDE15 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:10:28.0593 3884 NdisIP - ok
21:10:28.0640 3884 [ 08D43BBDACDF23F34D79E44ED35C1B4C ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:10:28.0640 3884 NdisTapi - ok
21:10:28.0671 3884 [ 34D6CD56409DA9A7ED573E1C90A308BF ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:10:28.0671 3884 Ndisuio - ok
21:10:28.0687 3884 [ 0B90E255A9490166AB368CD55A529893 ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:10:28.0703 3884 NdisWan - ok
21:10:28.0703 3884 [ 59FC3FB44D2669BC144FD87826BB571F ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
21:10:28.0718 3884 NDProxy - ok
21:10:28.0781 3884 [ 51C6D8BFBD4EA5B62A1BA7F4469250D3 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
21:10:28.0781 3884 Net Driver HPZ12 - ok
21:10:28.0796 3884 [ 3A2ACA8FC1D7786902CA434998D7CEB4 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
21:10:28.0796 3884 NetBIOS - ok
21:10:28.0921 3884 [ 0C80E410CD2F47134407EE7DD19CC86B ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
21:10:28.0937 3884 NetBT - ok
21:10:29.0000 3884 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDE C:\WINDOWS\system32\netdde.exe
21:10:29.0015 3884 NetDDE - ok
21:10:29.0031 3884 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
21:10:29.0031 3884 NetDDEdsdm - ok
21:10:29.0062 3884 [ 84885F9B82F4D55C6146EBF6065D75D2 ] Netlogon C:\WINDOWS\system32\lsass.exe
21:10:29.0062 3884 Netlogon - ok
21:10:29.0109 3884 [ 36739B39267914BA69AD0610A0299732 ] Netman C:\WINDOWS\System32\netman.dll
21:10:29.0125 3884 Netman - ok
21:10:29.0203 3884 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
21:10:29.0234 3884 NetTcpPortSharing - ok
21:10:29.0312 3884 [ 097722F235A1FB698BF9234E01B52637 ] Nla C:\WINDOWS\System32\mswsock.dll
21:10:29.0328 3884 Nla - ok
21:10:29.0343 3884 Normandy - ok
21:10:29.0406 3884 [ 4F601BCB8F64EA3AC0994F98FED03F8E ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
21:10:29.0421 3884 Npfs - ok
21:10:29.0453 3884 [ 19A811EF5F1ED5C926A028CE107FF1AF ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
21:10:29.0531 3884 Ntfs - ok
21:10:29.0531 3884 [ 84885F9B82F4D55C6146EBF6065D75D2 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
21:10:29.0546 3884 NtLmSsp - ok
21:10:29.0656 3884 [ B62F29C00AC55A761B2E45877D85EA0F ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
21:10:29.0703 3884 NtmsSvc - ok
21:10:29.0750 3884 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
21:10:29.0750 3884 Null - ok
21:10:29.0812 3884 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:10:29.0828 3884 NwlnkFlt - ok
21:10:29.0828 3884 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:10:29.0843 3884 NwlnkFwd - ok
21:10:29.0906 3884 [ CEC7E2C6C1FA00C7AB2F5434F848AE51 ] OMCI C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
21:10:29.0906 3884 OMCI - ok
21:10:29.0968 3884 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:10:29.0968 3884 ose - ok
21:10:30.0031 3884 [ 29744EB4CE659DFE3B4122DEB45BC478 ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
21:10:30.0031 3884 Parport - ok
21:10:30.0046 3884 [ 3334430C29DC338092F79C38EF7B4CD0 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
21:10:30.0046 3884 PartMgr - ok
21:10:30.0156 3884 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
21:10:30.0171 3884 ParVdm - ok
21:10:30.0187 3884 [ 8086D9979234B603AD5BC2F5D890B234 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
21:10:30.0187 3884 PCI - ok
21:10:30.0250 3884 PCIDump - ok
21:10:30.0265 3884 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
21:10:30.0265 3884 PCIIde - ok
21:10:30.0281 3884 [ 82A087207DECEC8456FBE8537947D579 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
21:10:30.0296 3884 Pcmcia - ok
21:10:30.0343 3884 [ AA9CFA67850893FBB168B9C4E4C86952 ] PCTCore C:\WINDOWS\system32\drivers\PCTCore.sys
21:10:30.0343 3884 PCTCore - ok
21:10:30.0359 3884 PDCOMP - ok
21:10:30.0375 3884 PDFRAME - ok
21:10:30.0390 3884 PDRELI - ok
21:10:30.0390 3884 PDRFRAME - ok
21:10:30.0406 3884 perc2 - ok
21:10:30.0421 3884 perc2hib - ok
21:10:30.0484 3884 [ 4712531AB7A01B7EE059853CA17D39BD ] PlugPlay C:\WINDOWS\system32\services.exe
21:10:30.0500 3884 PlugPlay - ok
21:10:30.0531 3884 [ 79834AA2FBF9FE81EEBB229024F6F7FC ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
21:10:30.0531 3884 Pml Driver HPZ12 - ok
21:10:30.0546 3884 [ 84885F9B82F4D55C6146EBF6065D75D2 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
21:10:30.0546 3884 PolicyAgent - ok
21:10:30.0578 3884 [ 1C5CC65AAC0783C344F16353E60B72AC ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:10:30.0578 3884 PptpMiniport - ok
21:10:30.0593 3884 [ 84885F9B82F4D55C6146EBF6065D75D2 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
21:10:30.0593 3884 ProtectedStorage - ok
21:10:30.0609 3884 [ 48671F327553DCF1D27F6197F622A668 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
21:10:30.0625 3884 PSched - ok
21:10:30.0656 3884 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:10:30.0656 3884 Ptilink - ok
21:10:30.0703 3884 [ E42E3433DBB4CFFE8FDD91EAB29AEA8E ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:10:30.0703 3884 PxHelp20 - ok
21:10:30.0718 3884 ql1080 - ok
21:10:30.0718 3884 Ql10wnt - ok
21:10:30.0734 3884 ql12160 - ok
21:10:30.0750 3884 ql1240 - ok
21:10:30.0765 3884 ql1280 - ok
21:10:30.0812 3884 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:10:30.0812 3884 RasAcd - ok
21:10:30.0875 3884 [ 44DB7A9BDD2FB58747D123FBF1D35ADB ] RasAuto C:\WINDOWS\System32\rasauto.dll
21:10:30.0875 3884 RasAuto - ok
21:10:30.0921 3884 [ 98FAEB4A4DCF812BA1C6FCA4AA3E115C ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:10:30.0921 3884 Rasl2tp - ok
21:10:31.0000 3884 [ 49B5EED5FB89D39456A2F616CCD8BA5D ] RasMan C:\WINDOWS\System32\rasmans.dll
21:10:31.0000 3884 RasMan - ok
21:10:31.0015 3884 [ 7306EEED8895454CBED4669BE9F79FAA ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:10:31.0015 3884 RasPppoe - ok
21:10:31.0031 3884 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
21:10:31.0046 3884 Raspti - ok
21:10:31.0093 3884 [ 03B965B1CA47F6EF60EB5E51CB50E0AF ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:10:31.0109 3884 Rdbss - ok
21:10:31.0125 3884 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:10:31.0125 3884 RDPCDD - ok
21:10:31.0203 3884 [ A2CAE2C60BC37E0751EF9DDA7CEAF4AD ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:10:31.0203 3884 rdpdr - ok
21:10:31.0281 3884 [ B54CD38A9EBFBF2B3561426E3FE26F62 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
21:10:31.0296 3884 RDPWD - ok
21:10:31.0343 3884 [ 729798E0933076B8FCFCD9934698F164 ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
21:10:31.0359 3884 RDSessMgr - ok
21:10:31.0359 3884 [ B31B4588E4086D8D84ADBF9845C2402B ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
21:10:31.0375 3884 redbook - ok
21:10:31.0406 3884 [ 15BA3BCEEB32C4279B27F5C3389E4847 ] RegSrvc C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
21:10:31.0421 3884 RegSrvc - ok
21:10:31.0468 3884 [ 3046DB917E3CFA040632799DD9B14865 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
21:10:31.0468 3884 RemoteAccess - ok
21:10:31.0515 3884 [ 3151427DB7D87107D1C5BE58FAC53960 ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
21:10:31.0515 3884 RemoteRegistry - ok
21:10:31.0578 3884 [ 793F04A09B15E7C6C11DBDFFAF06C0AB ] RpcLocator C:\WINDOWS\system32\locator.exe
21:10:31.0578 3884 RpcLocator - ok
21:10:31.0640 3884 [ 24B5D53B9ACCC1E2EDCF0A878D6659D4 ] RpcSs C:\WINDOWS\System32\rpcss.dll
21:10:31.0656 3884 RpcSs - ok
21:10:31.0750 3884 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
21:10:31.0750 3884 RSVP - ok
21:10:31.0921 3884 [ 93F66FAEA8BF047D4242AC85AADA403D ] RVIEG01 C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys
21:10:31.0921 3884 RVIEG01 - ok
21:10:38.0140 3884 ================ Scan global ===============================
21:10:38.0218 3884 [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll
21:10:38.0312 3884 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
21:10:38.0343 3884 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
21:10:38.0390 3884 [ 4712531AB7A01B7EE059853CA17D39BD ] C:\WINDOWS\system32\services.exe
21:10:38.0406 3884 [Global] - ok
21:10:38.0406 3884 ================ Scan MBR ==================================
21:10:38.0437 3884 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
21:10:38.0437 3884 Suspicious mbr (Forged): \Device\Harddisk0\DR0
21:10:38.0468 3884 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
21:10:38.0468 3884 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
21:10:38.0484 3884 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR3
21:10:47.0640 3884 \Device\Harddisk1\DR3 - ok
21:10:47.0640 3884 ================ Scan VBR ==================================
21:10:47.0703 3884 [ C670B0642E80197B8CB8AB3716B8549C ] \Device\Harddisk0\DR0\Partition1
21:10:47.0703 3884 \Device\Harddisk0\DR0\Partition1 - ok
21:10:47.0718 3884 [ EC6584F4F757CB8CE17A1987F47175F9 ] \Device\Harddisk1\DR3\Partition1
21:10:47.0718 3884 \Device\Harddisk1\DR3\Partition1 - ok
21:10:47.0718 3884 ============================================================
21:10:47.0718 3884 Scan finished
21:10:47.0718 3884 ============================================================
21:10:47.0781 3876 Detected object count: 1
21:10:47.0781 3876 Actual detected object count: 1
21:11:10.0781 3876 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - skipped by user
21:11:10.0781 3876 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Skip


----------



## Cookiegal (Aug 27, 2003)

Yes, scan again with TDSSKiller, and this time choose the option to "cure" the infection, then post back a new log, please.


----------



## wdauser (Mar 30, 2011)

00:21:25.0968 4012 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
00:21:27.0703 4012 ============================================================
00:21:27.0703 4012 Current date / time: 2012/09/27 00:21:27.0703
00:21:27.0703 4012 SystemInfo:
00:21:27.0703 4012 
00:21:27.0703 4012 OS Version: 5.1.2600 ServicePack: 2.0
00:21:27.0703 4012 Product type: Workstation
00:21:27.0703 4012 ComputerName: WILLIEDINISH
00:21:27.0703 4012 UserName: willie_dinish
00:21:27.0703 4012 Windows directory: C:\WINDOWS
00:21:27.0703 4012 System windows directory: C:\WINDOWS
00:21:27.0703 4012 Processor architecture: Intel x86
00:21:27.0703 4012 Number of processors: 1
00:21:27.0703 4012 Page size: 0x1000
00:21:27.0703 4012 Boot type: Normal boot
00:21:27.0703 4012 ============================================================
00:21:52.0625 4012 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1C80, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
00:21:52.0656 4012 Drive \Device\Harddisk1\DR3 - Size: 0x3C000000 (0.94 Gb), SectorSize: 0x200, Cylinders: 0x7A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
00:21:52.0656 4012 ============================================================
00:21:52.0656 4012 \Device\Harddisk0\DR0:
00:21:52.0656 4012 MBR partitions:
00:21:52.0656 4012 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2B24B, BlocksNum 0x6F98B74
00:21:52.0656 4012 \Device\Harddisk1\DR3:
00:21:52.0656 4012 MBR partitions:
00:21:52.0656 4012 \Device\Harddisk1\DR3\Partition1: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x1DFFE0
00:21:52.0656 4012 ============================================================
00:21:52.0718 4012 C: <-> \Device\Harddisk0\DR0\Partition1
00:21:52.0750 4012 ============================================================
00:21:52.0750 4012 Initialize success
00:21:52.0750 4012 ============================================================
00:21:58.0187 3008 ============================================================
00:21:58.0187 3008 Scan started
00:21:58.0187 3008 Mode: Manual; 
00:21:58.0187 3008 ============================================================
00:22:03.0640 3008 ================ Scan system memory ========================
00:22:12.0296 3008 System memory - ok
00:22:12.0312 3008 ================ Scan services =============================
00:22:38.0109 3008 NtLmSsp - ok
00:22:38.0187 3008 [ B62F29C00AC55A761B2E45877D85EA0F ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
00:22:38.0218 3008 NtmsSvc - ok
00:22:38.0296 3008 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
00:22:38.0296 3008 Null - ok
00:22:38.0343 3008 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:22:38.0343 3008 NwlnkFlt - ok
00:22:38.0359 3008 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:22:38.0359 3008 NwlnkFwd - ok
00:22:38.0437 3008 [ CEC7E2C6C1FA00C7AB2F5434F848AE51 ] OMCI C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
00:22:38.0437 3008 OMCI - ok
00:22:38.0500 3008 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
00:22:38.0500 3008 ose - ok
00:22:38.0546 3008 [ 29744EB4CE659DFE3B4122DEB45BC478 ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
00:22:38.0562 3008 Parport - ok
00:22:38.0578 3008 [ 3334430C29DC338092F79C38EF7B4CD0 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
00:22:38.0578 3008 PartMgr - ok
00:22:38.0640 3008 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
00:22:38.0640 3008 ParVdm - ok
00:22:38.0656 3008 [ 8086D9979234B603AD5BC2F5D890B234 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
00:22:38.0656 3008 PCI - ok
00:22:38.0687 3008 PCIDump - ok
00:22:38.0703 3008 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
00:22:38.0703 3008 PCIIde - ok
00:22:38.0734 3008 [ 82A087207DECEC8456FBE8537947D579 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
00:22:38.0734 3008 Pcmcia - ok
00:22:38.0781 3008 [ AA9CFA67850893FBB168B9C4E4C86952 ] PCTCore C:\WINDOWS\system32\drivers\PCTCore.sys
00:22:38.0781 3008 PCTCore - ok
00:22:38.0796 3008 PDCOMP - ok
00:22:38.0812 3008 PDFRAME - ok
00:22:38.0828 3008 PDRELI - ok
00:22:38.0843 3008 PDRFRAME - ok
00:22:38.0859 3008 perc2 - ok
00:22:38.0875 3008 perc2hib - ok
00:22:38.0953 3008 [ 4712531AB7A01B7EE059853CA17D39BD ] PlugPlay C:\WINDOWS\system32\services.exe
00:22:38.0953 3008 PlugPlay - ok
00:22:38.0984 3008 [ 79834AA2FBF9FE81EEBB229024F6F7FC ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
00:22:38.0984 3008 Pml Driver HPZ12 - ok
00:22:39.0000 3008 [ 84885F9B82F4D55C6146EBF6065D75D2 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
00:22:39.0000 3008 PolicyAgent - ok
00:22:39.0062 3008 [ 1C5CC65AAC0783C344F16353E60B72AC ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:22:39.0062 3008 PptpMiniport - ok
00:22:39.0078 3008 [ 84885F9B82F4D55C6146EBF6065D75D2 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
00:22:39.0078 3008 ProtectedStorage - ok
00:22:39.0093 3008 [ 48671F327553DCF1D27F6197F622A668 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
00:22:39.0109 3008 PSched - ok
00:22:39.0156 3008 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:22:39.0156 3008 Ptilink - ok
00:22:39.0187 3008 [ E42E3433DBB4CFFE8FDD91EAB29AEA8E ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
00:22:39.0203 3008 PxHelp20 - ok
00:22:39.0203 3008 ql1080 - ok
00:22:39.0218 3008 Ql10wnt - ok
00:22:39.0234 3008 ql12160 - ok
00:22:39.0250 3008 ql1240 - ok
00:22:39.0265 3008 ql1280 - ok
00:22:39.0312 3008 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:22:39.0312 3008 RasAcd - ok
00:22:39.0375 3008 [ 44DB7A9BDD2FB58747D123FBF1D35ADB ] RasAuto C:\WINDOWS\System32\rasauto.dll
00:22:39.0375 3008 RasAuto - ok
00:22:39.0421 3008 [ 98FAEB4A4DCF812BA1C6FCA4AA3E115C ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:22:39.0421 3008 Rasl2tp - ok
00:22:39.0546 3008 [ 49B5EED5FB89D39456A2F616CCD8BA5D ] RasMan C:\WINDOWS\System32\rasmans.dll
00:22:39.0546 3008 RasMan - ok
00:22:39.0578 3008 [ 7306EEED8895454CBED4669BE9F79FAA ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:22:39.0578 3008 RasPppoe - ok
00:22:39.0593 3008 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
00:22:39.0593 3008 Raspti - ok
00:22:39.0734 3008 [ 03B965B1CA47F6EF60EB5E51CB50E0AF ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:22:39.0734 3008 Rdbss - ok
00:22:39.0750 3008 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:22:39.0750 3008 RDPCDD - ok
00:22:39.0890 3008 [ A2CAE2C60BC37E0751EF9DDA7CEAF4AD ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
00:22:40.0109 3008 rdpdr - ok
00:22:40.0218 3008 [ B54CD38A9EBFBF2B3561426E3FE26F62 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
00:22:40.0312 3008 RDPWD - ok
00:22:40.0468 3008 [ 729798E0933076B8FCFCD9934698F164 ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
00:22:40.0500 3008 RDSessMgr - ok
00:22:40.0546 3008 [ B31B4588E4086D8D84ADBF9845C2402B ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
00:22:40.0546 3008 redbook - ok
00:22:40.0609 3008 [ 15BA3BCEEB32C4279B27F5C3389E4847 ] RegSrvc C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
00:22:40.0609 3008 RegSrvc - ok
00:22:40.0734 3008 [ 3046DB917E3CFA040632799DD9B14865 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
00:22:40.0796 3008 RemoteAccess - ok
00:22:41.0000 3008 [ 3151427DB7D87107D1C5BE58FAC53960 ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
00:22:41.0031 3008 RemoteRegistry - ok
00:22:41.0171 3008 [ 793F04A09B15E7C6C11DBDFFAF06C0AB ] RpcLocator C:\WINDOWS\system32\locator.exe
00:22:41.0203 3008 RpcLocator - ok
00:22:41.0265 3008 [ 24B5D53B9ACCC1E2EDCF0A878D6659D4 ] RpcSs C:\WINDOWS\System32\rpcss.dll
00:22:41.0265 3008 RpcSs - ok
00:22:41.0359 3008 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
00:22:41.0406 3008 RSVP - ok
00:22:41.0593 3008 [ 93F66FAEA8BF047D4242AC85AADA403D ] RVIEG01 C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys
00:22:41.0593 3008 RVIEG01 - ok
00:22:41.0796 3008 [ 79A647519CA3E700E9738153F788FB7D ] S24EventMonitor C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
00:22:41.0796 3008 S24EventMonitor - ok
00:22:41.0875 3008 [ 81AA6F0D6A2BE1C550F814B036215888 ] s24trans C:\WINDOWS\system32\DRIVERS\s24trans.sys
00:22:41.0906 3008 s24trans - ok
00:22:41.0953 3008 [ 84885F9B82F4D55C6146EBF6065D75D2 ] SamSs C:\WINDOWS\system32\lsass.exe
00:22:41.0953 3008 SamSs - ok
00:22:42.0015 3008 [ 25D8DE134DF108E3DBC8D7D23B1AA58E ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
00:22:42.0031 3008 SCardSvr - ok
00:22:42.0093 3008 [ 92360854316611F6CC471612213C3D92 ] Schedule C:\WINDOWS\system32\schedsvc.dll
00:22:42.0125 3008 Schedule - ok
00:22:42.0453 3008 [ 2881D5C135D076BCF52B0F5AD3D8DC0B ] sdAuxService C:\Program Files\Spyware Doctor\pctsAuxs.exe
00:22:42.0468 3008 sdAuxService - ok
00:22:42.0953 3008 [ 9CACA3FAD05C4B0D7967592E65B338F1 ] sdCoreService C:\Program Files\Spyware Doctor\pctsSvc.exe
00:22:43.0140 3008 sdCoreService - ok
00:22:43.0234 3008 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:22:43.0265 3008 Secdrv - ok
00:22:43.0281 3008 [ B1E0CE09895376871746F36DC5773B4F ] seclogon C:\WINDOWS\System32\seclogon.dll
00:22:43.0281 3008 seclogon - ok
00:22:43.0343 3008 [ DFD9870CF39C791D86C4C209DA9FA919 ] SENS C:\WINDOWS\system32\sens.dll
00:22:43.0375 3008 SENS - ok
00:22:43.0421 3008 [ A2D868AEEFF612E70E213C451A70CAFB ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
00:22:43.0437 3008 serenum - ok
00:22:43.0453 3008 [ CD9404D115A00D249F70A371B46D5A26 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
00:22:43.0453 3008 Serial - ok
00:22:43.0562 3008 [ 0D13B6DF6E9E101013A7AFB0CE629FE0 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
00:22:43.0578 3008 Sfloppy - ok
00:22:43.0671 3008 [ 36CC8C01B5E50163037BEF56CB96DEFF ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
00:22:43.0718 3008 SharedAccess - ok
00:22:43.0765 3008 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
00:22:43.0781 3008 ShellHWDetection - ok
00:22:43.0796 3008 Simbad - ok
00:22:43.0859 3008 [ 5CAEED86821FA2C6139E32E9E05CCDC9 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
00:22:43.0859 3008 SLIP - ok
00:22:43.0875 3008 Sparrow - ok
00:22:43.0953 3008 [ 0CE218578FFF5F4F7E4201539C45C78F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
00:22:43.0953 3008 splitter - ok
00:22:44.0015 3008 [ DA81EC57ACD4CDC3D4C51CF3D409AF9F ] Spooler C:\WINDOWS\system32\spoolsv.exe
00:22:44.0031 3008 Spooler - ok
00:22:44.0062 3008 [ E41B6D037D6CD08461470AF04500DC24 ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
00:22:44.0062 3008 sr - ok
00:22:44.0140 3008 [ 92BDF74F12D6CBEC43C94D4B7F804838 ] srservice C:\WINDOWS\system32\srsvc.dll
00:22:44.0140 3008 srservice - ok
00:22:44.0218 3008 [ 7A4F147CC6B133F905F6E65E2F8669FB ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
00:22:44.0234 3008 Srv - ok
00:22:44.0296 3008 [ 4B8D61792F7175BED48859CC18CE4E38 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
00:22:44.0312 3008 SSDPSRV - ok
00:22:44.0390 3008 [ 305CC42945A713347F978D78566113F3 ] STAC97 C:\WINDOWS\system32\drivers\STAC97.sys
00:22:44.0390 3008 STAC97 - ok
00:22:44.0609 3008 [ B6763F8534AC547CF1AF98AFDFF2EDC8 ] stisvc C:\WINDOWS\system32\wiaservc.dll
00:22:44.0671 3008 stisvc - ok
00:22:44.0812 3008 [ 51778FD315C9882F1CBD932743E62A72 ] stllssvr C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
00:22:44.0859 3008 stllssvr - ok
00:22:44.0875 3008 [ 284C57DF5DC7ABCA656BC2B96A667AFB ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
00:22:44.0890 3008 streamip - ok
00:22:44.0953 3008 [ 03C1BAE4766E2450219D20B993D6E046 ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
00:22:45.0000 3008 swenum - ok
00:22:45.0046 3008 [ 94ABC808FC4B6D7D2BBF42B85E25BB4D ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
00:22:45.0078 3008 swmidi - ok
00:22:45.0093 3008 SwPrv - ok
00:22:45.0109 3008 symc810 - ok
00:22:45.0125 3008 symc8xx - ok
00:22:45.0140 3008 sym_hi - ok
00:22:45.0156 3008 sym_u3 - ok
00:22:45.0203 3008 [ 650AD082D46BAC0E64C9C0E0928492FD ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
00:22:45.0234 3008 sysaudio - ok
00:22:45.0328 3008 [ 8B54AA346D1B1B113FFAA75501B8B1B2 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
00:22:45.0390 3008 SysmonLog - ok
00:22:45.0500 3008 [ FB78839B36025AA286A51289ED28B73E ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
00:22:45.0515 3008 TapiSrv - ok
00:22:45.0546 3008 [ 2A5554FC5B1E04E131230E3CE035C3F9 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:22:45.0656 3008 Tcpip - ok
00:22:45.0687 3008 [ 38D437CF2D98965F239B0ABCD66DCB0F ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
00:22:45.0734 3008 TDPIPE - ok
00:22:45.0781 3008 [ ED0580AF02502D00AD8C4C066B156BE9 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
00:22:45.0796 3008 TDTCP - ok
00:22:45.0828 3008 [ A540A99C281D933F3D69D55E48727F47 ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
00:22:45.0828 3008 TermDD - ok
00:22:45.0890 3008 [ B60C877D16D9C880B952FDA04ADF16E6 ] TermService C:\WINDOWS\System32\termsrv.dll
00:22:45.0906 3008 TermService - ok
00:22:45.0968 3008 [ 95746E5B1473432F3D9458940DBA6E3A ] TfFsMon C:\WINDOWS\system32\drivers\TfFsMon.sys
00:22:45.0984 3008 TfFsMon - ok
00:22:46.0062 3008 [ 02FFDD873E31C5C2D57CA87D11EC36AF ] TfNetMon C:\WINDOWS\system32\drivers\TfNetMon.sys
00:22:46.0062 3008 TfNetMon - ok
00:22:46.0093 3008 [ F8BD92251AB439383C051CE907D78CCE ] TfSysMon C:\WINDOWS\system32\drivers\TfSysMon.sys
00:22:46.0109 3008 TfSysMon - ok
00:22:46.0187 3008 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] Themes C:\WINDOWS\System32\shsvcs.dll
00:22:46.0203 3008 Themes - ok
00:22:46.0265 3008 ThreatFire - ok
00:22:46.0296 3008 [ 37DB0A7D097310E8B4DE803FC3119C78 ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
00:22:46.0312 3008 TlntSvr - ok
00:22:46.0328 3008 TosIde - ok
00:22:46.0375 3008 [ 6D9AC544B30F96C57F8206566C1FB6A1 ] TrkWks C:\WINDOWS\system32\trkwks.dll
00:22:46.0390 3008 TrkWks - ok
00:22:46.0453 3008 [ 3858EFF2133F182A9321CF7C8F74DAD6 ] UdfReadr C:\WINDOWS\system32\drivers\UdfReadr.sys
00:22:46.0484 3008 UdfReadr - ok
00:22:46.0531 3008 [ 12F70256F140CD7D52C58C7048FDE657 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
00:22:46.0578 3008 Udfs - ok
00:22:46.0609 3008 UIUSys - ok
00:22:46.0625 3008 ultra - ok
00:22:46.0671 3008 [ BB879DCFD22926EFBEB3298129898CBB ] UnlockerDriver5 C:\Program Files\Unlocker\UnlockerDriver5.sys
00:22:46.0687 3008 UnlockerDriver5 - ok
00:22:46.0906 3008 [ CED744117E91BDC0BEB810F7D8608183 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
00:22:46.0984 3008 Update - ok
00:22:47.0015 3008 [ 8827911A8C37E40C027CBFC88E69D967 ] uploadmgr C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
00:22:47.0015 3008 uploadmgr - ok
00:22:47.0140 3008 [ ACA5D98663D879C6BAAFCEA7E2F1B710 ] upnphost C:\WINDOWS\System32\upnphost.dll
00:22:47.0171 3008 upnphost - ok
00:22:47.0218 3008 [ 3F5DF65B0758675F95A2D43918A740A3 ] UPS C:\WINDOWS\System32\ups.exe
00:22:47.0234 3008 UPS - ok
00:22:47.0343 3008 [ 45A0D14B26C35497AD93BCE7E15C9941 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
00:22:47.0343 3008 usbaudio - ok
00:22:47.0390 3008 [ BFFD9F120CC63BCBAA3D840F3EEF9F79 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:22:47.0406 3008 usbccgp - ok
00:22:47.0437 3008 [ 15E993BA2F6946B2BFBBFCD30398621E ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:22:47.0468 3008 usbehci - ok
00:22:47.0484 3008 [ C72F40947F92CEA56A8FB532EDF025F1 ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:22:47.0515 3008 usbhub - ok
00:22:47.0546 3008 [ A42369B7CD8886CD7C70F33DA6FCBCF5 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
00:22:47.0562 3008 usbprint - ok
00:22:47.0578 3008 [ A6BC71402F4F7DD5B77FD7F4A8DDBA85 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
00:22:47.0593 3008 usbscan - ok
00:22:47.0625 3008 [ 6CD7B22193718F1D17A47A1CD6D37E75 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:22:47.0625 3008 USBSTOR - ok
00:22:47.0671 3008 [ F8FD1400092E23C8F2F31406EF06167B ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
00:22:47.0718 3008 usbuhci - ok
00:22:47.0812 3008 [ 8968FF3973A883C49E8B564200F565B9 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
00:22:47.0875 3008 usbvideo - ok
00:22:47.0906 3008 [ 8A60EDD72B4EA5AEA8202DAF0E427925 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
00:22:47.0906 3008 VgaSave - ok
00:22:47.0921 3008 ViaIde - ok
00:22:47.0984 3008 [ EE4660083DEBA849FF6C485D944B379B ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
00:22:48.0000 3008 VolSnap - ok
00:22:48.0203 3008 [ 3EE00364AE0FD8D604F46CBAF512838A ] VSS C:\WINDOWS\System32\vssvc.exe
00:22:48.0250 3008 VSS - ok
00:22:48.0593 3008 [ F0F902220910C4FBE42A51964BD33599 ] w29n51 C:\WINDOWS\system32\DRIVERS\w29n51.sys
00:22:49.0078 3008 w29n51 - ok
00:22:49.0140 3008 [ 2B281958F5D0CF99ED626E3EF39D5C8D ] W32Time C:\WINDOWS\system32\w32time.dll
00:22:49.0390 3008 W32Time - ok
00:22:49.0453 3008 [ 984EF0B9788ABF89974CFED4BFBAACBC ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:22:49.0531 3008 Wanarp - ok
00:22:49.0546 3008 WDICA - ok
00:22:49.0593 3008 [ EFD235CA22B57C81118C1AEB4798F1C1 ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
00:22:49.0640 3008 wdmaud - ok
00:22:49.0734 3008 [ 265F534EF76832435AFBF771EC97176D ] WebClient C:\WINDOWS\System32\webclnt.dll
00:22:49.0796 3008 WebClient - ok
00:22:50.0031 3008 [ 2DC7C0B6175A0A8ED84A4F70199C93B5 ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
00:22:50.0140 3008 winachsf - ok
00:22:50.0515 3008 [ F399242A80C4066FD155EFA4CF96658E ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
00:22:50.0593 3008 winmgmt - ok
00:22:50.0671 3008 [ 43ED73F10DE96E0A23244BD9CF04F5C2 ] WLANKEEPER C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
00:22:50.0734 3008 WLANKEEPER - ok
00:22:50.0796 3008 [ 36678803A8030EE9A771935CFC1848BD ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
00:22:50.0859 3008 WmdmPmSN - ok
00:22:50.0953 3008 [ E8E57B0F9EB03D1AABEC28D550C75116 ] Wmi C:\WINDOWS\System32\advapi32.dll
00:22:51.0046 3008 Wmi - ok
00:22:51.0109 3008 [ BA8CECC3E813E1F7C441B20393D4F86C ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
00:22:51.0171 3008 WmiApSrv - ok
00:22:51.0234 3008 [ 4D59DAA66C60858CDF4F67A900F42D4A ] wscsvc C:\WINDOWS\system32\wscsvc.dll
00:22:51.0312 3008 wscsvc - ok
00:22:51.0343 3008 [ D5842484F05E12121C511AA93F6439EC ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
00:22:51.0437 3008 WSTCODEC - ok
00:22:51.0468 3008 [ 13D72740963CBA12D9FF76A7F218BCD8 ] wuauserv C:\WINDOWS\system32\wuauserv.dll
00:22:51.0531 3008 wuauserv - ok
00:22:51.0578 3008 [ 5A91E6FEAB9F901302FA7FF768C0120F ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
00:22:51.0671 3008 WZCSVC - ok
00:22:51.0750 3008 [ EEF46DAB68229A14DA3D8E73C99E2959 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
00:22:51.0843 3008 xmlprov - ok
00:22:51.0875 3008 ================ Scan global ===============================
00:22:51.0937 3008 [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll
00:22:52.0078 3008 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
00:22:52.0234 3008 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
00:22:52.0375 3008 [ 4712531AB7A01B7EE059853CA17D39BD ] C:\WINDOWS\system32\services.exe
00:22:52.0453 3008 [Global] - ok
00:22:52.0453 3008 ================ Scan MBR ==================================
00:22:52.0484 3008 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
00:22:52.0484 3008 Suspicious mbr (Forged): \Device\Harddisk0\DR0
00:22:52.0515 3008 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
00:22:52.0515 3008 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
00:22:52.0546 3008 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR3
00:23:00.0859 3008 \Device\Harddisk1\DR3 - ok
00:23:00.0859 3008 ================ Scan VBR ==================================
00:23:00.0937 3008 [ C670B0642E80197B8CB8AB3716B8549C ] \Device\Harddisk0\DR0\Partition1
00:23:01.0000 3008 \Device\Harddisk0\DR0\Partition1 - ok
00:23:01.0000 3008 [ EC6584F4F757CB8CE17A1987F47175F9 ] \Device\Harddisk1\DR3\Partition1
00:23:01.0015 3008 \Device\Harddisk1\DR3\Partition1 - ok
00:23:01.0015 3008 ============================================================
00:23:01.0015 3008 Scan finished
00:23:01.0015 3008 ============================================================
00:23:01.0062 2964 Detected object count: 1
00:23:01.0062 2964 Actual detected object count: 1
00:23:41.0281 2964 \Device\Harddisk0\DR0\# - copied to quarantine
00:23:41.0281 2964 \Device\Harddisk0\DR0 - copied to quarantine
00:23:41.0328 2964 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
00:23:41.0343 2964 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
00:23:41.0359 2964 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
00:23:41.0359 2964 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
00:23:41.0375 2964 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
00:23:41.0578 2964 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
00:23:41.0593 2964 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
00:23:41.0593 2964 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
00:23:41.0609 2964 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
00:23:41.0625 2964 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
00:23:41.0625 2964 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
00:23:41.0640 2964 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
00:23:41.0656 2964 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
00:23:41.0671 2964 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
00:23:41.0828 2964 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
00:23:42.0328 2964 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
00:23:42.0328 2964 \Device\Harddisk0\DR0 - ok
00:23:42.0328 2964 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure


----------



## Cookiegal (Aug 27, 2003)

Please run TDSSKiller again and post the new log. I need to be sure the infection has been cleared.


----------



## wdauser (Mar 30, 2011)

Log enclosed. What do we do next?

19:06:49.0921 2200 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
19:06:51.0656 2200 ============================================================
19:06:51.0656 2200 Current date / time: 2012/09/27 19:06:51.0656
19:06:51.0656 2200 SystemInfo:
19:06:51.0656 2200 
19:06:51.0656 2200 OS Version: 5.1.2600 ServicePack: 2.0
19:06:51.0656 2200 Product type: Workstation
19:06:51.0656 2200 ComputerName: WILLIEDINISH
19:06:51.0656 2200 UserName: willie_dinish
19:06:51.0656 2200 Windows directory: C:\WINDOWS
19:06:51.0656 2200 System windows directory: C:\WINDOWS
19:06:51.0656 2200 Processor architecture: Intel x86
19:06:51.0656 2200 Number of processors: 1
19:06:51.0656 2200 Page size: 0x1000
19:06:51.0656 2200 Boot type: Normal boot
19:06:51.0656 2200 ============================================================
19:07:09.0015 2200 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1C80, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:07:09.0031 2200 Drive \Device\Harddisk1\DR3 - Size: 0x3C000000 (0.94 Gb), SectorSize: 0x200, Cylinders: 0x7A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
19:07:09.0031 2200 ============================================================
19:07:09.0031 2200 \Device\Harddisk0\DR0:
19:07:09.0031 2200 MBR partitions:
19:07:09.0031 2200 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2B24B, BlocksNum 0x6F98B74
19:07:09.0031 2200 \Device\Harddisk1\DR3:
19:07:09.0031 2200 MBR partitions:
19:07:09.0031 2200 \Device\Harddisk1\DR3\Partition1: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x1DFFE0
19:07:09.0031 2200 ============================================================
19:07:09.0062 2200 C: <-> \Device\Harddisk0\DR0\Partition1
19:07:09.0093 2200 ============================================================
19:07:09.0093 2200 Initialize success
19:07:09.0093 2200 ============================================================
19:07:20.0812 3548 ============================================================
19:07:20.0812 3548 Scan started
19:07:20.0812 3548 Mode: Manual; 
19:07:20.0812 3548 ============================================================
19:07:23.0359 3548 ================ Scan system memory ========================
19:07:28.0234 3548 System memory - ok
19:07:28.0234 3548 ================ Scan services =============================
19:07:33.0187 3548 Fips - ok
19:07:33.0203 3548 [ 0DD1DE43115B93F4D85E889D7A86F548 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
19:07:33.0203 3548 Flpydisk - ok
19:07:33.0218 3548 [ 3D234FB6D6EE875EB009864A299BEA29 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys
19:07:33.0218 3548 FltMgr - ok
19:07:33.0375 3548 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:07:33.0390 3548 FontCache3.0.0.0 - ok
19:07:33.0406 3548 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:07:33.0406 3548 Fs_Rec - ok
19:07:33.0421 3548 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:07:33.0421 3548 Ftdisk - ok
19:07:33.0468 3548 [ C0F1D4A21DE5A415DF8170616703DEBF ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:07:33.0468 3548 Gpc - ok
19:07:33.0546 3548 [ 7D074058804AD398F93CA0A08AF83FF2 ] GTIPCI21 C:\WINDOWS\system32\DRIVERS\gtipci21.sys
19:07:33.0562 3548 GTIPCI21 - ok
19:07:33.0703 3548 [ 8827911A8C37E40C027CBFC88E69D967 ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:07:33.0703 3548 helpsvc - ok
19:07:33.0781 3548 [ 9376E6893E52B368ABC6255BF54F0B28 ] HidServ C:\WINDOWS\System32\hidserv.dll
19:07:33.0781 3548 HidServ - ok
19:07:33.0812 3548 [ 1DE6783B918F540149AA69943BDFEBA8 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:07:33.0812 3548 hidusb - ok
19:07:33.0828 3548 hpn - ok
19:07:34.0015 3548 [ A30E97371E38EF45B0757561B2796733 ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
19:07:34.0031 3548 hpqcxs08 - ok
19:07:34.0109 3548 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
19:07:34.0125 3548 HPZid412 - ok
19:07:34.0171 3548 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
19:07:34.0171 3548 HPZipr12 - ok
19:07:34.0187 3548 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
19:07:34.0187 3548 HPZius12 - ok
19:07:34.0250 3548 [ 140BA850417896B6B3322048DE280368 ] HSFHWICH C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
19:07:34.0265 3548 HSFHWICH - ok
19:07:34.0390 3548 [ B2DFC168D6F7512FAEA085253C5A37AD ] HSF_DP C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
19:07:34.0500 3548 HSF_DP - ok
19:07:34.0593 3548 [ 9F8B0F4276F618964FD118BE4289B7CD ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
19:07:34.0593 3548 HTTP - ok
19:07:34.0656 3548 [ 064D8581ADF77C25133E7D751D917D83 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
19:07:34.0671 3548 HTTPFilter - ok
19:07:34.0687 3548 i2omgmt - ok
19:07:34.0703 3548 i2omp - ok
19:07:34.0750 3548 [ 5502B58EEF7486EE6F93F3F164DCB808 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:07:34.0765 3548 i8042prt - ok
19:07:34.0875 3548 [ 737DA0BE27652C4482AC5CDE099BFCE9 ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:07:34.0937 3548 ialm - ok
19:07:35.0171 3548 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:07:35.0218 3548 idsvc - ok
19:07:35.0250 3548 [ F8AA320C6A0409C0380E5D8A99D76EC6 ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
19:07:35.0250 3548 Imapi - ok
19:07:35.0296 3548 [ FA788520BCAC0F5D9D5CDE5615C0D931 ] ImapiService C:\WINDOWS\system32\imapi.exe
19:07:35.0312 3548 ImapiService - ok
19:07:35.0328 3548 ini910u - ok
19:07:35.0390 3548 [ 2D722B2B54AB55B2FA475EB58D7B2AAD ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
19:07:35.0390 3548 IntelIde - ok
19:07:35.0406 3548 [ 279FB78702454DFF2BB445F238C048D2 ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:07:35.0406 3548 intelppm - ok
19:07:35.0453 3548 [ 4448006B6BC60E6C027932CFC38D6855 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
19:07:35.0453 3548 Ip6Fw - ok
19:07:35.0500 3548 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:07:35.0500 3548 IpFilterDriver - ok
19:07:35.0515 3548 [ E1EC7F5DA720B640CD8FB8424F1B14BB ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:07:35.0531 3548 IpInIp - ok
19:07:35.0578 3548 [ E2168CBC7098FFE963C6F23F472A3593 ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:07:35.0578 3548 IpNat - ok
19:07:35.0609 3548 [ 64537AA5C003A6AFEEE1DF819062D0D1 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:07:35.0609 3548 IPSec - ok
19:07:35.0656 3548 [ 50708DAA1B1CBB7D6AC1CF8F56A24410 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
19:07:35.0671 3548 IRENUM - ok
19:07:35.0687 3548 [ E504F706CCB699C2596E9A3DA1596E87 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:07:35.0687 3548 isapnp - ok
19:07:35.0765 3548 [ 872D090CA5C306F62D1982BCE6302376 ] IWCA C:\WINDOWS\system32\DRIVERS\iwca.sys
19:07:35.0765 3548 IWCA - ok
19:07:35.0937 3548 [ 11C3EFB4BAC41175D03B1595DB1A4A4F ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
19:07:35.0937 3548 JavaQuickStarterService - ok
19:07:35.0968 3548 [ EBDEE8A2EE5393890A1ACEE971C4C246 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:07:35.0984 3548 Kbdclass - ok
19:07:36.0062 3548 [ E182FA8E49E8EE41B4ADC53093F3C7E6 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:07:36.0062 3548 kbdhid - ok
19:07:36.0093 3548 [ BA5DEDA4D934E6288C2F66CAF58D2562 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
19:07:36.0093 3548 kmixer - ok
19:07:36.0140 3548 [ 674D3E5A593475915DC6643317192403 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
19:07:36.0140 3548 KSecDD - ok
19:07:36.0203 3548 [ 0CB3AF149A0BAC0836022CA307C7A0F8 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
19:07:36.0203 3548 lanmanserver - ok
19:07:36.0281 3548 [ E1F27CFCD114EC9F1E1F44674B2FF9F0 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
19:07:36.0281 3548 lanmanworkstation - ok
19:07:36.0296 3548 lbrtfdc - ok
19:07:36.0375 3548 [ B3EFF6D938C572E90A07B3D87A3C7657 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
19:07:36.0375 3548 LmHosts - ok
19:07:36.0484 3548 [ F8B823414A22DBF3BEC10DCAA5F93CD8 ] McciCMService C:\Program Files\Common Files\Motive\McciCMService.exe
19:07:36.0484 3548 McciCMService - ok
19:07:36.0578 3548 [ 11F714F85530A2BD134074DC30E99FCA ] MDM C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
19:07:36.0578 3548 MDM - ok
19:07:36.0609 3548 [ 3C318B9CD391371BED62126581EE9961 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:07:36.0609 3548 mdmxsdk - ok
19:07:36.0640 3548 [ 95FD808E4AC22ABA025A7B3EAC0375D2 ] Messenger C:\WINDOWS\System32\msgsvc.dll
19:07:36.0640 3548 Messenger - ok
19:07:36.0687 3548 [ 729D83E56C29C510258A6E9E79FFDDC3 ] mf C:\WINDOWS\system32\DRIVERS\mf.sys
19:07:36.0703 3548 mf - ok
19:07:36.0703 3548 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
19:07:36.0718 3548 mnmdd - ok
19:07:36.0750 3548 [ F6415361201915B9FE3896B0E4E724FF ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
19:07:36.0765 3548 mnmsrvc - ok
19:07:36.0796 3548 [ 6FC6F9D7ACC36DCA9B914565A3AEDA05 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
19:07:36.0796 3548 Modem - ok
19:07:36.0812 3548 [ 34E1F0031153E491910E12551400192C ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:07:36.0828 3548 Mouclass - ok
19:07:36.0890 3548 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:07:36.0890 3548 mouhid - ok
19:07:36.0921 3548 [ 65653F3B4477F3C63E68A9659F85EE2E ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
19:07:36.0921 3548 MountMgr - ok
19:07:36.0937 3548 mraid35x - ok
19:07:36.0953 3548 [ 29414447EB5BDE2F8397DC965DBB3156 ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:07:36.0953 3548 MRxDAV - ok
19:07:37.0046 3548 [ FB6C89BB3CE282B08BDB1E3C179E1C39 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:07:37.0093 3548 MRxSmb - ok
19:07:37.0171 3548 [ C7C3D89EB0A6F3DBA622EA737FA335B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
19:07:37.0187 3548 MSDTC - ok
19:07:37.0218 3548 [ 561B3A4333CA2DBDBA28B5B956822519 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
19:07:37.0234 3548 Msfs - ok
19:07:37.0234 3548 MSIServer - ok
19:07:37.0281 3548 [ AE431A8DD3C1D0D0610CDBAC16057AD0 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:07:37.0281 3548 MSKSSRV - ok
19:07:37.0296 3548 [ 13E75FEF9DFEB08EEDED9D0246E1F448 ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:07:37.0296 3548 MSPCLOCK - ok
19:07:37.0312 3548 [ 1988A33FF19242576C3D0EF9CE785DA7 ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
19:07:37.0312 3548 MSPQM - ok
19:07:37.0468 3548 [ 469541F8BFD2B32659D5D463A6714BCE ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:07:37.0484 3548 mssmbios - ok
19:07:37.0546 3548 [ BF13612142995096AB084F2DB7F40F77 ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
19:07:37.0546 3548 MSTEE - ok
19:07:37.0562 3548 [ 82035E0F41C2DD05AE41D27FE6CF7DE1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
19:07:37.0562 3548 Mup - ok
19:07:37.0593 3548 [ 5C8DC6429C43DC6177C1FA5B76290D1A ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
19:07:37.0593 3548 NABTSFEC - ok
19:07:37.0656 3548 [ 558635D3AF1C7546D26067D5D9B6959E ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
19:07:37.0656 3548 NDIS - ok
19:07:37.0703 3548 [ 520CE427A8B298F54112857BCF6BDE15 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
19:07:37.0718 3548 NdisIP - ok
19:07:37.0765 3548 [ 08D43BBDACDF23F34D79E44ED35C1B4C ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:07:37.0765 3548 NdisTapi - ok
19:07:37.0796 3548 [ 34D6CD56409DA9A7ED573E1C90A308BF ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:07:37.0796 3548 Ndisuio - ok
19:07:37.0812 3548 [ 0B90E255A9490166AB368CD55A529893 ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:07:37.0812 3548 NdisWan - ok
19:07:37.0828 3548 [ 59FC3FB44D2669BC144FD87826BB571F ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
19:07:37.0828 3548 NDProxy - ok
19:07:37.0890 3548 [ 51C6D8BFBD4EA5B62A1BA7F4469250D3 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
19:07:37.0890 3548 Net Driver HPZ12 - ok
19:07:37.0906 3548 [ 3A2ACA8FC1D7786902CA434998D7CEB4 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
19:07:37.0906 3548 NetBIOS - ok
19:07:37.0968 3548 [ 0C80E410CD2F47134407EE7DD19CC86B ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
19:07:37.0984 3548 NetBT - ok
19:07:38.0046 3548 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDE C:\WINDOWS\system32\netdde.exe
19:07:38.0046 3548 NetDDE - ok
19:07:38.0062 3548 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
19:07:38.0062 3548 NetDDEdsdm - ok
19:07:38.0109 3548 [ 84885F9B82F4D55C6146EBF6065D75D2 ] Netlogon C:\WINDOWS\system32\lsass.exe
19:07:38.0125 3548 Netlogon - ok
19:07:38.0156 3548 [ 36739B39267914BA69AD0610A0299732 ] Netman C:\WINDOWS\System32\netman.dll
19:07:38.0171 3548 Netman - ok
19:07:38.0265 3548 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:07:38.0265 3548 NetTcpPortSharing - ok
19:07:38.0343 3548 [ 097722F235A1FB698BF9234E01B52637 ] Nla C:\WINDOWS\System32\mswsock.dll
19:07:38.0359 3548 Nla - ok
19:07:38.0375 3548 Normandy - ok
19:07:38.0421 3548 [ 4F601BCB8F64EA3AC0994F98FED03F8E ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
19:07:38.0421 3548 Npfs - ok
19:07:38.0453 3548 [ 19A811EF5F1ED5C926A028CE107FF1AF ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
19:07:38.0531 3548 Ntfs - ok
19:07:38.0546 3548 [ 84885F9B82F4D55C6146EBF6065D75D2 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
19:07:38.0546 3548 NtLmSsp - ok
19:07:38.0640 3548 [ B62F29C00AC55A761B2E45877D85EA0F ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
19:07:38.0671 3548 NtmsSvc - ok
19:07:38.0734 3548 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
19:07:38.0734 3548 Null - ok
19:07:38.0781 3548 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:07:38.0781 3548 NwlnkFlt - ok
19:07:38.0796 3548 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:07:38.0796 3548 NwlnkFwd - ok
19:07:38.0859 3548 [ CEC7E2C6C1FA00C7AB2F5434F848AE51 ] OMCI C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
19:07:38.0875 3548 OMCI - ok
19:07:38.0921 3548 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
19:07:38.0937 3548 ose - ok
19:07:38.0984 3548 [ 29744EB4CE659DFE3B4122DEB45BC478 ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
19:07:39.0000 3548 Parport - ok
19:07:39.0000 3548 [ 3334430C29DC338092F79C38EF7B4CD0 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
19:07:39.0015 3548 PartMgr - ok
19:07:39.0062 3548 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
19:07:39.0062 3548 ParVdm - ok
19:07:39.0078 3548 [ 8086D9979234B603AD5BC2F5D890B234 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
19:07:39.0078 3548 PCI - ok
19:07:39.0093 3548 PCIDump - ok
19:07:39.0109 3548 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
19:07:39.0125 3548 PCIIde - ok
19:07:39.0140 3548 [ 82A087207DECEC8456FBE8537947D579 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
19:07:39.0140 3548 Pcmcia - ok
19:07:39.0156 3548 [ AA9CFA67850893FBB168B9C4E4C86952 ] PCTCore C:\WINDOWS\system32\drivers\PCTCore.sys
19:07:39.0156 3548 PCTCore - ok
19:07:39.0171 3548 PDCOMP - ok
19:07:39.0187 3548 PDFRAME - ok
19:07:39.0187 3548 PDRELI - ok
19:07:39.0203 3548 PDRFRAME - ok
19:07:39.0218 3548 perc2 - ok
19:07:39.0218 3548 perc2hib - ok
19:07:39.0281 3548 [ 4712531AB7A01B7EE059853CA17D39BD ] PlugPlay C:\WINDOWS\system32\services.exe
19:07:39.0296 3548 PlugPlay - ok
19:07:39.0312 3548 [ 79834AA2FBF9FE81EEBB229024F6F7FC ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
19:07:39.0328 3548 Pml Driver HPZ12 - ok
19:07:39.0328 3548 [ 84885F9B82F4D55C6146EBF6065D75D2 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
19:07:39.0343 3548 PolicyAgent - ok
19:07:39.0359 3548 [ 1C5CC65AAC0783C344F16353E60B72AC ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:07:39.0375 3548 PptpMiniport - ok
19:07:39.0375 3548 [ 84885F9B82F4D55C6146EBF6065D75D2 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
19:07:39.0390 3548 ProtectedStorage - ok
19:07:39.0406 3548 [ 48671F327553DCF1D27F6197F622A668 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
19:07:39.0406 3548 PSched - ok
19:07:39.0453 3548 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:07:39.0453 3548 Ptilink - ok
19:07:39.0484 3548 [ E42E3433DBB4CFFE8FDD91EAB29AEA8E ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:07:39.0484 3548 PxHelp20 - ok
19:07:39.0500 3548 ql1080 - ok
19:07:39.0515 3548 Ql10wnt - ok
19:07:39.0531 3548 ql12160 - ok
19:07:39.0531 3548 ql1240 - ok
19:07:39.0546 3548 ql1280 - ok
19:07:39.0578 3548 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:07:39.0593 3548 RasAcd - ok
19:07:39.0656 3548 [ 44DB7A9BDD2FB58747D123FBF1D35ADB ] RasAuto C:\WINDOWS\System32\rasauto.dll
19:07:39.0656 3548 RasAuto - ok
19:07:39.0703 3548 [ 98FAEB4A4DCF812BA1C6FCA4AA3E115C ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:07:39.0703 3548 Rasl2tp - ok
19:07:39.0781 3548 [ 49B5EED5FB89D39456A2F616CCD8BA5D ] RasMan C:\WINDOWS\System32\rasmans.dll
19:07:39.0796 3548 RasMan - ok
19:07:39.0796 3548 [ 7306EEED8895454CBED4669BE9F79FAA ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:07:39.0812 3548 RasPppoe - ok
19:07:39.0812 3548 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
19:07:39.0828 3548 Raspti - ok
19:07:39.0890 3548 [ 03B965B1CA47F6EF60EB5E51CB50E0AF ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:07:39.0890 3548 Rdbss - ok
19:07:39.0906 3548 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:07:39.0906 3548 RDPCDD - ok
19:07:40.0000 3548 [ A2CAE2C60BC37E0751EF9DDA7CEAF4AD ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:07:40.0000 3548 rdpdr - ok
19:07:40.0046 3548 [ B54CD38A9EBFBF2B3561426E3FE26F62 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
19:07:40.0062 3548 RDPWD - ok
19:07:40.0109 3548 [ 729798E0933076B8FCFCD9934698F164 ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
19:07:40.0125 3548 RDSessMgr - ok
19:07:40.0125 3548 [ B31B4588E4086D8D84ADBF9845C2402B ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
19:07:40.0140 3548 redbook - ok
19:07:40.0171 3548 [ 15BA3BCEEB32C4279B27F5C3389E4847 ] RegSrvc C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
19:07:40.0187 3548 RegSrvc - ok
19:07:40.0234 3548 [ 3046DB917E3CFA040632799DD9B14865 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
19:07:40.0234 3548 RemoteAccess - ok
19:07:40.0281 3548 [ 3151427DB7D87107D1C5BE58FAC53960 ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
19:07:40.0281 3548 RemoteRegistry - ok
19:07:40.0343 3548 [ 793F04A09B15E7C6C11DBDFFAF06C0AB ] RpcLocator C:\WINDOWS\system32\locator.exe
19:07:40.0343 3548 RpcLocator - ok
19:07:40.0406 3548 [ 24B5D53B9ACCC1E2EDCF0A878D6659D4 ] RpcSs C:\WINDOWS\System32\rpcss.dll
19:07:40.0421 3548 RpcSs - ok
19:07:40.0515 3548 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
19:07:40.0515 3548 RSVP - ok
19:07:40.0609 3548 [ 93F66FAEA8BF047D4242AC85AADA403D ] RVIEG01 C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys
19:07:40.0625 3548 RVIEG01 - ok
19:07:40.0687 3548 [ 79A647519CA3E700E9738153F788FB7D ] S24EventMonitor C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
19:07:40.0687 3548 S24EventMonitor - ok
19:07:40.0750 3548 [ 81AA6F0D6A2BE1C550F814B036215888 ] s24trans C:\WINDOWS\system32\DRIVERS\s24trans.sys
19:07:40.0750 3548 s24trans - ok
19:07:40.0781 3548 [ 84885F9B82F4D55C6146EBF6065D75D2 ] SamSs C:\WINDOWS\system32\lsass.exe
19:07:40.0781 3548 SamSs - ok
19:07:40.0843 3548 [ 25D8DE134DF108E3DBC8D7D23B1AA58E ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
19:07:40.0859 3548 SCardSvr - ok
19:07:40.0921 3548 [ 92360854316611F6CC471612213C3D92 ] Schedule C:\WINDOWS\system32\schedsvc.dll
19:07:40.0937 3548 Schedule - ok
19:07:41.0093 3548 [ 2881D5C135D076BCF52B0F5AD3D8DC0B ] sdAuxService C:\Program Files\Spyware Doctor\pctsAuxs.exe
19:07:41.0093 3548 sdAuxService - ok
19:07:41.0171 3548 [ 9CACA3FAD05C4B0D7967592E65B338F1 ] sdCoreService C:\Program Files\Spyware Doctor\pctsSvc.exe
19:07:41.0265 3548 sdCoreService - ok
19:07:41.0312 3548 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:07:41.0312 3548 Secdrv - ok
19:07:41.0359 3548 [ B1E0CE09895376871746F36DC5773B4F ] seclogon C:\WINDOWS\System32\seclogon.dll
19:07:41.0359 3548 seclogon - ok
19:07:41.0390 3548 [ DFD9870CF39C791D86C4C209DA9FA919 ] SENS C:\WINDOWS\system32\sens.dll
19:07:41.0390 3548 SENS - ok
19:07:41.0453 3548 [ A2D868AEEFF612E70E213C451A70CAFB ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
19:07:41.0453 3548 serenum - ok
19:07:41.0484 3548 [ CD9404D115A00D249F70A371B46D5A26 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
19:07:41.0500 3548 Serial - ok
19:07:41.0546 3548 [ 0D13B6DF6E9E101013A7AFB0CE629FE0 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
19:07:41.0546 3548 Sfloppy - ok
19:07:41.0625 3548 [ 36CC8C01B5E50163037BEF56CB96DEFF ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
19:07:41.0671 3548 SharedAccess - ok
19:07:41.0718 3548 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
19:07:41.0734 3548 ShellHWDetection - ok
19:07:41.0734 3548 Simbad - ok
19:07:41.0796 3548 [ 5CAEED86821FA2C6139E32E9E05CCDC9 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
19:07:41.0796 3548 SLIP - ok
19:07:41.0812 3548 Sparrow - ok
19:07:41.0859 3548 [ 0CE218578FFF5F4F7E4201539C45C78F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
19:07:41.0859 3548 splitter - ok
19:07:41.0890 3548 [ DA81EC57ACD4CDC3D4C51CF3D409AF9F ] Spooler C:\WINDOWS\system32\spoolsv.exe
19:07:41.0906 3548 Spooler - ok
19:07:41.0937 3548 [ E41B6D037D6CD08461470AF04500DC24 ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
19:07:41.0953 3548 sr - ok
19:07:42.0031 3548 [ 92BDF74F12D6CBEC43C94D4B7F804838 ] srservice C:\WINDOWS\system32\srsvc.dll
19:07:42.0046 3548 srservice - ok
19:07:42.0125 3548 [ 7A4F147CC6B133F905F6E65E2F8669FB ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
19:07:42.0140 3548 Srv - ok
19:07:42.0187 3548 [ 4B8D61792F7175BED48859CC18CE4E38 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
19:07:42.0187 3548 SSDPSRV - ok
19:07:42.0265 3548 [ 305CC42945A713347F978D78566113F3 ] STAC97 C:\WINDOWS\system32\drivers\STAC97.sys
19:07:42.0281 3548 STAC97 - ok
19:07:42.0375 3548 [ B6763F8534AC547CF1AF98AFDFF2EDC8 ] stisvc C:\WINDOWS\system32\wiaservc.dll
19:07:42.0421 3548 stisvc - ok
19:07:42.0546 3548 [ 51778FD315C9882F1CBD932743E62A72 ] stllssvr C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
19:07:42.0546 3548 stllssvr - ok
19:07:42.0578 3548 [ 284C57DF5DC7ABCA656BC2B96A667AFB ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
19:07:42.0593 3548 streamip - ok
19:07:42.0625 3548 [ 03C1BAE4766E2450219D20B993D6E046 ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
19:07:42.0625 3548 swenum - ok
19:07:42.0656 3548 [ 94ABC808FC4B6D7D2BBF42B85E25BB4D ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
19:07:42.0656 3548 swmidi - ok
19:07:42.0671 3548 SwPrv - ok
19:07:42.0687 3548 symc810 - ok
19:07:42.0687 3548 symc8xx - ok
19:07:42.0703 3548 sym_hi - ok
19:07:42.0718 3548 sym_u3 - ok
19:07:42.0796 3548 [ 650AD082D46BAC0E64C9C0E0928492FD ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
19:07:42.0796 3548 sysaudio - ok
19:07:42.0875 3548 [ 8B54AA346D1B1B113FFAA75501B8B1B2 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
19:07:42.0875 3548 SysmonLog - ok
19:07:42.0921 3548 [ FB78839B36025AA286A51289ED28B73E ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
19:07:42.0937 3548 TapiSrv - ok
19:07:42.0984 3548 [ 2A5554FC5B1E04E131230E3CE035C3F9 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:07:43.0031 3548 Tcpip - ok
19:07:43.0093 3548 [ 38D437CF2D98965F239B0ABCD66DCB0F ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
19:07:43.0093 3548 TDPIPE - ok
19:07:43.0109 3548 [ ED0580AF02502D00AD8C4C066B156BE9 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
19:07:43.0125 3548 TDTCP - ok
19:07:43.0171 3548 [ A540A99C281D933F3D69D55E48727F47 ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
19:07:43.0171 3548 TermDD - ok
19:07:43.0218 3548 [ B60C877D16D9C880B952FDA04ADF16E6 ] TermService C:\WINDOWS\System32\termsrv.dll
19:07:43.0250 3548 TermService - ok
19:07:43.0281 3548 [ 95746E5B1473432F3D9458940DBA6E3A ] TfFsMon C:\WINDOWS\system32\drivers\TfFsMon.sys
19:07:43.0281 3548 TfFsMon - ok
19:07:43.0343 3548 [ 02FFDD873E31C5C2D57CA87D11EC36AF ] TfNetMon C:\WINDOWS\system32\drivers\TfNetMon.sys
19:07:43.0343 3548 TfNetMon - ok
19:07:43.0343 3548 [ F8BD92251AB439383C051CE907D78CCE ] TfSysMon C:\WINDOWS\system32\drivers\TfSysMon.sys
19:07:43.0359 3548 TfSysMon - ok
19:07:43.0390 3548 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] Themes C:\WINDOWS\System32\shsvcs.dll
19:07:43.0406 3548 Themes - ok
19:07:43.0453 3548 ThreatFire - ok
19:07:43.0500 3548 [ 37DB0A7D097310E8B4DE803FC3119C78 ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
19:07:43.0515 3548 TlntSvr - ok
19:07:43.0515 3548 TosIde - ok
19:07:43.0562 3548 [ 6D9AC544B30F96C57F8206566C1FB6A1 ] TrkWks C:\WINDOWS\system32\trkwks.dll
19:07:43.0578 3548 TrkWks - ok
19:07:43.0625 3548 [ 3858EFF2133F182A9321CF7C8F74DAD6 ] UdfReadr C:\WINDOWS\system32\drivers\UdfReadr.sys
19:07:43.0625 3548 UdfReadr - ok
19:07:43.0656 3548 [ 12F70256F140CD7D52C58C7048FDE657 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
19:07:43.0671 3548 Udfs - ok
19:07:43.0687 3548 UIUSys - ok
19:07:43.0687 3548 ultra - ok
19:07:43.0750 3548 [ BB879DCFD22926EFBEB3298129898CBB ] UnlockerDriver5 C:\Program Files\Unlocker\UnlockerDriver5.sys
19:07:43.0765 3548 UnlockerDriver5 - ok
19:07:43.0796 3548 [ CED744117E91BDC0BEB810F7D8608183 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
19:07:43.0812 3548 Update - ok
19:07:43.0843 3548 [ 8827911A8C37E40C027CBFC88E69D967 ] uploadmgr C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:07:43.0859 3548 uploadmgr - ok
19:07:43.0921 3548 [ ACA5D98663D879C6BAAFCEA7E2F1B710 ] upnphost C:\WINDOWS\System32\upnphost.dll
19:07:43.0937 3548 upnphost - ok
19:07:44.0000 3548 [ 3F5DF65B0758675F95A2D43918A740A3 ] UPS C:\WINDOWS\System32\ups.exe
19:07:44.0000 3548 UPS - ok
19:07:44.0078 3548 [ 45A0D14B26C35497AD93BCE7E15C9941 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
19:07:44.0078 3548 usbaudio - ok
19:07:44.0109 3548 [ BFFD9F120CC63BCBAA3D840F3EEF9F79 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:07:44.0125 3548 usbccgp - ok
19:07:44.0140 3548 [ 15E993BA2F6946B2BFBBFCD30398621E ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:07:44.0140 3548 usbehci - ok
19:07:44.0156 3548 [ C72F40947F92CEA56A8FB532EDF025F1 ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:07:44.0156 3548 usbhub - ok
19:07:44.0218 3548 [ A42369B7CD8886CD7C70F33DA6FCBCF5 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:07:44.0218 3548 usbprint - ok
19:07:44.0250 3548 [ A6BC71402F4F7DD5B77FD7F4A8DDBA85 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:07:44.0250 3548 usbscan - ok
19:07:44.0265 3548 [ 6CD7B22193718F1D17A47A1CD6D37E75 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:07:44.0265 3548 USBSTOR - ok
19:07:44.0328 3548 [ F8FD1400092E23C8F2F31406EF06167B ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:07:44.0328 3548 usbuhci - ok
19:07:44.0390 3548 [ 8968FF3973A883C49E8B564200F565B9 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
19:07:44.0390 3548 usbvideo - ok
19:07:44.0406 3548 [ 8A60EDD72B4EA5AEA8202DAF0E427925 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
19:07:44.0406 3548 VgaSave - ok
19:07:44.0421 3548 ViaIde - ok
19:07:44.0500 3548 [ EE4660083DEBA849FF6C485D944B379B ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
19:07:44.0500 3548 VolSnap - ok
19:07:44.0546 3548 [ 3EE00364AE0FD8D604F46CBAF512838A ] VSS C:\WINDOWS\System32\vssvc.exe
19:07:44.0578 3548 VSS - ok
19:07:44.0859 3548 [ F0F902220910C4FBE42A51964BD33599 ] w29n51 C:\WINDOWS\system32\DRIVERS\w29n51.sys
19:07:45.0078 3548 w29n51 - ok
19:07:45.0140 3548 [ 2B281958F5D0CF99ED626E3EF39D5C8D ] W32Time C:\WINDOWS\system32\w32time.dll
19:07:45.0156 3548 W32Time - ok
19:07:45.0171 3548 [ 984EF0B9788ABF89974CFED4BFBAACBC ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:07:45.0187 3548 Wanarp - ok
19:07:45.0187 3548 WDICA - ok
19:07:45.0250 3548 [ EFD235CA22B57C81118C1AEB4798F1C1 ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
19:07:45.0250 3548 wdmaud - ok
19:07:45.0312 3548 [ 265F534EF76832435AFBF771EC97176D ] WebClient C:\WINDOWS\System32\webclnt.dll
19:07:45.0328 3548 WebClient - ok
19:07:45.0453 3548 [ 2DC7C0B6175A0A8ED84A4F70199C93B5 ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
19:07:45.0500 3548 winachsf - ok
19:07:45.0640 3548 [ F399242A80C4066FD155EFA4CF96658E ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
19:07:45.0656 3548 winmgmt - ok
19:07:45.0734 3548 [ 43ED73F10DE96E0A23244BD9CF04F5C2 ] WLANKEEPER C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
19:07:45.0734 3548 WLANKEEPER - ok
19:07:45.0796 3548 [ 36678803A8030EE9A771935CFC1848BD ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
19:07:45.0796 3548 WmdmPmSN - ok
19:07:45.0890 3548 [ E8E57B0F9EB03D1AABEC28D550C75116 ] Wmi C:\WINDOWS\System32\advapi32.dll
19:07:45.0953 3548 Wmi - ok
19:07:46.0015 3548 [ BA8CECC3E813E1F7C441B20393D4F86C ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
19:07:46.0015 3548 WmiApSrv - ok
19:07:46.0109 3548 [ 4D59DAA66C60858CDF4F67A900F42D4A ] wscsvc C:\WINDOWS\system32\wscsvc.dll
19:07:46.0109 3548 wscsvc - ok
19:07:46.0156 3548 [ D5842484F05E12121C511AA93F6439EC ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
19:07:46.0156 3548 WSTCODEC - ok
19:07:46.0203 3548 [ 13D72740963CBA12D9FF76A7F218BCD8 ] wuauserv C:\WINDOWS\system32\wuauserv.dll
19:07:46.0203 3548 wuauserv - ok
19:07:46.0296 3548 [ 5A91E6FEAB9F901302FA7FF768C0120F ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
19:07:46.0343 3548 WZCSVC - ok
19:07:46.0390 3548 [ EEF46DAB68229A14DA3D8E73C99E2959 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
19:07:46.0390 3548 xmlprov - ok
19:07:46.0421 3548 ================ Scan global ===============================
19:07:46.0546 3548 [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll
19:07:46.0640 3548 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
19:07:46.0718 3548 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
19:07:46.0781 3548 [ 4712531AB7A01B7EE059853CA17D39BD ] C:\WINDOWS\system32\services.exe
19:07:46.0796 3548 [Global] - ok
19:07:46.0796 3548 ================ Scan MBR ==================================
19:07:46.0828 3548 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
19:07:47.0296 3548 \Device\Harddisk0\DR0 - ok
19:07:47.0312 3548 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR3
19:07:55.0453 3548 \Device\Harddisk1\DR3 - ok
19:07:55.0453 3548 ================ Scan VBR ==================================
19:07:55.0468 3548 [ C670B0642E80197B8CB8AB3716B8549C ] \Device\Harddisk0\DR0\Partition1
19:07:55.0468 3548 \Device\Harddisk0\DR0\Partition1 - ok
19:07:55.0468 3548 [ EC6584F4F757CB8CE17A1987F47175F9 ] \Device\Harddisk1\DR3\Partition1
19:07:55.0468 3548 \Device\Harddisk1\DR3\Partition1 - ok
19:07:55.0484 3548 ============================================================
19:07:55.0484 3548 Scan finished
19:07:55.0484 3548 ============================================================
19:07:55.0531 3540 Detected object count: 0
19:07:55.0531 3540 Actual detected object count: 0
19:08:29.0515 2204 Deinitialize success


----------
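The TDSSKiller log above lists every registered service and driver as a pair of lines: one with the image file's MD5 and path, one with the verdict. A responder reading a log like this by hand looks for the same few things every time: verdicts other than "ok", image files living outside the system directories, service names that have no backing file at all, and one image registered under several names. The helper below, which is an added example and not part of the original thread or of TDSSKiller, parses those two line shapes and sorts the entries into those four buckets. The sample log is constructed for this example from a handful of the lines posted above plus one made-up entry (`exampledrv`, with an all-zero hash and a path under a user's Temp folder) so that the "outside system" and "not ok" buckets have something to show; it says nothing about what was actually on the poster's machine. The trusted-prefix list is an assumption for a default Windows XP install.

```python
"""Triage helper for a TDSSKiller service/driver scan log.

Added example, not part of the original thread or of TDSSKiller itself.
Each service appears as an entry line (timestamp, thread id, [ MD5 ],
name, image path) followed by a verdict line ("<name> - ok"). Services
with no locatable image file only get the verdict line.
"""
import re
from collections import defaultdict

# Entry line with hash and path. The name may contain spaces
# ("Net Driver HPZ12"), so it is matched non-greedily up to the path.
ENTRY_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+\[\s*(?P<md5>[0-9A-Fa-f]{32})\s*\]\s+"
    r"(?P<name>.+?)\s+(?P<path>[A-Za-z]:\\\S.*)$"
)
# Verdict line: "<name> - ok" (or "- suspicious", "- detected", ...).
VERDICT_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<name>.+?) - (?P<verdict>.+)$"
)
# Assumed normal image locations on a default Windows XP install.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample: real lines from the thread plus one made-up
# "exampledrv" entry so the review buckets below are not all empty.
SAMPLE_LOG = r"""
19:07:32.0015 3548 [ 7DAB85C33135DF24419951DA4E7D38E5 ] DLAUDF_M C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
19:07:32.0015 3548 DLAUDF_M - ok
19:07:32.0031 3548 dmadmin - ok
19:07:37.0890 3548 [ 51C6D8BFBD4EA5B62A1BA7F4469250D3 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
19:07:37.0890 3548 Net Driver HPZ12 - ok
19:07:38.0109 3548 [ 84885F9B82F4D55C6146EBF6065D75D2 ] Netlogon C:\WINDOWS\system32\lsass.exe
19:07:38.0125 3548 Netlogon - ok
19:07:38.0546 3548 [ 84885F9B82F4D55C6146EBF6065D75D2 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
19:07:38.0546 3548 NtLmSsp - ok
19:07:43.0750 3548 [ BB879DCFD22926EFBEB3298129898CBB ] UnlockerDriver5 C:\Program Files\Unlocker\UnlockerDriver5.sys
19:07:43.0765 3548 UnlockerDriver5 - ok
19:07:44.0000 3548 [ 00000000000000000000000000000000 ] exampledrv C:\Documents and Settings\user\Local Settings\Temp\exampledrv.sys
19:07:44.0000 3548 exampledrv - suspicious
19:07:46.0421 3548 ================ Scan global ===============================
19:07:46.0781 3548 [ 4712531AB7A01B7EE059853CA17D39BD ] C:\WINDOWS\system32\services.exe
"""


def parse_services(text):
    """Return {name: {"md5", "path", "verdict"}} for the service section.

    Parsing stops at the first "================" banner, where the log
    moves on to the global / MBR / VBR sections, whose lines have no name.
    """
    services = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("================"):
            break
        entry = ENTRY_RE.match(line)   # entry first: a path may contain " - "
        if entry:
            services[entry["name"]].update(md5=entry["md5"].upper(), path=entry["path"])
            continue
        verdict = VERDICT_RE.match(line)
        if verdict:
            services[verdict["name"]]["verdict"] = verdict["verdict"].strip()
    return dict(services)


def triage(services):
    """Sort parsed services into the buckets a responder reviews first."""
    report = {"not_ok": [], "outside_system": [], "no_file": [], "shared_image": {}}
    by_path = defaultdict(list)
    for name, info in sorted(services.items()):
        verdict = info.get("verdict")
        path = info.get("path")
        if verdict is not None and verdict != "ok":
            report["not_ok"].append((name, verdict))
        if path is None:                       # verdict line only: no image file found
            report["no_file"].append(name)
            continue
        if not path.lower().startswith(TRUSTED_PREFIXES):
            report["outside_system"].append((name, path))
        by_path[path.lower()].append(name)
    # Several names on one image is normal for lsass.exe, services.exe and
    # shsvcs.dll, but still worth a glance when the image is unfamiliar.
    report["shared_image"] = {p: n for p, n in by_path.items() if len(n) > 1}
    return report


if __name__ == "__main__":
    for bucket, items in triage(parse_services(SAMPLE_LOG)).items():
        print(f"{bucket}: {items}")
```

Run it against a full saved log with `parse_services(open("TDSSKiller.log").read())`; on the log above every verdict is "ok", the only multi-name images are the usual lsass.exe, services.exe, shsvcs.dll, pchsvc.dll and netdde.exe hosts, and the names with no file line (dmadmin, dpti2o, hpn, the ql* and sym* entries and so on) are the stock XP service stubs for hardware that is not present.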



## Cookiegal (Aug 27, 2003)

Please drag ComboFix to the Recycle Bin and grab the latest version, disable security programs, run a new scan, then post the log, please.


----------



## wdauser (Mar 30, 2011)

I've moved all of the old copies of ComboFix to the Recycle Bin, but I still can't seem to get the one we called "puppy" to move anywhere or delete. I even have an unlocker that will delete most programs when I ask, and that's not working. Any ideas?


----------



## Cookiegal (Aug 27, 2003)

Try deleting it in safe mode.

If it still won't delete then just run that one. If it prompts to update to a later version, please allow it.


----------



## wdauser (Mar 30, 2011)

Ah! Had not thought of that. Working on that now.


----------



## wdauser (Mar 30, 2011)

Ran into another issue. Still cannot seem to get ComboFix to install. Three tries and I have gotten the same message. Print Screen did not seem to work for some reason. Text reads:

---------------------------
Error Copying File or Folder
---------------------------
Cannot copy ComboFix[1]: Access is denied.
Make sure the disk is not full or write-protected
and that the file is not currently in use.
---------------------------
OK 
---------------------------

What should we try next?


----------



## Cookiegal (Aug 27, 2003)

Download *OTL* to your Desktop. 

Double-click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. 
Under Custom Scans/Fixes type in *Netsvcs*
Click the Run Scan button. Do not change any other settings unless otherwise instructed. The scan won't take long. 
When the scan completes, it will open two Notepad windows called *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL. 
Please copy and paste the contents of both of these files here in your next reply.


----------



## wdauser (Mar 30, 2011)

Logs are below. Thanks.

OTL logfile created on: 9/28/2012 6:08:33 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 571.44 Mb Available Physical Memory | 56.28% Memory free
2.39 Gb Paging File | 2.06 Gb Available in Paging File | 86.17% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 17.72 Gb Free Space | 31.76% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 959.72 Mb Total Space | 20.97 Mb Free Space | 2.18% Space Free | Partition Type: FAT

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2011/10/28 22:21:20 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
PRC - [2011/01/07 13:12:22 | 000,505,576 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/01/14 16:08:16 | 000,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/09/07 16:03:40 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/05/12 01:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2003/04/09 18:21:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/09 18:11:12 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/09 17:59:24 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/09 17:49:36 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

========== Modules (No Company Name) ==========

MOD - [2004/09/07 16:03:46 | 000,073,728 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL

========== Services (SafeList) ==========

SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Normandy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (98097109)
DRV - [2010/07/04 14:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Running] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/28 22:23:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/05/25 20:36:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\RegCompact: DllName - (RegCompact.dll) - C:\WINDOWS\System32\RegCompact.dll (AMUST Software)
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 09:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/09/28 18:04:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/27 00:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 21:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 19:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/16 20:08:41 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2012/09/15 18:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 18:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 21:00:39 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com
[2012/09/09 21:41:26 | 000,509,440 | ---- | C] (Tech Support Guy System) -- C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe
[2012/09/02 22:14:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Malwarebytes' Anti-Malware
[2012/09/02 22:02:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/09/02 22:02:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/09/02 21:42:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
[2012/09/02 21:40:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2012/08/31 00:50:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent

========== Files - Modified Within 30 Days ==========

[2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/28 18:01:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/28 18:01:00 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/09/28 18:00:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/28 00:37:17 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/09/27 20:37:02 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/09/26 20:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 22:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 19:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 22:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/15 18:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 22:30:03 | 000,002,683 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Readon TV Movie Radio Player.lnk
[2012/09/10 21:00:41 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com
[2012/09/09 21:41:28 | 000,509,440 | ---- | M] (Tech Support Guy System) -- C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe

========== Files Created - No Company Name ==========

[2012/09/23 22:21:39 | 0000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 22:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/02 20:50:50 | 000,098,304 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\miniremoval_coolwebsearch_smartkiller.exe
[2012/04/22 21:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 23:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/19 00:47:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/19 00:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/19 00:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 00:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/19 00:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 20:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 14:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/20 00:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2004/08/04 05:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
< End of report >

OTL Extras logfile created on: 9/28/2012 6:08:33 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 571.44 Mb Available Physical Memory | 56.28% Memory free
2.39 Gb Paging File | 2.06 Gb Available in Paging File | 86.17% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 17.72 Gb Free Space | 31.76% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 959.72 Mb Total Space | 20.97 Mb Free Space | 2.18% Space Free | Partition Type: FAT

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Readon Technology\Readon TV Movie Radio Player 7.2.0.0\internettv.exe" = C:\Program Files\Readon Technology\Readon TV Movie Radio Player 7.2.0.0\internettv.exe:*:Enabled:Readon TV Movie Radio Player -- (Readon Technology)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1584854C-1513-40EA-96D4-493384D0A3C7}" = Readon TV Movie Radio Player 7.2.0.0
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 25
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3B124151-B6A0-492C-8838-0854B800535D}" = Creative MuVo NX-TX
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52503B4E-149A-4731-A6FF-495067EABFDC}" = TI_Inst
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6748E773-5DA0-4D19-8AA5-273B4133A09B}" = SmartSound Quicktracks for Premiere Elements 9.0
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{745877DC-8FFE-4E4C-ABBC-589B887A47D1}" = Virtual Sound Canvas DXi
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9E34B40D-CFF3-11D3-8302-00A024A89C17}" = VeloMaster Lite CW
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B2C61EBB-F47C-48ba-B375-27A40F8F48F7}" = HP Deskjet All-In-One Software 9.0
"{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
"{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}" = mToolkit
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F302F4F0-588D-6501-1ACF-BE3FDCC9135D}" = Adobe Community Help
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"3554AA4B-9B0B-451a-A269-2B5F53982209_is1" = ThreatFire
"Adaptec UDF Reader" = Adaptec UDF Reader
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AMUST Registry Cleaner_is1" = AMUST Registry Cleaner
"ATT-RC" = ATT-RC Self Support Tool
"Browser Hijack Recover_is1" = Browser Hijack Recover(BHR) 3.0
"Cakewalk Home Studio 2002" = Cakewalk Home Studio 2002
"CCleaner" = CCleaner (remove only)
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.9x Modem
"doPDF 7 printer_is1" = doPDF 7.0 printer
"DreamStation DXi" = DreamStation DXi
"ESET Online Scanner" = ESET Online Scanner v3
"HijackThis" = HijackThis 1.99.0
"HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{52503B4E-149A-4731-A6FF-495067EABFDC}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{6748E773-5DA0-4D19-8AA5-273B4133A09B}" = SmartSound Quicktracks for Premiere Elements 9.0
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MuVo Driver" = MuVo Driver
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"P2PFilter" = P2PFilter 3.0.5
"ProInst" = Intel(R) PROSet/Wireless Software
"RealPlayer 12.0" = RealPlayer
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.3
"Spyware Doctor" = Spyware Doctor 6.0
"ST5UNST #1" = Legal Forms and Guide
"SysInfo" = Creative System Information
"Unlocker" = Unlocker 1.9.1
"VLC media player" = VideoLAN VLC media player 0.8.6c
"WIC" = Windows Imaging Component
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"MusicManager" = Music Manager

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 8/31/2012 1:20:39 AM | Computer Name = WILLIEDINISH | Source = ESENT | ID = 455
Description = wuaueng.dll (2472) SUS20ClientDataStore: Error -1032 (0xfffffbf8) 
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 8/31/2012 1:21:08 AM | Computer Name = WILLIEDINISH | Source = ESENT | ID = 489
Description = wuauclt (2472) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file 
operation will fail with error -1032 (0xfffffbf8).

Error - 8/31/2012 1:21:08 AM | Computer Name = WILLIEDINISH | Source = ESENT | ID = 455
Description = wuaueng.dll (2472) SUS20ClientDataStore: Error -1032 (0xfffffbf8) 
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 9/3/2012 10:44:11 PM | Computer Name = WILLIEDINISH | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706F7 from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 9/10/2012 1:29:27 AM | Computer Name = WILLIEDINISH | Source = Application Hang | ID = 1002
Description = Hanging application realplay.exe, version 12.0.1.669, hang module 
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/23/2012 11:51:49 PM | Computer Name = WILLIEDINISH | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/25/2012 2:07:24 AM | Computer Name = WILLIEDINISH | Source = ESENT | ID = 489
Description = wuauclt (3220) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file 
operation will fail with error -1032 (0xfffffbf8).

Error - 9/25/2012 2:07:24 AM | Computer Name = WILLIEDINISH | Source = ESENT | ID = 455
Description = wuaueng.dll (3220) SUS20ClientDataStore: Error -1032 (0xfffffbf8) 
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 9/25/2012 2:07:34 AM | Computer Name = WILLIEDINISH | Source = ESENT | ID = 489
Description = wuauclt (3220) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file 
operation will fail with error -1032 (0xfffffbf8).

Error - 9/25/2012 2:07:34 AM | Computer Name = WILLIEDINISH | Source = ESENT | ID = 455
Description = wuaueng.dll (3220) SUS20ClientDataStore: Error -1032 (0xfffffbf8) 
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

[ System Events ]
Error - 9/27/2012 11:36:33 PM | Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 9/27/2012 11:36:33 PM | Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 9/27/2012 11:36:33 PM | Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss Tcpip

Error - 9/27/2012 11:37:49 PM | Computer Name = WILLIEDINISH | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 9/27/2012 11:37:53 PM | Computer Name = WILLIEDINISH | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 9/27/2012 11:40:07 PM | Computer Name = WILLIEDINISH | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/27/2012 11:45:05 PM | Computer Name = WILLIEDINISH | Source = Application Popup | ID = 876
Description = Driver UdfReadr.SYS has been blocked from loading.

Error - 9/27/2012 11:45:12 PM | Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 9/28/2012 7:01:09 PM | Computer Name = WILLIEDINISH | Source = Application Popup | ID = 876
Description = Driver UdfReadr.SYS has been blocked from loading.

Error - 9/28/2012 7:01:19 PM | Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

< End of report >


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## wdauser (Mar 30, 2011)

Cookiegal, it looks like we have an issue with mbam. I have cleaned what I believe to be all copies of the program off. Even went in under safe mode and removed the folder, etc. Still got the following message. What do we try next?

---------------------------
Error Copying File or Folder
---------------------------
Cannot copy mbam-setup[1]: Access is denied.
Make sure the disk is not full or write-protected
and that the file is not currently in use.
---------------------------
OK 
---------------------------


----------



## Cookiegal (Aug 27, 2003)

That's odd.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:filefind
*mbam*
:folderfind
*mbam*
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## wdauser (Mar 30, 2011)

Log is below. Thanks.

SystemLook 30.07.11 by jpshortstuff
Log created at 19:37 on 30/09/2012 by willie_dinish
Administrator - Elevation successful
========== filefind ==========
Searching for "*mbam*"
C:\mbam-error.txt ------- 109 bytes [15:39 29/12/2010] [15:39 29/12/2010] 0FD620E1BDFB3386C68E6ACFE227ADB9
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe --a---- 9502424 bytes [00:52 01/04/2012] [00:52 01/04/2012] 9032F0C0051A94D579DA061292968E32
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-04-06 (00-01-10).txt ------- 1332 bytes [05:01 06/04/2010] [05:01 06/04/2010] 76180AC182186CC420738577596165D9
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-04-10 (01-12-22).txt ------- 866 bytes [06:12 10/04/2010] [06:12 10/04/2010] 24B39A9BAAEAD2427E7722C5B5C71970
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-04-18 (22-15-48).txt ------- 1015 bytes [03:15 19/04/2010] [03:15 19/04/2010] 21CE29FB32957036F9A2EB917BA07E81
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-10-03 (19-39-46).txt ------- 1014 bytes [00:39 04/10/2010] [00:39 04/10/2010] 97C03770B136BB133B31A1E734D10647
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-11-27 (17-08-59).txt ------- 872 bytes [23:08 27/11/2010] [23:08 27/11/2010] DA0E994C84C37A42A7AEE0B1F19AADC2
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-12-01 (00-58-02).txt ------- 872 bytes [06:58 01/12/2010] [06:58 01/12/2010] 1367EF714C1C8AAE4F51881731BD4132
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-12-10 (23-31-10).txt ------- 878 bytes [05:31 11/12/2010] [05:31 11/12/2010] 2B3DC9B62452D7DE8C7DB1C3C7599852
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-12-29 (10-34-37).txt ------- 1320 bytes [16:34 29/12/2010] [16:34 29/12/2010] C56080E07B6EF15817F78BDE3DF4FC43
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-01-04 (19-51-21).txt --a---- 890 bytes [01:51 05/01/2011] [01:51 05/01/2011] 2EE2BF514E6AD9A566C594AEA8ACD034
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-05-11 (21-06-09).txt --a---- 905 bytes [02:06 12/05/2011] [02:06 12/05/2011] 085B22A7836188EEC275B0A0BCE8C0F1
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-03-31 (19-55-45).txt --a---- 1900 bytes [01:05 01/04/2012] [01:05 01/04/2012] 2D6B5CC5C781B8DA3141C2011FFEF5A7
C:\WINDOWS\Prefetch\MBAM-SETUP-1.62.0.1300.EXE-1EF73DCF.pf --a---- 23256 bytes [03:01 03/09/2012] [03:13 03/09/2012] 58CDC728E4272705F125F2D4B41192F4
C:\WINDOWS\Prefetch\MBAM-SETUP-1.62.0.1300.TMP-0C35323D.pf --a---- 30516 bytes [03:01 03/09/2012] [03:01 03/09/2012] 0172FAB421D408510F25F7308BDFA977
C:\WINDOWS\Prefetch\MBAM-SETUP-1.62.0.1300.TMP-124A32F1.pf --a---- 30386 bytes [03:13 03/09/2012] [03:13 03/09/2012] B945C2F35724B41A4C675C1D070E3E1A
C:\WINDOWS\Prefetch\MBAM-SETUP.EXE-2FF3CB54.pf --a---- 23184 bytes [04:03 27/08/2012] [04:07 27/08/2012] 6B594494AB77392C67ECFB95B807275B
C:\WINDOWS\Prefetch\MBAM-SETUP.TMP-03C023C3.pf --a---- 21260 bytes [04:03 27/08/2012] [04:03 27/08/2012] D2F8C001BBCA6A2BCE008A7DB9740D59
C:\WINDOWS\Prefetch\MBAM-SETUP.TMP-1DA24E39.pf --a---- 31482 bytes [04:07 27/08/2012] [04:07 27/08/2012] 9E41F7520A001DA7F46F6A349D6919C6
C:\WINDOWS\Prefetch\MBAM.EXE-0D37CDF0.pf --a---- 2172 bytes [04:09 27/08/2012] [04:09 27/08/2012] 2AC976F19496A89E0B3C2F75485E200F
C:\WINDOWS\Prefetch\MBAM.EXE-181A1F9F.pf --a---- 38408 bytes [03:15 03/09/2012] [03:19 03/09/2012] 6E5F4A0D7A324BBB54AC81997F9963FF
C:\WINDOWS\Prefetch\MBAMGUI.EXE-17BFFE8F.pf --a---- 14564 bytes [04:07 27/08/2012] [04:07 27/08/2012] 1986830631F24CACBC60736676B850C3
========== folderfind ==========
Searching for "*mbam*"
No folders found.
-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

I would like you to export a registry key for me please.

Go to *Start* - *Run* and copy and paste the following then click OK:

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy"*

You won't see anything happen and it will only take a second. You will find the report it creates at C:\look.txt. Please open it in Notepad and then copy and paste the report here.


----------



## wdauser (Mar 30, 2011)

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]


----------



## Cookiegal (Aug 27, 2003)

Are you sure that's all it contains? There should be much more than that.


----------



## wdauser (Mar 30, 2011)

Ran twice now. Have a print of the text file, but no way to attach it seems. What next?

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]


----------



## wdauser (Mar 30, 2011)

Should I try to install mbam in safe mode w/networking? Or do we need to go in another direction on this issue of the file we're looking for?


----------



## Cookiegal (Aug 27, 2003)

Let's try fixing the dimsntfy registry key first. 

I'm attaching a Fixdimsntfy.zip file. Save it to your desktop. Unzip it (extract the file) and double-click the Fixdimsntfy.reg file and allow it to merge into the registry.

Then reboot the machine and let me know if any problems remain.


----------



## wdauser (Mar 30, 2011)

Fix installed and new log generated. What's next?

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
"Asynchronous"=dword:00000001
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,69,00,6d,00,73,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

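As an added example (not code from anyone in this thread), here is a Python parser for the `regedit /e` export format shown above: it folds the continuation lines, decodes the `hex(2)` DllName as UTF-16LE, and reports what is missing or unexpected in a Winlogon\Notify package. The two samples are the empty export and the fixed export posted above, embedded as constructed strings; the expected DllName `%SystemRoot%\System32\dimsntfy.dll` and the `WlDims*` handler prefix are taken from the posted fix, and the list of optional settings is an assumption from the documented Notify package values.

```python
"""Parse a `regedit /e` export of a Winlogon\\Notify package and check it.
Added example, not the forum's code: the samples are the empty and the fixed
dimsntfy exports posted in the thread, embedded here as constructed strings."""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
EXPECTED_DLL = r"%SystemRoot%\System32\dimsntfy.dll"      # from the posted fix
NOTIFY_EVENTS = ("Startup", "Shutdown", "Logon", "Logoff", "StartShell", "Lock", "Unlock")
KNOWN_OPTIONAL = {"Asynchronous", "Impersonate", "MaxWait", "Enabled", "SafeMode"}  # assumed

# Constructed copy of the first (empty) export posted in the thread.
EMPTY_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
'''
# Constructed copy of the export taken after the Fixdimsntfy.reg merge.
FIXED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
"Asynchronous"=dword:00000001
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
  00,69,00,6d,00,73,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
_UTF16_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}


def _logical_lines(text: str) -> list[str]:
    """Fold regedit's trailing-backslash continuation lines back together."""
    out, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]          # hex data continues on the next line
            continue
        out.append(buf)
        buf = ""
    return out + ([buf] if buf else [])


def _decode_value(rhs: str) -> tuple[str, object]:
    """Decode the right-hand side of a .reg value line into (type, value)."""
    if rhs.startswith("dword:"):
        return "REG_DWORD", int(rhs[6:], 16)
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", rhs[1:-1])
    m = _HEX_RE.match(rhs)
    if not m:
        raise ValueError(f"unsupported value syntax: {rhs!r}")
    kind = int(m.group(1) or "3")
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in _UTF16_TYPES:        # string types are stored as NUL-terminated UTF-16LE
        return _UTF16_TYPES[kind], data.decode("utf-16-le").rstrip("\x00")
    return f"REG_BINARY({kind})", data


def parse_reg_export(text: str) -> tuple[str, dict[str, tuple[str, object]]]:
    """Return (key path, {value name: (type, value)}) for a single-key export."""
    key, values = "", {}
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        values[m.group(1)] = _decode_value(m.group(2))
    return key, values


def check_notify_package(text: str, expected_dll: str = EXPECTED_DLL) -> list[str]:
    """Return findings for a Winlogon\\Notify export; [] means it matches the posted fix."""
    key, values = parse_reg_export(text)
    findings = []
    if not key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
        findings.append(f"not a Winlogon\\Notify package key: {key!r}")
    if "DllName" not in values:
        findings.append("DllName missing: the package is empty or has been stripped")
    else:
        dll_type, dll_path = values["DllName"]
        if dll_type not in ("REG_SZ", "REG_EXPAND_SZ"):
            findings.append(f"DllName has unexpected type {dll_type}")
        elif str(dll_path).lower() != expected_dll.lower():
            findings.append(f"DllName points at {dll_path!r}, expected {expected_dll!r}")
    for event in NOTIFY_EVENTS:
        if event not in values:
            findings.append(f"event handler {event} missing")
        elif not str(values[event][1]).startswith("WlDims"):   # prefix from the posted fix
            findings.append(f"event handler {event} = {values[event][1]!r} is not a WlDims* export")
    for name in values:
        if name != "DllName" and name not in NOTIFY_EVENTS and name not in KNOWN_OPTIONAL:
            findings.append(f"unexpected value {name!r} in package")
    return findings
```

Run `check_notify_package` on the two samples: the empty export yields eight findings (the missing DllName and the seven missing handlers), the fixed export yields none.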

----------



## wdauser (Mar 30, 2011)

Hang on...Just tried to download mbam and got the same message....

---------------------------
Error Copying File or Folder
---------------------------
Cannot copy mbam-setup[1]: Access is denied.
Make sure the disk is not full or write-protected
and that the file is not currently in use.
---------------------------
OK 
---------------------------

Also had something weird happen with WinRAR. I reinstalled it in safe mode and now I'm getting this message....

---------------------------
C:\Program Files\WinRAR\WinRAR.exe
---------------------------
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
---------------------------
OK 
---------------------------

Am I in a bad situation here? What can we do? Did I move too fast? I appreciate all of your help.


----------



## Cookiegal (Aug 27, 2003)

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool (Vista/Windows 7 users - right click to run as administrator) and allow it to download the Avast database.

Click *Scan*.

Upon completion of the scan, click *Save log* then save it to your desktop and post that log in your next reply for review. 
*Note - do NOT attempt any Fix yet.*


----------



## wdauser (Mar 30, 2011)

Initially ran into the same error message that we have been seeing when I requested to 'save' the program to the desktop. On my 2nd try I chose 'run' and the program actually ran! Was able to create this log, but the program would not save to desktop. Interesting?

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-03 22:28:42
-----------------------------
22:28:42.906 OS Version: Windows 5.1.2600 Service Pack 2
22:28:42.906 Number of processors: 1 586 0xD08
22:28:42.906 ComputerName: WILLIEDINISH UserName: 
22:28:43.609 Initialize success
22:32:49.000 AVAST engine defs: 12100302
22:33:04.921 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:33:04.921 Disk 0 Vendor: WDC_WD600VE-75HDT1 11.07D11 Size: 57231MB BusType: 3
22:33:04.953 Disk 0 MBR read successfully
22:33:04.953 Disk 0 MBR scan
22:33:05.015 Disk 0 Windows XP default MBR code
22:33:05.015 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
22:33:05.046 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 57137 MB offset 176715
22:33:05.062 Disk 0 scanning sectors +117194175
22:33:05.156 Disk 0 scanning C:\WINDOWS\system32\drivers
22:33:19.296 Service scanning
22:34:00.046 Modules scanning
22:34:14.781 Disk 0 trace - called modules:
22:34:14.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
22:34:15.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f85030]
22:34:15.187 3 CLASSPNP.SYS[f754805b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86fc7d98]
22:34:15.984 AVAST engine scan C:\WINDOWS
22:34:26.203 AVAST engine scan C:\WINDOWS\system32
22:37:55.015 AVAST engine scan C:\WINDOWS\system32\drivers
22:38:11.843 AVAST engine scan C:\Documents and Settings\willie_dinish
22:58:04.171 AVAST engine scan C:\Documents and Settings\All Users
22:59:37.843 Scan finished successfully
23:28:46.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\willie_dinish\Desktop\MBR.dat"
23:28:46.312 The log file has been saved successfully to "C:\Documents and Settings\willie_dinish\Desktop\aswMBR.txt"


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## wdauser (Mar 30, 2011)

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 9/29/2012
Time: 5:55:03 PM
User: N/A
Computer: WILLIEDINISH
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 9/29/2012
Time: 5:55:03 PM
User: N/A
Computer: WILLIEDINISH
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 9/29/2012
Time: 5:55:03 PM
User: N/A
Computer: WILLIEDINISH
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 9/29/2012
Time: 5:55:03 PM
User: N/A
Computer: WILLIEDINISH
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 9/29/2012
Time: 5:54:57 PM
User: N/A
Computer: WILLIEDINISH
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 9/29/2012
Time: 12:36:05 PM
User: N/A
Computer: WILLIEDINISH
Description:
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18928, fault address 0x001f1098.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 69 65 78 ure iex
0018: 70 6c 6f 72 65 2e 65 78 plore.ex
0020: 65 20 38 2e 30 2e 36 30 e 8.0.60
0028: 30 31 2e 31 38 37 30 32 01.18702
0030: 20 69 6e 20 6d 73 68 74 in msht
0038: 6d 6c 2e 64 6c 6c 20 38 ml.dll 8
0040: 2e 30 2e 36 30 30 31 2e .0.6001.
0048: 31 38 39 32 38 20 61 74 18928 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 31 66 31 30 39 38 001f1098
0060: 0d 0a ..

Event Type: Error
Event Source: ESENT
Event Category: Logging/Recovery 
Event ID: 455
Date: 9/25/2012
Time: 1:07:34 AM
User: N/A
Computer: WILLIEDINISH
Description:
wuaueng.dll (3220) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: ESENT
Event Category: General 
Event ID: 489
Date: 9/25/2012
Time: 1:07:34 AM
User: N/A
Computer: WILLIEDINISH
Description:
wuauclt (3220) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: ESENT
Event Category: Logging/Recovery 
Event ID: 455
Date: 9/25/2012
Time: 1:07:24 AM
User: N/A
Computer: WILLIEDINISH
Description:
wuaueng.dll (3220) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: ESENT
Event Category: General 
Event ID: 489
Date: 9/25/2012
Time: 1:07:24 AM
User: N/A
Computer: WILLIEDINISH
Description:
wuauclt (3220) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/4/2012
Time: 7:22:31 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/4/2012
Time: 7:21:40 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/3/2012
Time: 10:16:48 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/3/2012
Time: 10:15:59 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/3/2012
Time: 10:04:55 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/3/2012
Time: 10:04:13 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Windows Update Agent
Event Category: Software Sync 
Event ID: 16
Date: 10/3/2012
Time: 12:12:28 AM
User: N/A
Computer: WILLIEDINISH
Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 69 6e 33 32 48 52 65 Win32HRe
0008: 73 75 6c 74 3d 30 78 30 sult=0x0
0010: 30 30 30 30 30 30 30 20 0000000 
0018: 55 70 64 61 74 65 49 44 UpdateID
0020: 3d 7b 30 30 30 30 30 30 ={000000
0028: 30 30 2d 30 30 30 30 2d 00-0000-
0030: 30 30 30 30 2d 30 30 30 0000-000
0038: 30 2d 30 30 30 30 30 30 0-000000
0040: 30 30 30 30 30 30 7d 20 000000} 
0048: 52 65 76 69 73 69 6f 6e Revision
0050: 4e 75 6d 62 65 72 3d 30 Number=0
0058: 20 00 .

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/2/2012
Time: 9:16:23 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/2/2012
Time: 9:15:33 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/2/2012
Time: 9:12:49 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/2/2012
Time: 9:10:36 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/2/2012
Time: 9:09:12 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/2/2012
Time: 9:08:29 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/2/2012
Time: 9:08:24 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/2/2012
Time: 9:06:50 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 10/2/2012
Time: 9:06:09 PM
User: N/A
Computer: WILLIEDINISH
Description:
The following boot-start or system-start driver(s) failed to load: 
Fips
intelppm
OMCI
TfFsMon
TfSysMon
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/2/2012
Time: 9:05:47 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/2/2012
Time: 9:05:14 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/2/2012
Time: 9:04:19 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/2/2012
Time: 7:09:43 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/2/2012
Time: 7:08:52 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/1/2012
Time: 8:02:52 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 8:02:07 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/1/2012
Time: 5:15:54 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 5:15:09 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/1/2012
Time: 2:08:13 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 2:07:33 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 2:05:48 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 1:57:12 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 1:56:56 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 1:54:57 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 1:54:18 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 1:54:11 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 1:53:09 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 10/1/2012
Time: 1:52:18 PM
User: N/A
Computer: WILLIEDINISH
Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
OMCI
RasAcd
Rdbss
Tcpip
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/1/2012
Time: 1:52:18 PM
User: N/A
Computer: WILLIEDINISH
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/1/2012
Time: 1:52:18 PM
User: N/A
Computer: WILLIEDINISH
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/1/2012
Time: 1:52:18 PM
User: N/A
Computer: WILLIEDINISH
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/1/2012
Time: 1:52:18 PM
User: N/A
Computer: WILLIEDINISH
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 1:52:01 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 1:50:28 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/1/2012
Time: 9:56:05 AM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 9:55:25 AM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 9:48:21 AM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 9:44:20 AM
User: WILLIEDINISH\Administrator
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 9:44:01 AM
User: WILLIEDINISH\Administrator
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/1/2012
Time: 9:43:52 AM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 10/1/2012
Time: 9:43:45 AM
User: N/A
Computer: WILLIEDINISH
Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
OMCI
RasAcd
Rdbss
Tcpip
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/1/2012
Time: 9:43:45 AM
User: N/A
Computer: WILLIEDINISH
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/1/2012
Time: 9:43:45 AM
User: N/A
Computer: WILLIEDINISH
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/1/2012
Time: 9:43:45 AM
User: N/A
Computer: WILLIEDINISH
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/1/2012
Time: 9:43:45 AM
User: N/A
Computer: WILLIEDINISH
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: 
A device attached to the system is not functioning. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 9:41:56 AM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/1/2012
Time: 9:35:34 AM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 9:34:55 AM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/1/2012
Time: 9:20:41 AM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 9:20:01 AM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/1/2012
Time: 1:18:20 AM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 10/1/2012
Time: 1:17:36 AM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]


----------



## Cookiegal (Aug 27, 2003)

Please run OTS again and post the new log.


----------



## wdauser (Mar 30, 2011)

I got this dreaded error message again when attempting to install OTS. Went and installed it in safe mode. Back in normal mode, the OTS program will not respond. How should we proceed? Should I uninstall OTS again? 

Still have OTL installed. Is that a usable alternative for the log we need? 

Any assistance is appreciated. Thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

Yes, see if you can get OTL to run please.


----------



## wdauser (Mar 30, 2011)

OTL logfile created on: 10/7/2012 12:01:36 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 524.10 Mb Available Physical Memory | 51.62% Memory free
2.39 Gb Paging File | 2.00 Gb Available in Paging File | 83.80% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 18.00 Gb Free Space | 32.26% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 7.45 Gb Total Space | 0.00 Gb Free Space | 0.01% Space Free | Partition Type: FAT32

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2011/10/28 22:21:20 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
PRC - [2011/01/07 13:12:22 | 000,505,576 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/01/14 16:08:16 | 000,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/09/07 16:03:40 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/05/12 01:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2003/04/09 18:21:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/09 18:11:12 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/09 17:59:24 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/09 17:49:36 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

========== Modules (No Company Name) ==========

MOD - [2006/08/18 13:17:36 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL
MOD - [2004/09/07 16:03:46 | 000,073,728 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL

========== Services (SafeList) ==========

SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Normandy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (98097109)
DRV - [2010/07/04 14:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Running] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/28 22:23:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/05/25 20:36:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..Trusted Domains: aol.com free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\RegCompact: DllName - (RegCompact.dll) - C:\WINDOWS\System32\RegCompact.dll (AMUST Software)
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 09:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/22 14:08:16 | 000,000,110 | -H-- | M] () - E:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/10/02 21:08:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy
[2012/10/01 14:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/10/01 14:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/10/01 14:28:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\WinRAR
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2012/10/01 09:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/09/30 00:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Thinstall
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Application Data\Thinstall
[2012/09/28 18:04:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/27 00:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 21:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 19:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/16 20:08:41 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2012/09/15 18:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 18:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 21:00:39 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com
[2012/09/09 21:41:26 | 000,509,440 | ---- | C] (Tech Support Guy System) -- C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe

========== Files - Modified Within 30 Days ==========

[2012/10/07 11:52:11 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/07 11:51:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/07 11:51:25 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/07 11:51:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/07 01:37:01 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/10/07 01:28:21 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
[2012/10/07 01:24:37 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job
[2012/10/06 20:37:03 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/10/05 22:23:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/05 21:39:37 | 000,646,656 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\OTS.exe
[2012/10/03 23:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:35 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:36 | 000,003,213 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:36:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 14:34:38 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/10/01 14:34:38 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/10/01 14:28:18 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 13:55:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:30 | 001,517,376 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:43 | 000,662,710 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Netflix DVD Queue.pdf
[2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/26 20:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 22:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 19:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 22:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/15 18:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 22:30:03 | 000,002,683 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Readon TV Movie Radio Player.lnk
[2012/09/10 21:00:41 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com
[2012/09/09 21:41:28 | 000,509,440 | ---- | M] (Tech Support Guy System) -- C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe

========== Files Created - No Company Name ==========

[2012/10/07 01:24:32 | 000,000,444 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/07 01:24:17 | 000,000,438 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
[2012/10/07 01:24:14 | 000,000,434 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job
[2012/10/05 21:39:35 | 000,646,656 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\OTS.exe
[2012/10/03 23:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:33 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:33 | 000,003,213 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:28:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 14:28:16 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 13:55:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:15 | 001,517,376 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:32 | 000,662,710 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Netflix DVD Queue.pdf
[2012/09/23 22:21:39 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 22:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/04/22 21:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 23:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/19 00:47:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/19 00:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/19 00:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 00:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/19 00:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 20:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 14:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/20 00:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2004/08/04 05:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
< End of report >
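
The "Files Created - No Company Name" entries in this log are the ones the helper picks up on next. As an added example (not part of the thread, and not OTL's own code), here is a small Python parser for OTL's `[timestamp | size | attrs | C/M] (company) -- path` file lines that flags what a triage analyst would want to open first: hidden+system files sitting inside a user profile, and extensionless files with no company name outside the OS directories. The flagging rules and the XP directory layout are assumptions of this example; the sample lines are copied from the log above.

```python
"""Parse the file sections of an OTL log and flag entries worth a closer look.
Added example for this thread, not OTL's own code; the rules are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One OTL file-section line looks like:
# [2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\...\8kUL5H5g
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Windows XP layout seen in the log above (assumed for this example).
USER_PROFILE_ROOT = "c:\\documents and settings\\"
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class OtlFileEntry:
    timestamp: str
    size: int
    attrs: str      # OTL's four-column attribute field: R, H, S, D or '-'
    kind: str       # C = created, M = modified
    company: str    # empty when OTL prints "()"
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl_file_line(line: str) -> Optional[OtlFileEntry]:
    """Return an entry for a file-section line, or None for any other line."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    return OtlFileEntry(
        timestamp=m["ts"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"].strip(),
        path=m["path"],
    )


def suspicious_reasons(entry: OtlFileEntry) -> List[str]:
    """Heuristic triage rules (assumptions of this example, not OTL's)."""
    reasons: List[str] = []
    if "D" in entry.attrs:          # directories are judged by their contents
        return reasons
    lower = entry.path.lower()
    in_profile = lower.startswith(USER_PROFILE_ROOT)
    in_system = lower.startswith(SYSTEM_DIRS)
    no_ext = "." not in entry.basename
    # Hidden+system on a plain file under a user profile is unusual; Explorer
    # hides such files until "Hide protected operating system files" is off.
    if in_profile and "H" in entry.attrs and "S" in entry.attrs:
        reasons.append("hidden+system file inside a user profile")
    # Installers leave versioned, extensioned files; an unsigned,
    # extensionless file outside the OS directories is worth opening.
    if not entry.company and no_ext and not in_system:
        reasons.append("no company name and no file extension")
    return reasons


def scan_otl_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; unflagged lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_otl_file_line(line)
        if entry is not None:
            reasons = suspicious_reasons(entry)
            if reasons:
                flagged[entry.path] = reasons
    return flagged


# Sample lines copied from the OTL log in this thread (raw string, so the
# backslashes in the paths are not treated as escapes).
SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========

[2012/10/07 01:24:32 | 000,000,444 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2011/05/19 00:47:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
"""
```

Running `scan_otl_log(SAMPLE_LOG)` flags only the `No` file and the two `8kUL5H5g` files; the scheduled-task, `PEV.exe` and HP `.tif` lines pass.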


----------



## Cookiegal (Aug 27, 2003)

I would like you to run SystemLook again (please refer back to post no. 48 for instructions) but using the following script. Then post the log please.


```
:dir
C:\Documents and Settings\willie_dinish\No
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
C:\Documents and Settings\All Users\Application Data\8kUL5H5g
```


----------



## wdauser (Mar 30, 2011)

New SystemLook log


SystemLook 30.07.11 by jpshortstuff
Log created at 15:01 on 07/10/2012 by willie_dinish
Administrator - Elevation successful
========== dir ==========
C:\Documents and Settings\willie_dinish\No - Unable to find folder.
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g - Unable to find folder.
C:\Documents and Settings\All Users\Application Data\8kUL5H5g - Unable to find folder.
-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

That's odd because they are showing in the OTL log. Can you see them yourself if you navigate to those folders? You will have to unhide files/folders in order to see the Local Settings and Application Data folders.

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and then click "Apply to all folders". Click "Apply" then "OK".


----------



## wdauser (Mar 30, 2011)

Yes, the files appear to be located in the right place:
C:\Documents and Settings\willie_dinish\No
C:\Documents and Settings\willie_dinish\Local Settings\Application Data

I also found the following:
C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes 
Folder data is from earlier this year.

What do we do next?


----------



## Cookiegal (Aug 27, 2003)

Please open each of these folders and let me know the names of the files they contain:

C:\Documents and Settings\willie_dinish\*No*

C:\Documents and Settings\willie_dinish\Local Settings\Application Data\*8kUL5H5g*

C:\Documents and Settings\All Users\Application Data\*8kUL5H5g*


----------



## wdauser (Mar 30, 2011)

Cookiegal,

Each of the folders appears to only hold limited data (0 bytes or only the 1 file). I have succeeded with print screen this time and saved the prints to a cloud folder. Please find the links enclosed with the file information.

I hope this works. https://docs.google.com/open?id=0BzXDE9gn6t8mUGdaeDdYTnpKTkk

https://docs.google.com/open?id=0BzXDE9gn6t8mYzNpd3VfS0tKRWM

https://docs.google.com/open?id=0BzXDE9gn6t8maGl3TmhQMEJEVnc

https://docs.google.com/open?id=0BzXDE9gn6t8mUFZabjF0TTU2QzQ

http://mhtml:file://C:\Documents an...op\Folder Data.mht!FolderData_files/frame.htm

https://docs.google.com/open?id=0BzXDE9gn6t8meXZWQlRIRVZZUTg


----------



## Cookiegal (Aug 27, 2003)

Sorry, I didn't realize they were files and not folders. Please run SystemLook again with this script.


```
:filefind
C:\Documents and Settings\willie_dinish\No
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
C:\Documents and Settings\All Users\Application Data\8kUL5H5g
```


----------



## wdauser (Mar 30, 2011)

SystemLook 30.07.11 by jpshortstuff
Log created at 21:46 on 08/10/2012 by willie_dinish
Administrator - Elevation successful
========== filefind ==========
Searching for "C:\Documents and Settings\willie_dinish\No"
No files found.
Searching for "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g"
No files found.
Searching for "C:\Documents and Settings\All Users\Application Data\8kUL5H5g"
No files found.
-= EOF =-


----------



## wdauser (Mar 30, 2011)

Cookiegal,

This evening while browsing, I saw it! I almost freaked out but I just stayed calm. I hope that this is not a return infection, but here's what happened....

My computer appeared to shut down. Then a screen came up and notified me that suspect material had been found on my machine (!) and that in order to get back to my main screen I had to rush to the store, get a $200.00 moneypack card, and enter that code into this screen within 48 hours in order to get my computer back. It had an FBI logo, my IP Address, and everything. I could have run screaming, but I know this is malware. I was absolutely sure of it. I shut down the machine. Reboot, machine is on for 2 minutes and I get the same process! Damn, this is something really ugly!

I rebooted the machine again in safe mode and ran tdsskiller to see if it could catch anything, but nothing came up. I let the machine run for about 15 minutes in safe mode. No nasty "pay me now" screen. Also, on my reboot (just after the horror show) I noticed that ThreatFire never launched.

I've shut the machine down and I am leaving this message using my 2nd computer, which is ancient.

So, is there something out there that kills this horrible creature? And I'm wondering if it's got to be done in safe mode, or something I can download on my 2nd machine, put on a flash drive and use like an inoculation?

Any help is appreciated. And if I messed something up, my apologies. You can imagine my shock! It's been getting better and now this. 

Thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

Please boot to safe mode with networking by tapping the F8 key before Windows loads and selecting "safe mode with networking" from the boot options.

Then download and save the *Emsisoft Emergency Kit* to your desktop from the link below:

http://download1.emsisoft.com/EmsisoftEmergencyKit.zip

Please note that this is a large download, so please be patient while it downloads.

Right-click on the *EmsisoftEmergencyKit.zip* file and select *Extract All*, which will start the Windows compressed file extraction wizard. Follow the steps to extract the file and the Emergency Kit will be extracted to a folder called EmsisoftEmergencyKit on your desktop. Please double-click on the *EmsisoftEmergencyKit* folder to open it.

Then, double-click on the *Start.exe* button to launch the program.

Please click on the Emergency Kit *Scanner* option. When you do that, if you see a Windows message asking if you would like EmergencyScanner.bat to run, please allow it by clicking on the *Run* or *Yes* buttons. You will now be shown an update screen prompting you to check for an update. Please click on *Yes* and allow the program to download any updates. Then click on the *Back to Security Status* link which will take you to the main screen.

Click on the *Scan PC* option in the navigation menu on the left hand side.

Select the *Deep Scan* option if it's not already selected and then click on the *Scan* button.

When the scan is completed, you may see an alert box saying that you have a high-risk infection. If you see this alert, please click on the Close button which should take you to the scan results screen.

Please post the log in your next reply for analysis. Do NOT quarantine anything until instructed to do so, please.


----------



## wdauser (Mar 30, 2011)

Emsisoft Emergency Kit - Version 2.0
Last update: 10/9/2012 8:09:00 PM
Scan settings:
Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\
Scan archives: On
ADS Scan: On
Scan start: 10/9/2012 8:10:15 PM
c:\documents and settings\willie_dinish\start menu\programs\startup\ctfmon.lnk detected: Trace.File.screenlocker!E1
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0001.dta detected: Win32.SuspectCrc!E2
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0005.dta detected: Trojan.Crypt!E2
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0002.dta detected: Trojan.Crypt!E2
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0003.dta detected: Win32.SuspectCrc!E2
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0010.dta detected: Trojan.Win32.Alureon!E2
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0011.dta detected: Trojan.Crypt.BUA!E2
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0004.dta detected: Trojan.Win64.Olmarik!E1
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0014.dta detected: Win32.SuspectCrc!E2
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0009.dta detected: MBR.Alureon!E2
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0006.dta detected: Trojan.Win64.Alureon.AMN!E1
C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\mbr0000\tsk0001.dta detected: Rootkit.Boot.Cidox!E2
C:\System Volume Information\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\RP837\A1050615.exe detected: Trojan.Win32.Agent!E1
C:\Program Files\WinRAR\Default.SFX detected: Trojan.Win32.3Proxy!E1
C:\Documents and Settings\willie_dinish\Desktop\CF_UNINST.EXE detected: Trojan-Spy.Win32.Banker!E2
C:\Documents and Settings\willie_dinish\Desktop\OTS.exe detected: Trojan.Win32.Swisyn.cneu.AMN!E1
Scanned 559492
Found 16
Scan end: 10/9/2012 11:16:10 PM
Scan time: 3:05:55


----------



## wdauser (Mar 30, 2011)

I'm also seeing a program that I'm pretty sure I did NOT download. Please find the information from the properties page listed below:

Program: 139d2e78

Type of File: Application
Description: COMODO Internet Security

Location: C:\Documents and Settings\willie_dinish\My Documents
Size: 394 KB (403,968 bytes)
Size on Disk: 394 KB (403,968 bytes)

Created: Yesterday, October 09, 2012, 12:16:59 AM
Modified: Yesterday, October 09, 2012, 12:16:59 AM
Accessed: Today, October 10, 2012, 12:16:55 AM

File Version: 5.10.31649.2253


I don't recall us having any discussion about such a program. I noted the icon when I started to install Emsisoft. I thought it was strange. I also noted that this was created just before I had the ugly incident happen with the malware. Any ideas on this? It seems suspect to me. I have not actually opened the file or accessed it in any way other than the properties tab, since it seems to be out of place.

BTW: I'm leaving the computer turned on until I note a next reply. I want to try to act on this as quickly as possible.


----------



## Cookiegal (Aug 27, 2003)

Run Emsisoft again and only select this one (the rest are already quarantined and false positives):

*c:\documents and settings\willie_dinish\start menu\programs\startup\ctfmon.lnk*

Click on the *Quarantine Selected Objects* button which will remove the infection and place it in quarantine.

Comodo Internet Security is a valid product but the file looks suspicious. Please provide the location of the file.

Delete this file manually:

C:\Documents and Settings\willie_dinish\My Documents\*139d2e78.exe*

Please run OTL again and post the new log.
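The sorting in the reply above (already in TDSSKiller's quarantine, helper-tool false positive, or still to be acted on) can be written down as a small triage script. This is an added example, not code from the thread or from any of the tools used in it: the Emsisoft-format lines are constructed from the scan log posted above, the false-positive list is taken from Cookiegal's verdict, and the red-flag heuristics (core binary name outside C:\WINDOWS, random 8-hex-character filename, shortcut in the Startup folder) are assumptions of my own for a defender reviewing such logs.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: detection lines in the Emsisoft Emergency Kit format posted in the thread.
SCAN_LINES = [
    r"c:\documents and settings\willie_dinish\start menu\programs\startup\ctfmon.lnk detected: Trace.File.screenlocker!E1",
    r"C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\tdlfs0000\tsk0010.dta detected: Trojan.Win32.Alureon!E2",
    r"C:\System Volume Information\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\RP837\A1050615.exe detected: Trojan.Win32.Agent!E1",
    r"C:\Program Files\WinRAR\Default.SFX detected: Trojan.Win32.3Proxy!E1",
    r"C:\Documents and Settings\willie_dinish\Desktop\OTS.exe detected: Trojan.Win32.Swisyn.cneu.AMN!E1",
    "Scanned 559492",  # trailer line, not a detection
]

QUARANTINE_ROOT = "c:\\tdsskiller_quarantine"          # TDSSKiller's own quarantine folder
RESTORE_MARKER = "\\system volume information\\_restore"  # System Restore snapshot copies
# Helper-tool files the thread's helper judged to be false positives (taken from the reply above).
HELPER_TOOL_NAMES = {"ots.exe", "cf_uninst.exe", "default.sfx"}
# Assumption: core Windows XP binaries that should only live under C:\WINDOWS.
CORE_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                 "winlogon.exe", "services.exe", "ctfmon.exe", "explorer.exe"}
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.(exe|dll|pad)$")
DETECTION = re.compile(r"^(?P<path>.+?) detected: (?P<sig>\S+)$")


def parse_detection(line):
    """Split 'path detected: signature' into (path, signature); None for other lines."""
    m = DETECTION.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("sig")


def triage(path):
    """Label one detection path the way the helper sorted the scan results."""
    p = path.lower()
    name = PureWindowsPath(p).name
    if p.startswith(QUARANTINE_ROOT + "\\"):
        return "already-quarantined"
    if RESTORE_MARKER in p:
        return "restore-point-copy"
    if name in HELPER_TOOL_NAMES:
        return "helper-tool-false-positive"
    return "action-required"


def path_red_flags(path):
    """Heuristic (assumed) checks that make a file worth a closer look, scanner verdict aside."""
    p = path.lower()
    name = PureWindowsPath(p).name
    flags = []
    if name in CORE_BINARIES and not p.startswith("c:\\windows\\"):
        flags.append("core-binary-name-outside-windows-dir")
    if HEX_NAME.match(name):
        flags.append("random-hex-filename")
    if "\\start menu\\programs\\startup\\" in p and name.endswith(".lnk"):
        flags.append("startup-folder-shortcut")
    return flags


def triage_log(lines):
    """Parse every detection line and attach a triage label plus red flags."""
    results = []
    for line in lines:
        parsed = parse_detection(line)
        if parsed is None:
            continue
        path, sig = parsed
        results.append({"path": path, "signature": sig,
                        "triage": triage(path), "flags": path_red_flags(path)})
    return results


if __name__ == "__main__":
    for entry in triage_log(SCAN_LINES):
        print(f"{entry['triage']:28} {entry['path']}  [{entry['signature']}] {entry['flags']}")
    # The same red-flag checks applied to loose paths seen elsewhere in the thread's logs.
    for loose in (r"C:\Documents and Settings\All Users\Application Data\lsass.exe",
                  r"C:\Documents and Settings\willie_dinish\My Documents\139d2e78.exe"):
        print(path_red_flags(loose), loose)
```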


----------



## wdauser (Mar 30, 2011)

OTL logfile created on: 10/10/2012 6:24:20 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 663.30 Mb Available Physical Memory | 65.33% Memory free
2.39 Gb Paging File | 2.16 Gb Available in Paging File | 90.34% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 18.71 Gb Free Space | 33.53% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 7.45 Gb Total Space | 0.00 Gb Free Space | 0.01% Space Free | Partition Type: FAT32

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2011/10/28 22:21:20 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
PRC - [2010/01/14 16:08:16 | 000,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/12/14 04:44:06 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/09/07 16:03:40 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/05/12 01:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2003/04/09 18:21:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/09 18:11:12 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/09 17:59:24 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/09 17:49:36 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

========== Modules (No Company Name) ==========

MOD - [2006/08/18 13:17:36 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL
MOD - [2004/09/07 16:03:46 | 000,073,728 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL

========== Services (SafeList) ==========

SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Normandy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (98097109)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (52066997)
DRV - [2012/10/10 00:28:14 | 000,017,904 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys -- (A2DDA)
DRV - [2010/07/04 14:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Running] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/28 22:23:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/05/25 20:36:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\RegCompact: DllName - (RegCompact.dll) - C:\WINDOWS\System32\RegCompact.dll (AMUST Software)
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 09:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/22 14:08:16 | 000,000,110 | -H-- | M] () - E:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/09 20:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit
[2012/10/09 00:17:15 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
[2012/10/02 21:08:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy
[2012/10/01 14:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/10/01 14:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/10/01 14:28:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\WinRAR
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2012/10/01 09:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/09/30 00:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Thinstall
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Application Data\Thinstall
[2012/09/28 18:04:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/27 00:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 21:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 19:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/16 20:08:41 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2012/09/15 18:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 18:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 21:00:39 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com

========== Files - Modified Within 30 Days ==========

[2012/10/10 18:23:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/10 18:23:22 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/10 18:23:18 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/10 18:23:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/09 19:53:58 | 201,828,427 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/09 00:31:31 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\4e0b82c3.pad
[2012/10/09 00:30:01 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
[2012/10/09 00:17:15 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
[2012/10/09 00:16:55 | 000,169,472 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\3c28b0e4.dll
[2012/10/08 22:37:06 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/10/07 20:37:05 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/10/07 15:29:05 | 000,003,267 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\Mom's Info.pdf
[2012/10/07 01:24:37 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job
[2012/10/05 22:23:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:35 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:36 | 000,003,213 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:36:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 14:34:38 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/10/01 14:34:38 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/10/01 14:28:18 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 13:55:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:30 | 001,517,376 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:43 | 000,662,710 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Netflix DVD Queue.pdf
[2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/26 20:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 22:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 19:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 22:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/15 18:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 22:30:03 | 000,002,683 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Readon TV Movie Radio Player.lnk
[2012/09/10 21:00:41 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com

========== Files Created - No Company Name ==========

[2012/10/09 19:53:51 | 201,828,427 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/09 00:17:39 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\4e0b82c3.pad
[2012/10/09 00:16:55 | 000,169,472 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\3c28b0e4.dll
[2012/10/07 15:29:03 | 000,003,267 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\Mom's Info.pdf
[2012/10/07 01:24:32 | 000,000,444 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/07 01:24:17 | 000,000,438 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
[2012/10/07 01:24:14 | 000,000,434 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:33 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:33 | 000,003,213 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:28:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 14:28:16 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 13:55:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:15 | 001,517,376 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:32 | 000,662,710 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Netflix DVD Queue.pdf
[2012/09/23 22:21:39 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 22:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/04/22 21:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 23:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/19 00:47:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/19 00:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/19 00:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 00:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/19 00:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 20:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 14:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/20 00:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2004/08/04 05:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB57315$] -> Error: Cannot create file handle -> Unknown point type
< End of report >


----------



## wdauser (Mar 30, 2011)

Log with Netsrvcs

OTL logfile created on: 10/10/2012 6:46:38 PM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 446.67 Mb Available Physical Memory | 43.99% Memory free
2.39 Gb Paging File | 1.94 Gb Available in Paging File | 81.14% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 18.71 Gb Free Space | 33.53% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 7.45 Gb Total Space | 0.00 Gb Free Space | 0.01% Space Free | Partition Type: FAT32

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2011/10/28 22:21:20 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
PRC - [2011/01/07 13:12:22 | 000,505,576 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/01/14 16:08:16 | 000,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/09/07 16:03:40 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/05/12 01:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2003/04/09 18:21:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/09 18:11:12 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/09 17:59:24 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/09 17:49:36 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

========== Modules (No Company Name) ==========

MOD - [2006/08/18 13:17:36 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL
MOD - [2004/09/07 16:03:46 | 000,073,728 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL

========== Services (SafeList) ==========

SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Normandy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (98097109)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (52066997)
DRV - [2012/10/10 00:28:14 | 000,017,904 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys -- (A2DDA)
DRV - [2010/07/04 14:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Running] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/28 22:23:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/05/25 20:36:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\RegCompact: DllName - (RegCompact.dll) - C:\WINDOWS\System32\RegCompact.dll (AMUST Software)
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 09:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/22 14:08:16 | 000,000,110 | -H-- | M] () - E:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/10/09 20:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit
[2012/10/09 00:17:15 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
[2012/10/02 21:08:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy
[2012/10/01 14:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/10/01 14:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/10/01 14:28:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\WinRAR
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2012/10/01 09:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/09/30 00:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Thinstall
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Application Data\Thinstall
[2012/09/28 18:04:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/27 00:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 21:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 19:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/16 20:08:41 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2012/09/15 18:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 18:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 21:00:39 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com

========== Files - Modified Within 30 Days ==========

[2012/10/10 18:37:10 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/10/10 18:23:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/10 18:23:22 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/10 18:23:18 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/10 18:23:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/09 19:53:58 | 201,828,427 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/09 00:31:31 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\4e0b82c3.pad
[2012/10/09 00:30:01 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
[2012/10/09 00:17:15 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
[2012/10/09 00:16:55 | 000,169,472 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\3c28b0e4.dll
[2012/10/07 20:37:05 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/10/07 15:29:05 | 000,003,267 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\Mom's Info.pdf
[2012/10/07 01:24:37 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job
[2012/10/05 22:23:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:35 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:36 | 000,003,213 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:36:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 14:34:38 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/10/01 14:34:38 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/10/01 14:28:18 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 13:55:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:30 | 001,517,376 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:43 | 000,662,710 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Netflix DVD Queue.pdf
[2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/26 20:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 22:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 19:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 22:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/15 18:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 22:30:03 | 000,002,683 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Readon TV Movie Radio Player.lnk
[2012/09/10 21:00:41 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com

========== Files Created - No Company Name ==========

[2012/10/09 19:53:51 | 201,828,427 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/09 00:17:39 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\4e0b82c3.pad
[2012/10/09 00:16:55 | 000,169,472 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\3c28b0e4.dll
[2012/10/07 15:29:03 | 000,003,267 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\Mom's Info.pdf
[2012/10/07 01:24:32 | 000,000,444 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/07 01:24:17 | 000,000,438 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
[2012/10/07 01:24:14 | 000,000,434 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:33 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:33 | 000,003,213 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:28:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 14:28:16 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 13:55:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:15 | 001,517,376 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:32 | 000,662,710 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Netflix DVD Queue.pdf
[2012/09/23 22:21:39 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 22:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/04/22 21:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 23:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/19 00:47:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/19 00:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/19 00:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 00:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/19 00:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 20:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 14:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/20 00:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2004/08/04 05:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB57315$] -> Error: Cannot create file handle -> Unknown point type
< End of report >


----------



## Cookiegal (Aug 27, 2003)

Do you know what these scheduled tasks relate to?

C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job


----------



## Cookiegal (Aug 27, 2003)

Also, what generally appears as your E drive?


----------



## wdauser (Mar 30, 2011)

Cookiegal said:


> Do you know what these scheduled tasks relate to?
> 
> C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
> C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job


No I am not familiar with these.


----------



## wdauser (Mar 30, 2011)

My E: is usually my flash drive.


----------



## Cookiegal (Aug 27, 2003)

Please run OTL again. Under the *Custom Scans/Fixes* box at the bottom paste in the following:


```
:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (98097109)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (52066997)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
[2012/10/09 00:17:15 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
[2012/10/09 00:31:31 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\4e0b82c3.pad
[2012/10/09 00:30:01 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
[2012/10/09 00:17:15 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
[2012/10/09 00:16:55 | 000,169,472 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\3c28b0e4.dll
```

Then click the *Run Fix* button at the top.
Let the program run unhindered, and reboot the PC when it is done.
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Next, please do the following using ComboFix.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\$NtUninstallKB57315$
C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job
C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job

DirLook::
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
C:\Documents and Settings\All Users\Application Data\8kUL5H5g
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

(image not preserved: CFScript.txt being dragged onto ComboFix.exe)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

Finally, insert your flash drive and then do the following.

I'm attaching a MountPoints Diagnostic.zip file to this post. Save it to your desktop. Unzip it and double click the MountPoints Diagnostic.bat file and let it run. It will create a report in Notepad named Diagnostic.txt. Please upload the Diagnostic.txt file as an attachment.
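The entries picked out for the OTL fix above share a few traits that a practitioner would look for when reading an OTL file listing by hand: a core Windows process name (lsass.exe) sitting outside %SystemRoot%, files with random hex stems (4e0b82c3.pad, 3c28b0e4.dll), and hidden+system files with random names in Application Data (8kUL5H5g). The script below is an added example, not part of this thread and not OTL's or ComboFix's own logic: it parses OTL's file-listing line format and applies those three heuristics. The heuristics, the list of system binary names, and the assumption that %SystemRoot% is C:\WINDOWS are illustrative choices; the sample lines are copied from the log posted earlier in the thread.

```python
"""Heuristic triage of OTL 'Files Created/Modified' lines.

Added example for this thread; not OTL's own code. The three heuristics
below are assumptions chosen to illustrate how a helper reads these logs,
not malware signatures.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shape: [date time | size | attrs | C/M] (company) -- path
# Directory lines carry no "(company)" part, so that group is optional.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Assumption: core Windows processes that belong only under %SystemRoot%,
# taken to be C:\WINDOWS on this XP machine.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "svchost.exe", "explorer.exe"}
SYSTEM_ROOT = r"c:\windows"


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str      # four flags in order: R(ead-only) H(idden) S(ystem) D(irectory)
    kind: str       # C = created, M = modified
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_dir(self) -> bool:
        return self.attrs[3] == "D"

    @property
    def hidden_system(self) -> bool:
        return self.attrs[1] == "H" and self.attrs[2] == "S"

    @property
    def in_system_root(self) -> bool:
        return self.path.lower().startswith(SYSTEM_ROOT + "\\")


def parse_otl_line(line: str) -> Optional[Entry]:
    """Parse one OTL file-listing line; return None for anything else."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                 m["kind"], m["company"] or "", m["path"])


def looks_random(name: str) -> bool:
    """Assumed heuristic: an 8-character hex stem (4e0b82c3.pad), or an
    extension-less 8-character name mixing digits, upper and lower case
    (8kUL5H5g)."""
    stem, _, ext = name.partition(".")
    if re.fullmatch(r"[0-9a-f]{8}", stem):
        return True
    if not ext and re.fullmatch(r"[0-9A-Za-z]{8}", stem):
        return (any(c.isdigit() for c in stem)
                and any(c.isupper() for c in stem)
                and any(c.islower() for c in stem))
    return False


def flag_entry(e: Entry) -> List[str]:
    """Return the reasons an entry deserves a second look (empty if none)."""
    reasons: List[str] = []
    if e.is_dir:
        return reasons  # directories are out of scope for these checks
    if e.name.lower() in SYSTEM_BINARIES and not e.in_system_root:
        reasons.append("system binary name outside %SystemRoot%")
    if looks_random(e.name):
        reasons.append("random-looking file name")
    if e.hidden_system and not e.in_system_root:
        reasons.append("hidden+system attributes outside %SystemRoot%")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; the same file listed under both
    'Created' and 'Modified' is reported once."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_otl_line(line)
        if e is None:
            continue
        for reason in flag_entry(e):
            bucket = findings.setdefault(e.path, [])
            if reason not in bucket:
                bucket.append(reason)
    return findings


# Lines copied from the OTL log posted earlier in this thread.
SAMPLE_LOG = r"""
[2012/10/09 00:17:15 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
[2012/10/09 00:31:31 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\4e0b82c3.pad
[2012/10/09 00:16:55 | 000,169,472 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\3c28b0e4.dll
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/07 15:29:05 | 000,003,267 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\Mom's Info.pdf
[2012/10/11 19:07:29 | 000,000,000 | ---D | C] -- C:\_OTL
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The output lists exactly the four files the OTL fix and the DirLook:: request target, and leaves OTL.exe, the PDF and the _OTL directory alone. The checks are deliberately narrow: a file that merely has a hidden attribute (the hpothb07.* entries) or a hex-looking GUID in its name is not flagged, because both are common for legitimate software, and a positive hit is a prompt to pull the file for analysis, not proof that it is malicious.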


----------



## wdauser (Mar 30, 2011)

========== OTL ==========
Service 98097109 stopped successfully!
Service 98097109 deleted successfully!
Service 52066997 stopped successfully!
Service 52066997 deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
Starting removal of ActiveX control {BDEE1959-AB6B-4745-A29B-F492861102CC}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BDEE1959-AB6B-4745-A29B-F492861102CC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDEE1959-AB6B-4745-A29B-F492861102CC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BDEE1959-AB6B-4745-A29B-F492861102CC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDEE1959-AB6B-4745-A29B-F492861102CC}\ not found.
C:\Documents and Settings\All Users\Application Data\lsass.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\4e0b82c3.pad moved successfully.
C:\WINDOWS\tasks\ReclaimerUpdateFiles_willie_dinish.job moved successfully.
File C:\Documents and Settings\All Users\Application Data\lsass.exe not found.
C:\Documents and Settings\willie_dinish\My Documents\3c28b0e4.dll moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 10112012_190729


----------



## wdauser (Mar 30, 2011)

OTL logfile created on: 10/11/2012 7:12:08 PM - Run 5
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 665.04 Mb Available Physical Memory | 65.50% Memory free
2.39 Gb Paging File | 2.16 Gb Available in Paging File | 90.48% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 18.21 Gb Free Space | 32.64% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 7.45 Gb Total Space | 0.00 Gb Free Space | 0.01% Space Free | Partition Type: FAT32

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2011/10/28 22:21:20 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
PRC - [2010/01/14 16:08:16 | 000,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/12/14 04:44:06 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/09/07 16:03:40 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/05/12 01:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2003/04/09 18:21:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/09 18:11:12 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/09 17:59:24 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/09 17:49:36 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

========== Modules (No Company Name) ==========

MOD - [2006/08/18 13:17:36 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL
MOD - [2004/09/07 16:03:46 | 000,073,728 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL

========== Services (SafeList) ==========

SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Normandy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/10/10 00:28:14 | 000,017,904 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys -- (A2DDA)
DRV - [2010/07/04 14:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Running] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/28 22:23:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/05/25 20:36:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\RegCompact: DllName - (RegCompact.dll) - C:\WINDOWS\System32\RegCompact.dll (AMUST Software)
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 09:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/22 14:08:16 | 000,000,110 | -H-- | M] () - E:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/11 19:07:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/09 20:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit
[2012/10/02 21:08:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy
[2012/10/01 14:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/10/01 14:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/10/01 14:28:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\WinRAR
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2012/10/01 09:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/09/30 00:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Thinstall
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Application Data\Thinstall
[2012/09/28 18:04:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/27 00:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 21:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 19:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/16 20:08:41 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2012/09/15 18:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 18:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe

========== Files - Modified Within 30 Days ==========

[2012/10/11 19:11:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/11 19:11:07 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/11 19:11:00 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/11 19:10:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/11 01:37:11 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/10/11 01:25:10 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job
[2012/10/10 20:37:03 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/10/09 19:53:58 | 201,828,427 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/05 22:23:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:35 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:36 | 000,003,213 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:36:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 14:34:38 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/10/01 14:34:38 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/10/01 14:28:18 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 13:55:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:30 | 001,517,376 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:43 | 000,662,710 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Netflix DVD Queue.pdf
[2012/09/28 18:04:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/09/26 20:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 22:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 19:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 22:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/15 18:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe

========== Files Created - No Company Name ==========

[2012/10/09 19:53:51 | 201,828,427 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/07 01:24:32 | 000,000,444 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/07 01:24:14 | 000,000,434 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:33 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:33 | 000,003,213 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:28:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 14:28:16 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 13:55:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:15 | 001,517,376 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:32 | 000,662,710 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Netflix DVD Queue.pdf
[2012/09/23 22:21:39 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 22:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/04/22 21:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 23:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/19 00:47:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/19 00:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/19 00:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 00:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/19 00:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 20:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 14:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/20 00:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2004/08/04 05:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< netsrvcs >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB57315$] -> Error: Cannot create file handle -> Unknown point type
< End of report >


----------



## wdauser (Mar 30, 2011)

Cookiegal,

I was able to finally get ComboFix to download to the desktop. I was still unable to get it to work in "normal" mode. I just received a series of error messages as the software attempted to run and was forced to abort the software again (3rd time?). Should I try safe mode? Or something else?


----------



## Cookiegal (Aug 27, 2003)

Please run OTL again. Under the *Custom Scans/Fixes* box at the bottom paste in the following:


```
:OTL
[2012/10/11 01:25:10 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job

:Files
C:\WINDOWS\$NtUninstallKB57315$
```

Then click the *Run Fix* button at the top.
Let the program run unhindered, and reboot the PC when it is done.
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


----------
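Reading the OTL file listings above and writing the fix script Cookiegal pastes in (which quotes a log line verbatim under `:OTL`) both depend on the same one-line-per-file format. The following is an added example, not OTL's or the thread's own code: a small Python parser for that format plus two triage heuristics of this example's own that pull out the entries an analyst would look at first (hidden+system files with no publisher inside a user profile, and extension-less random-looking names). The sample lines are copied from the log above; the heuristics and every function name are assumptions of this example, not OTL features.

```python
"""Parser and triage helper for OTL file/folder entries (added example, not OTL's code).

OTL lists one file or folder per line as
    [YYYY/MM/DD HH:MM:SS | size | attrs | op] (Company) -- path
attrs is a four-character field (R read-only, H hidden, S system, D directory,
'-' unset), op is C (created) or M (modified). Directories carry no "(Company)"
field at all; files whose version resource has no company name show "()".
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<op>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)$"
)
# Heuristic of this example: 8+ alphanumerics mixing upper, lower and digits, no dot.
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)[A-Za-z0-9]{8,}$")
USER_PROFILE = "\\Documents and Settings\\"


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str
    op: str
    company: Optional[str]  # None when OTL prints no field (directories), "" when empty
    path: str

    @property
    def hidden(self) -> bool: return "H" in self.attrs
    @property
    def system(self) -> bool: return "S" in self.attrs
    @property
    def is_dir(self) -> bool: return "D" in self.attrs
    @property
    def name(self) -> str: return self.path.rsplit("\\", 1)[-1]


def parse_entry(line: str) -> Optional[Entry]:
    """Decode one OTL file line; returns None for lines in other formats (DRV, O32, ...)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),  # "000,017,480" -> 17480 bytes
        attrs=m["attrs"],
        op=m["op"],
        company=m["company"],  # None if the optional group did not match
        path=m["path"],
    )


def triage(entry: Entry) -> List[str]:
    """Reasons an analyst should look at this entry first. Leads, not verdicts."""
    reasons: List[str] = []
    if (not entry.is_dir and entry.hidden and entry.system
            and entry.company == "" and USER_PROFILE in entry.path):
        reasons.append("hidden+system file with no publisher inside a user profile")
    if not entry.is_dir and RANDOM_NAME_RE.match(entry.name):
        reasons.append("random-looking filename with no extension")
    return reasons


def triage_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons, skipping lines that are not file entries."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[entry.path] = reasons
    return findings


# Sample input: lines copied from the OTL log posted above (one non-file line included).
SAMPLE_LOG = r"""
[2012/10/11 19:07:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/01 14:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2012/09/30 00:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
""".strip().splitlines()

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```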



## wdauser (Mar 30, 2011)

OTL uninstalled after the fix ran. I let the machine sit for 30 mins waiting for something more to happen, but nothing did. I have rebooted, but I'm not sure how to proceed. Should I reinstall OTL in safe mode?


----------



## Cookiegal (Aug 27, 2003)

Yes please. Reinstall it and run it again and then post that log.


----------



## wdauser (Mar 30, 2011)

========== OTL ==========
File C:\WINDOWS\tasks\ReclaimerUpdateXML_willie_dinish.job not found.
========== FILES ==========
Folder move failed. C:\WINDOWS\$NtUninstallKB57315$ scheduled to be moved on reboot.

OTL by OldTimer - Version 3.2.69.0 log created on 10132012_001849
Files\Folders moved on Reboot...
Folder move failed. C:\WINDOWS\$NtUninstallKB57315$ scheduled to be moved on reboot.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...


----------



## Cookiegal (Aug 27, 2003)

That is the log from the fix that was run. I would like to see a log from a new run please.

Also, please do the following:

Please download GMER from: http://gmer.net/index.php

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

*Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.*

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are *unchecked* on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the *Scan* button and when the scan is finished, click *Save* and save the log in Notepad with the name ark.txt to your desktop.

*Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze. You should disable your screen saver as if it comes on it may cause the program to freeze.*

Open the ark.txt file and copy and paste the contents of the log here please.


----------



## wdauser (Mar 30, 2011)

Ran into a little issue yesterday, so reran today.

OTL logfile created on: 10/13/2012 10:56:56 PM - Run 6
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 803.27 Mb Available Physical Memory | 79.11% Memory free
2.39 Gb Paging File | 2.30 Gb Available in Paging File | 96.47% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 17.70 Gb Free Space | 31.73% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 7.45 Gb Total Space | 0.92 Gb Free Space | 12.40% Space Free | Partition Type: FAT32

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/13 00:14:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Stopped] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Normandy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/10/10 00:28:14 | 000,017,904 | ---- | M] (Emsi Software GmbH) [Kernel | System | Stopped] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys -- (A2DDA)
DRV - [2010/07/04 14:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Stopped] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/28 22:23:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/05/25 20:36:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\RegCompact: DllName - (RegCompact.dll) - C:\WINDOWS\System32\RegCompact.dll (AMUST Software)
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 09:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/22 14:08:16 | 000,000,110 | -H-- | M] () - E:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/13 00:14:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/11 19:40:41 | 004,766,830 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\ComboFix.exe
[2012/10/11 19:07:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/09 20:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit
[2012/10/02 21:08:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy
[2012/10/01 14:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/10/01 14:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/10/01 14:28:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\WinRAR
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2012/10/01 09:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/09/30 00:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Thinstall
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Application Data\Thinstall
[2012/09/27 00:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 21:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 19:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/16 20:08:41 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2012/09/15 18:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 18:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe

========== Files - Modified Within 30 Days ==========

[2012/10/13 22:55:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/13 22:55:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/13 22:37:07 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/10/13 22:14:26 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/13 22:14:24 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/13 00:14:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/12 22:23:01 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/12 20:37:18 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/10/11 19:40:41 | 004,766,830 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\ComboFix.exe
[2012/10/09 19:53:58 | 201,828,427 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/03 23:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:35 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:36 | 000,003,213 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:36:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 14:34:38 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/10/01 14:34:38 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/10/01 14:28:18 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 13:55:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:30 | 001,517,376 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:43 | 000,662,710 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\Netflix DVD Queue.pdf
[2012/09/26 20:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 22:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 19:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 22:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/15 18:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe

========== Files Created - No Company Name ==========

[2012/10/09 19:53:51 | 201,828,427 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/07 01:24:32 | 000,000,444 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:33 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:33 | 000,003,213 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:28:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 14:28:16 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 13:55:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:15 | 001,517,376 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:32 | 000,662,710 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\Netflix DVD Queue.pdf
[2012/09/23 22:21:39 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 22:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/04/22 21:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 23:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/19 00:47:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/19 00:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/19 00:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 00:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/19 00:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 20:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 14:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/20 00:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2004/08/04 05:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB57315$] -> -> Unknown point type
< End of report >


----------



## wdauser (Mar 30, 2011)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-14 17:29:33
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD600VE-75HDT1 rev.11.07D11
Running: ulq070b6.exe; Driver: C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\pwriipoc.sys

Log file turned out to be pretty big. Log should be attached in the file. I also placed it in a file on Google Docs. Let me know if you cannot access it. https://docs.google.com/open?id=0BzXDE9gn6t8mQXFVSkwtWnlOSlU

Thanks for your help.

---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs 1
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\$NtUninstallKB57315$\2431274761 0 bytes
File C:\WINDOWS\$NtUninstallKB57315$\2431274761\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57315$\2431274761\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57315$\364823651 0 bytes
---- EOF - GMER 1.0.15 ----


----------



## Cookiegal (Aug 27, 2003)

1. Please *download* *The Avenger2* by Swandog46 to your *Desktop*.
Right-click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the *Avenger* folder to your desktop.
2. Copy all the text contained in the code box below to your clipboard by highlighting it and pressing (*Ctrl+C*):


```
Folders to delete:
C:\WINDOWS\$NtUninstallKB57315$
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, open the Avenger folder and *start The Avenger program* by clicking on its icon.

Right-click on the window under *Input script here:*, and select Paste.
You can also paste the text copied to the clipboard into this window by pressing (*Ctrl+V*).
Click on *Execute*.
Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *restart your computer*. (In cases where the code to execute contains "*Drivers to Delete*", The Avenger will actually *restart your system twice.*)
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *C:\avenger.txt* into your reply *along with a fresh OTL log*.


----------



## wdauser (Mar 30, 2011)

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Error: could not open folder "C:\WINDOWS\$NtUninstallKB57315$"
Deletion of folder "C:\WINDOWS\$NtUninstallKB57315$" failed!
Status: 0xc0000279

Completed script processing.
*******************
Finished! Terminate.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* and then copy and paste the following command there and click OK:


```
cmd /c swxcacls "C:\WINDOWS\$NtUninstallKB57315$" /reset /q
```
You will see the black DOS-type window open briefly and then close.

Then try running Avenger again and post the new log.


----------



## wdauser (Mar 30, 2011)

Copied and ran the command. Rebooted the machine. Suspended ThreatFire, suspended Spybot.

Then re-ran Avenger. Log below. No response, it seems. OTL log also below.

What do we try next?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Error: could not open folder "C:\WINDOWS\$NtUninstallKB57315$"
Deletion of folder "C:\WINDOWS\$NtUninstallKB57315$" failed!
Status: 0xc0000279

Completed script processing.
*******************
Finished! Terminate.

OTL logfile created on: 10/15/2012 8:21:40 PM - Run 7
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 802.36 Mb Available Physical Memory | 79.02% Memory free
2.39 Gb Paging File | 2.31 Gb Available in Paging File | 96.59% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 17.54 Gb Free Space | 31.44% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/13 00:14:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Stopped] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Normandy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/10/10 00:28:14 | 000,017,904 | ---- | M] (Emsi Software GmbH) [Kernel | System | Stopped] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys -- (A2DDA)
DRV - [2010/07/04 14:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Stopped] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/28 22:23:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/05/25 20:36:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\RegCompact: DllName - (RegCompact.dll) - C:\WINDOWS\System32\RegCompact.dll (AMUST Software)
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 09:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/15 20:01:15 | 000,000,000 | ---D | C] -- C:\Avenger
[2012/10/15 19:50:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\avenger
[2012/10/13 00:14:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/11 19:40:41 | 004,766,830 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\ComboFix.exe
[2012/10/11 19:07:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/09 20:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit
[2012/10/02 21:08:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy
[2012/10/01 14:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/10/01 14:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/10/01 14:28:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\WinRAR
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2012/10/01 09:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/09/30 00:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Thinstall
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Application Data\Thinstall
[2012/09/27 00:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 21:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 19:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/16 20:08:41 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW

========== Files - Modified Within 30 Days ==========

[2012/10/15 20:21:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/15 20:20:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/15 20:15:59 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/15 20:15:54 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/15 19:39:50 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\avenger.zip
[2012/10/15 19:37:06 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/10/14 20:37:02 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/10/14 19:11:40 | 000,257,733 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\ark.pdf
[2012/10/14 12:52:15 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\ulq070b6.exe
[2012/10/14 12:35:55 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\willie_dinish\defogger_reenable
[2012/10/14 12:34:58 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Defogger.exe
[2012/10/13 00:14:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/12 22:23:01 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/10/11 19:40:41 | 004,766,830 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\ComboFix.exe
[2012/10/10 21:08:33 | 000,012,490 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\2011_Alabama_Form_40V.pdf
[2012/10/10 20:59:26 | 000,009,998 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\2011_Federal_Form_4868.pdf
[2012/10/09 19:53:58 | 201,828,427 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/07 15:29:05 | 000,003,267 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\Mom's Info.pdf
[2012/10/03 23:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:35 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:36 | 000,003,213 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:36:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 14:34:38 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/10/01 14:34:38 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/10/01 14:28:18 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 13:55:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:30 | 001,517,376 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:43 | 000,662,710 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\Netflix DVD Queue.pdf
[2012/09/26 20:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 22:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 19:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 22:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf

========== Files Created - No Company Name ==========

[2012/10/15 19:39:47 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\avenger.zip
[2012/10/14 19:11:20 | 000,257,733 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\ark.pdf
[2012/10/14 12:52:11 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\ulq070b6.exe
[2012/10/14 12:35:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\defogger_reenable
[2012/10/14 12:34:57 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Defogger.exe
[2012/10/10 21:08:33 | 000,012,490 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\2011_Alabama_Form_40V.pdf
[2012/10/10 20:54:46 | 000,009,998 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\2011_Federal_Form_4868.pdf
[2012/10/09 19:53:51 | 201,828,427 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/07 15:29:03 | 000,003,267 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\Mom's Info.pdf
[2012/10/07 01:24:32 | 000,000,444 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:33 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:33 | 000,003,213 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:28:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 14:28:16 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 13:55:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:15 | 001,517,376 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 12:22:32 | 000,662,710 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\Netflix DVD Queue.pdf
[2012/09/23 22:21:39 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 22:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/04/22 21:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 23:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/19 00:47:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/19 00:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/19 00:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 00:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/19 00:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 20:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 14:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/20 00:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2004/08/04 05:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< netsrvcs >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB57315$] -> -> Unknown point type
< End of report >


----------



## wdauser (Mar 30, 2011)

Probably should mention that Avenger would only extract while in safe mode. It ran fine in normal mode both times. OTL was run in safe mode as it will not respond in normal mode at the moment. 

Thanks.


----------



## Cookiegal (Aug 27, 2003)

OK, let's try this:

Please download *GrantPerms.zip*

Save to the Desktop.

Unzip the file (Right-click - Extract all...) then follow the prompts.

In the new folder that appears, double-click _GrantPerms.exe_

Copy and paste the following in the blank area:

*C:\WINDOWS\$NtUninstallKB57315$*

Click: *Unlock*

When done click OK and close the tool.

Then run Avenger again with the same command and post the log.


----------



## wdauser (Mar 30, 2011)

1st try: forgot to suspend ThreatFire and Spybot. 2nd try: those programs suspended. So, 2 tries tonight and the following result:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Error: could not open folder "C:\WINDOWS\$NtUninstallKB57315$"
Deletion of folder "C:\WINDOWS\$NtUninstallKB57315$" failed!
Status: 0xc0000279

Completed script processing.
*******************
Finished! Terminate.

What do we try next?


----------



## Cookiegal (Aug 27, 2003)

Try Avenger again with this script:


```
Folders to delete:
C:\WINDOWS\$NtUninstallKB57315$\2431274761
C:\WINDOWS\$NtUninstallKB57315$\364823651
```


----------



## wdauser (Mar 30, 2011)

New log below:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Error: could not open folder "C:\WINDOWS\$NtUninstallKB57315$\2431274761"
Deletion of folder "C:\WINDOWS\$NtUninstallKB57315$\2431274761" failed!
Status: 0xc0000279

Error: could not open folder "C:\WINDOWS\$NtUninstallKB57315$\364823651"
Deletion of folder "C:\WINDOWS\$NtUninstallKB57315$\364823651" failed!
Status: 0xc0000279

Completed script processing.
*******************
Finished! Terminate.

I had this idea about trying ComboFix in safe mode. But I'm not sure. What do we try next?


----------



## Cookiegal (Aug 27, 2003)

I thought we already tried ComboFix in safe mode. If not, then yes, let's try that.


----------



## wdauser (Mar 30, 2011)

I see a note in post 89 where I finally got the software to download to the desktop. And a mention about running it in safe mode, but it looks like we stepped past that and got into some other issues.

Should I try it using your instructions in post #85? And should I be aware of any issues if the software reboots the machine?

Thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

Yes, please follow the instructions in post no. 85.

Just be sure you have anything important backed up as you should have had from the start.


----------



## wdauser (Mar 30, 2011)

We've got a log.

ComboFix 12-10-11.03 - willie_dinish 10/18/2012 18:49:23.4.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.811 [GMT -5:00]
Running from: c:\documents and settings\willie_dinish\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\willie_dinish\Desktop\CFScript.txt
.
FILE ::
"c:\windows\$NtUninstallKB57315$"
"c:\windows\tasks\ReclaimerUpdateFiles_willie_dinish.job"
"c:\windows\tasks\ReclaimerUpdateXML_willie_dinish.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
c:\windows\$NtUninstallKB57315$
c:\windows\$NtUninstallKB57315$\364823651
.
.
((((((((((((((((((((((((( Files Created from 2012-09-19 to 2012-10-19 )))))))))))))))))))))))))))))))
.
.
2012-10-12 00:07 . 2012-10-12 00:07 -------- d-----w- C:\_OTL
2012-10-01 22:20 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2012-10-01 19:33 . 2012-10-01 19:33 -------- d-----w- c:\program files\Windows Media Connect 2
2012-10-01 19:28 . 2012-10-01 19:30 -------- d-----w- c:\windows\system32\drivers\UMDF
2012-10-01 14:43 . 2012-10-01 14:44 -------- d-----w- c:\documents and settings\Administrator.WILLIEDINISH.000
2012-09-29 23:48 . 2012-09-29 23:50 -------- d-----w- c:\documents and settings\willie_dinish\Application Data\Thinstall
2012-09-29 23:48 . 2012-09-29 23:48 -------- d-----w- c:\documents and settings\willie_dinish\Local Settings\Application Data\Thinstall
2012-09-27 05:23 . 2012-09-27 05:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-25 00:47 . 2008-04-14 00:11 19456 ----a-w- c:\windows\system32\dimsntfy.dll
2012-09-21 00:58 . 2012-09-21 00:58 -------- d-----w- C:\_OTS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\8kUL5H5g ----
.
.
---- Directory of c:\documents and settings\willie_dinish\Local Settings\Application Data\8kUL5H5g ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 1038336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-06-08 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-29 273528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
2005-11-22 00:22 135168 ----a-w- c:\windows\system32\RegCompact.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Readon Technology\\Readon TV Movie Radio Player 7.2.0.0\\internettv.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2010 12:18 AM 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [4/10/2010 1:55 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [4/10/2010 1:55 AM 59664]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys [10/9/2012 8:02 PM 17904]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 4:26 PM 80384]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [4/10/2010 1:55 AM 33552]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2/3/2010 7:50 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2/3/2010 7:50 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2/3/2010 7:50 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/3/2010 7:50 PM 10368]
S3 Normandy;Normandy SR2; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2009-12-06 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4242950646.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2012-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-10-19 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
- c:\documents and settings\willie_dinish\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-10-05 03:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-66303549.sys
AddRemove-Cakewalk Home Studio 2002 - c:\progra~1\Cakewalk\CAKEWA~1\UNWISE.EXE
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\willie_dinish\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-18 19:08
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1008)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\RegCompact.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
.
- - - - - - - > 'lsass.exe'(1064)
c:\program files\ThreatFire\TFWAH.dll
.
- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TfWah.dll
c:\windows\system32\ieframe.dll
c:\program files\ThreatFire\TFNI.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Spyware Doctor\pctsAuxs.exe
c:\program files\ThreatFire\TFService.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-10-18 19:24:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-19 00:23
ComboFix2.txt 2011-05-26 01:50
ComboFix3.txt 2011-05-19 06:36
.
Pre-Run: 20,030,472,192 bytes free
Post-Run: 21,676,826,624 bytes free
.
- - End Of File - - 84AD60A854D9FE265091AB24160D39C8


----------



## wdauser (Mar 30, 2011)

Diagnostic Report
Thu 10/18/2012 20:04:44.54

Mountpoints > Drives subkeys: 
------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2741f2c1-7a62-11dd-9c9c-806d6172696f}]
"BaseClass"="Drive"
~~~~~~~~~~~~~~~~~~~~~~~~~ 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2741f2c2-7a62-11dd-9c9c-806d6172696f}]
"BaseClass"="Drive"
~~~~~~~~~~~~~~~~~~~~~~~~~ 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3cb6cfb4-899c-11dd-8f49-00166f493803}]
"BaseClass"="Drive"
~~~~~~~~~~~~~~~~~~~~~~~~~ 
No Autorun files found in C:\WINDOWS 
No Autorun files found in C:\WINDOWS\system32

No Autorun files found in root of C:

No Autorun files found in root of D:

No Autorun files found in root of E:

What do we do next?


----------



## Cookiegal (Aug 27, 2003)

That's great. ComboFix got it.

Please run GMER again and post the new log.


----------



## wdauser (Mar 30, 2011)

Got a pretty big GMER log. Could not get it to fit into attachment parameters, so I've put it into a Google Docs post. Please let me know if either of these is not accessible to you.
https://docs.google.com/open?id=0BzXDE9gn6t8mQlNWOHVhV2VOS2s

Thanks for your help. What's next?


----------



## Cookiegal (Aug 27, 2003)

Please just upload it as an attachment here.

I'm signing off for the night so will check back in the morning.

In the meantime, how's the machine behaving?


----------



## wdauser (Mar 30, 2011)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-19 20:11:45
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD600VE-75HDT1 rev.11.07D11

All right. Got the attachment to work. Machine seems to be in much better state. Every window in IE is giving me a prompt. I forgot I had this setting on the software. Thanks a ton for your help.

What's the next step?


----------



## Cookiegal (Aug 27, 2003)

This looks good now. 

There are a couple of leftovers to remove again with ComboFix.

Open Notepad and copy and paste the text in the code box below into it:


```
Folder::
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
C:\Documents and Settings\All Users\Application Data\8kUL5H5g
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Also, let's see if you still have trouble with Malwarebytes. If it's still installed, please uninstall it via the Control Panel - Add or Remove Programs. Then run the MBAM-Clean utility to remove any remnants.

http://helpdesk.malwarebytes.org/en...o-completely-remove-malwarebytes-anti-malware

If the utility doesn't reboot the machine please do so. Then do the following:

Please download Malwarebytes' Anti-Malware from *Here*.

Double-click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## wdauser (Mar 30, 2011)

ComboFix 12-10-11.03 - willie_dinish 10/20/2012 20:55:22.5.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.800 [GMT -5:00]
Running from: c:\documents and settings\willie_dinish\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\willie_dinish\Desktop\cfscript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-09-21 to 2012-10-21 )))))))))))))))))))))))))))))))
.
.
2012-10-12 00:07 . 2012-10-12 00:07 -------- d-----w- C:\_OTL
2012-10-01 22:20 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2012-10-01 19:33 . 2012-10-01 19:33 -------- d-----w- c:\program files\Windows Media Connect 2
2012-10-01 19:28 . 2012-10-01 19:30 -------- d-----w- c:\windows\system32\drivers\UMDF
2012-10-01 14:43 . 2012-10-01 14:44 -------- d-----w- c:\documents and settings\Administrator.WILLIEDINISH.000
2012-09-29 23:48 . 2012-09-29 23:50 -------- d-----w- c:\documents and settings\willie_dinish\Application Data\Thinstall
2012-09-29 23:48 . 2012-09-29 23:48 -------- d-----w- c:\documents and settings\willie_dinish\Local Settings\Application Data\Thinstall
2012-09-27 05:23 . 2012-09-27 05:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-25 00:47 . 2008-04-14 00:11 19456 ----a-w- c:\windows\system32\dimsntfy.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 1038336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-06-08 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-29 273528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
2005-11-22 00:22 135168 ----a-w- c:\windows\system32\RegCompact.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Readon Technology\\Readon TV Movie Radio Player 7.2.0.0\\internettv.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2010 12:18 AM 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/9/2010 12:17 AM 348752]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [4/10/2010 1:55 AM 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [4/10/2010 1:55 AM 59664]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys [10/9/2012 8:02 PM 17904]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2/3/2010 7:50 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2/3/2010 7:50 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2/3/2010 7:50 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/3/2010 7:50 PM 10368]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 4:26 PM 80384]
S3 Normandy;Normandy SR2; [x]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [4/10/2010 1:55 AM 33552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2009-12-06 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4242950646.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2012-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-10-21 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
- c:\documents and settings\willie_dinish\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-10-05 03:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-20 21:08
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\RegCompact.dll
.
- - - - - - - > 'explorer.exe'(2024)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-10-20 21:10:59
ComboFix-quarantined-files.txt 2012-10-21 02:10
ComboFix2.txt 2012-10-19 00:24
ComboFix3.txt 2011-05-26 01:50
ComboFix4.txt 2011-05-19 06:36
.
Pre-Run: 20,911,087,616 bytes free
Post-Run: 21,589,913,600 bytes free
.
- - End Of File - - 5DD89B7E308D573522D9C0EECA3F29E3

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.10.21.01
Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
willie_dinish :: WILLIEDINISH [administrator]
10/20/2012 9:34:18 PM
mbam-log-2012-10-20 (21-34-18).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235675
Time elapsed: 5 minute(s), 5 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

Both programs were run in safe mode. They were both non-responsive in normal mode. Thanks for your help.

What do we do next?


----------



## Cookiegal (Aug 27, 2003)

Please run OTL again but this time change the File Age to 90 days on the main screen before running the scan.


----------



## wdauser (Mar 30, 2011)

OTL logfile created on: 10/22/2012 7:06:25 PM - Run 8
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 719.81 Mb Available Physical Memory | 70.89% Memory free
2.39 Gb Paging File | 2.24 Gb Available in Paging File | 93.68% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 19.40 Gb Free Space | 34.77% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2012/10/13 00:14:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Stopped] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 13:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Normandy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/10/10 00:28:14 | 000,017,904 | ---- | M] (Emsi Software GmbH) [Kernel | System | Stopped] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys -- (A2DDA)
DRV - [2010/01/14 16:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 16:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 16:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 11:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 16:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 05:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 15:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 15:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 15:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 16:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 20:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Stopped] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 22:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011/05/14 21:42:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2011/06/05 02:03:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/10/28 22:23:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/10/18 19:07:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - (%SystemRoot%\System32\dimsntfy.dll) - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\RegCompact: DllName - (RegCompact.dll) - C:\WINDOWS\System32\RegCompact.dll (AMUST Software)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 09:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 90 Days ==========

[2012/10/22 18:43:14 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/10/20 21:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/10/20 21:21:44 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/10/20 21:21:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/10/20 21:20:13 | 009,544,512 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\willie_dinish\Desktop\mbam-setup.exe
[2012/10/20 21:11:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/10/18 20:03:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Mountpoints Diagnostic
[2012/10/16 19:23:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\GrantPerms
[2012/10/15 20:01:15 | 000,000,000 | ---D | C] -- C:\Avenger
[2012/10/15 19:50:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\avenger
[2012/10/13 00:14:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/11 19:40:41 | 004,766,830 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\ComboFix.exe
[2012/10/11 19:07:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/09 20:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit
[2012/10/02 21:08:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy
[2012/10/01 14:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/10/01 14:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/10/01 14:28:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\WinRAR
[2012/10/01 13:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2012/10/01 09:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/09/30 00:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Thinstall
[2012/09/29 18:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Application Data\Thinstall
[2012/09/27 00:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 21:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 19:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/15 18:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 18:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 21:00:39 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com
[2012/09/09 21:41:26 | 000,509,440 | ---- | C] (Tech Support Guy System) -- C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe
[2012/09/02 22:02:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/09/02 22:02:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/09/02 21:42:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
[2012/09/02 21:40:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2012/08/25 01:23:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\syncdb
[2012/08/21 19:39:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun

========== Files - Modified Within 90 Days ==========

[2012/10/22 18:46:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/22 18:45:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/22 18:38:01 | 000,000,444 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/21 22:37:04 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/10/21 20:37:05 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/10/20 21:24:34 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/20 21:20:13 | 009,544,512 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\willie_dinish\Desktop\mbam-setup.exe
[2012/10/18 19:51:04 | 000,001,223 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Mountpoints Diagnostic.zip
[2012/10/18 19:07:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/10/16 20:34:00 | 000,002,683 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Readon TV Movie Radio Player.lnk
[2012/10/16 19:17:54 | 000,450,985 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\GrantPerms.zip
[2012/10/15 19:39:50 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\avenger.zip
[2012/10/14 19:11:40 | 000,257,733 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\ark.pdf
[2012/10/14 12:52:15 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\ulq070b6.exe
[2012/10/14 12:35:55 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\willie_dinish\defogger_reenable
[2012/10/14 12:34:58 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Defogger.exe
[2012/10/13 00:14:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/11 19:40:41 | 004,766,830 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\ComboFix.exe
[2012/10/09 19:53:58 | 201,828,427 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/03 23:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:35 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:36 | 000,003,213 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:36:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 14:34:38 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/10/01 14:34:38 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/10/01 14:28:18 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 13:55:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:30 | 001,517,376 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/26 20:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 22:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 19:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 22:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/15 18:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 21:00:41 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com
[2012/09/09 21:41:28 | 000,509,440 | ---- | M] (Tech Support Guy System) -- C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe
[2012/08/25 13:53:49 | 000,248,696 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012/10/20 21:24:01 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/18 19:51:04 | 000,001,223 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Mountpoints Diagnostic.zip
[2012/10/16 19:17:52 | 000,450,985 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\GrantPerms.zip
[2012/10/15 19:39:47 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\avenger.zip
[2012/10/14 19:11:20 | 000,257,733 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\ark.pdf
[2012/10/14 12:52:11 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\ulq070b6.exe
[2012/10/14 12:35:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\defogger_reenable
[2012/10/14 12:34:57 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Defogger.exe
[2012/10/09 19:53:51 | 201,828,427 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/07 01:24:32 | 000,000,444 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
[2012/10/03 23:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 20:53:33 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 22:15:33 | 000,003,213 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\look.pdf
[2012/10/01 14:28:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 14:28:16 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 13:55:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 09:30:15 | 001,517,376 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/23 22:21:39 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 22:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 18:47:49 | 003,514,358 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/02 20:50:50 | 000,098,304 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\miniremoval_coolwebsearch_smartkiller.exe
[2012/04/22 21:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 19:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 23:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/19 00:47:19 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/19 00:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/19 00:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 00:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/19 00:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/04 18:35:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\No
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
[2010/03/31 22:01:56 | 000,017,480 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8kUL5H5g
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 18:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 20:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 14:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/20 00:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 05:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2004/08/04 05:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< netsrvcs >
< End of report >


----------



## Cookiegal (Aug 27, 2003)

Are you still not able to run MalwareBytes in normal mode? If not, what happens when you try?


----------



## wdauser (Mar 30, 2011)

Still no. When clicked, the message reads: Run-time error "48": file not found: mbam. Or when double-clicked I get the response of a blank stare or being behind a brick wall. 

This is the same response that I get from programs like OTL, ComboFix (when it doesn't altogether fail), etc.

What do we try next?


----------



## Cookiegal (Aug 27, 2003)

Do you have your Windows installation CD?


----------



## wdauser (Mar 30, 2011)

Unfortunately, no. The machine was gifted to me preloaded, and I was not provided an installation CD.


----------



## Cookiegal (Aug 27, 2003)

Try running chkdsk.

Click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take a while, so run it when you don't need to use the computer for something else.

To view results log:

Go to *Start* - *Run* and type in *eventvwr.msc*, and hit Enter.
When Event Viewer opens, click on "Application", then scroll down to "Winlogon" and double-click on it to open it up. This is the log created after running chkdsk. Click on the icon that looks like two pieces of paper to copy it and then paste it here please.


----------



## wdauser (Mar 30, 2011)

Log enclosed below.

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 10/25/2012
Time: 7:50:13 PM
User: N/A
Computer: WILLIEDINISH
Description:
Checking file system on C:
The type of the file system is NTFS.
A disk check has been scheduled.
Windows will now check the disk. 
Cleaning up minor inconsistencies on the drive.
Cleaning up 163 unused index entries from index $SII of file 0x9.
Cleaning up 163 unused index entries from index $SDH of file 0x9.
Cleaning up 163 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
58508729 KB total disk space.
38595600 KB in 71580 files.
25880 KB in 5979 indexes.
0 KB in bad sectors.
204781 KB in use by the system.
65536 KB occupied by the log file.
19682468 KB available on disk.
4096 bytes in each allocation unit.
14627182 total allocation units on disk.
4920617 allocation units available on disk.
Internal Info:
Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
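
The chkdsk procedure above ends with pasting the Winlogon event 1001 text into the thread. The following is an added example (not from the thread, SystemLook or Microsoft) that parses that event text and checks the summary for internal consistency: the space figures must partition the volume, the allocation-unit counts must agree with the KB figures, and the run must have completed with no bad sectors. The function names are my own and the sample is constructed from the figures posted above.

```python
import re

# Constructed sample: the Description field of the Winlogon event 1001 that
# chkdsk writes to the Application log, using the figures from the log posted
# above (the hex "Internal Info" block is omitted).
SAMPLE_EVENT = """\
Checking file system on C:
The type of the file system is NTFS.
A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 163 unused index entries from index $SII of file 0x9.
Cleaning up 163 unused index entries from index $SDH of file 0x9.
Cleaning up 163 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
58508729 KB total disk space.
38595600 KB in 71580 files.
25880 KB in 5979 indexes.
0 KB in bad sectors.
204781 KB in use by the system.
65536 KB occupied by the log file.
19682468 KB available on disk.
4096 bytes in each allocation unit.
14627182 total allocation units on disk.
4920617 allocation units available on disk.
Windows has finished checking your disk.
"""

# One regex per summary line; group 1 is the integer we keep.
FIELDS = {
    "total_kb": r"(\d+) KB total disk space",
    "files_kb": r"(\d+) KB in \d+ files",
    "file_count": r"\d+ KB in (\d+) files",
    "indexes_kb": r"(\d+) KB in \d+ indexes",
    "bad_kb": r"(\d+) KB in bad sectors",
    "system_kb": r"(\d+) KB in use by the system",
    "log_kb": r"(\d+) KB occupied by the log file",
    "available_kb": r"(\d+) KB available on disk",
    "unit_bytes": r"(\d+) bytes in each allocation unit",
    "total_units": r"(\d+) total allocation units on disk",
    "available_units": r"(\d+) allocation units available on disk",
}


def parse_chkdsk_event(text: str) -> dict:
    """Extract the numeric summary from a chkdsk event description."""
    summary = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"chkdsk summary line for {key!r} not found")
        summary[key] = int(m.group(1))
    # Count repair actions ("Cleaning up N ...") so the reader knows whether
    # the run only verified the volume or actually changed metadata.
    summary["cleanup_actions"] = len(re.findall(r"^Cleaning up \d+", text, re.M))
    summary["finished"] = "Windows has finished checking your disk." in text
    return summary


def check_chkdsk_summary(s: dict) -> dict:
    """Sanity checks a reviewer would apply before trusting the summary."""
    kb_per_unit = s["unit_bytes"] // 1024
    return {
        # The log file KB is a sub-item of "in use by the system", so it is
        # not added again; files + indexes + bad + system + free = total.
        "space_accounted": s["total_kb"]
        == s["files_kb"] + s["indexes_kb"] + s["bad_kb"]
        + s["system_kb"] + s["available_kb"],
        # Allocation-unit counts must be the KB figures divided by the unit
        # size (chkdsk truncates the partial unit at the end of the volume).
        "units_consistent": s["total_units"] == s["total_kb"] // kb_per_unit
        and s["available_units"] == s["available_kb"] // kb_per_unit,
        "no_bad_sectors": s["bad_kb"] == 0,
        "run_completed": s["finished"],
        "repairs_made": s["cleanup_actions"] > 0,
    }


if __name__ == "__main__":
    summary = parse_chkdsk_event(SAMPLE_EVENT)
    for name, ok in check_chkdsk_summary(summary).items():
        print(f"{name:18s} {ok}")
```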


----------



## Cookiegal (Aug 27, 2003)

Please run SystemLook again with this script:


```
:dir
C:\Documents and Settings\All Users\Application Data
C:\Documents and Settings\willie_dinish\Local Settings\Application Data

:filefind
services.exe
```


----------



## wdauser (Mar 30, 2011)

SystemLook 30.07.11 by jpshortstuff
Log created at 20:34 on 26/10/2012 by willie_dinish
Administrator - Elevation successful
========== dir ==========
C:\Documents and Settings\All Users\Application Data - Parameters: "(none)"
---Files---
8kUL5H5g ---hs-- 17480 bytes [03:01 01/04/2010] [04:43 06/04/2010]
desktop.ini --ahs-- 62 bytes [09:34 04/09/2008] [09:34 04/09/2008]
hpzinstall.log ------- 800 bytes [22:00 29/04/2009] [00:04 22/05/2009]
---Folders---
Adobe d------ [19:48 04/09/2008]
CanonBJ d--h--- [21:02 17/06/2009]
Common Files d--h--- [03:02 03/09/2012]
CyberLink d------ [02:58 13/09/2008]
Dell d------ [19:35 04/09/2008]
eFax Messenger 4.4 Output d------ [02:48 07/04/2010]
Hewlett-Packard d------ [22:03 29/04/2009]
iBpIcFc06510 d------ [07:30 09/02/2011]
InstallShield d------ [19:40 04/09/2008]
Intel d------ [19:09 04/09/2008]
Malwarebytes d------ [02:53 06/04/2010]
MFAData d------ [03:02 03/09/2012]
Microsoft d---s-- [09:33 04/09/2008]
Motive d------ [00:21 21/07/2011]
MSScanAppDataDir d------ [21:52 12/05/2009]
NCH Software d------ [07:45 07/02/2010]
NCH Swift Sound d------ [07:47 07/02/2010]
Office Genuine Advantage d------ [23:52 15/09/2012]
PC Tools d------ [06:55 10/04/2010]
Readon d------ [00:43 15/06/2010]
Real d------ [02:23 07/03/2010]
regid.1986-12.com.adobe d------ [04:08 23/08/2011]
SmartSound Software Inc d------ [04:00 23/08/2011]
Sonic d------ [19:39 04/09/2008]
Spybot - Search & Destroy d------ [14:50 29/03/2010]
Sun d------ [21:07 12/09/2010]
TVU Networks d------ [23:38 24/01/2010]
Windows Genuine Advantage d------ [03:30 30/05/2011]
C:\Documents and Settings\willie_dinish\Local Settings\Application Data - Parameters: "(none)"
---Files---
8kUL5H5g ---hs-- 17480 bytes [03:01 01/04/2010] [04:43 06/04/2010]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini --a---- 72704 bytes [01:11 13/09/2008] [20:02 06/02/2011]
GDIPFONTCACHEV1.DAT --a---- 65448 bytes [18:20 09/09/2008] [01:34 17/10/2012]
IconCache.db --ah--- 4304612 bytes [05:01 29/10/2011] [06:32 26/10/2012]
PUTTY.RND --a---- 600 bytes [00:31 21/07/2011] [00:31 21/07/2011]
---Folders---
Adobe d------ [20:03 06/11/2008]
AMUST d------ [21:20 18/05/2010]
Deployment d------ [05:21 16/02/2012]
FLVService d------ [23:51 03/02/2010]
Google d------ [04:38 28/08/2010]
Help d------ [21:30 09/06/2009]
Identities d------ [20:36 15/04/2009]
mdnslib d------ [23:51 03/02/2010]
Microsoft d------ [15:05 04/09/2008]
MicroVision Applications d------ [03:25 15/12/2011]
PowerDVD DX d------ [19:35 04/09/2008]
Programs d------ [05:22 16/02/2012]
Readon_Technology d------ [00:10 21/02/2010]
Real d------ [19:37 10/01/2011]
Roxio d------ [19:42 04/09/2008]
Thinstall d------ [23:48 29/09/2012]
TVU Networks d------ [03:05 06/02/2011]
WMTools Downloaded Files d------ [01:58 08/09/2008]
========== filefind ==========
Searching for "services.exe"
C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe --a---- 110592 bytes [02:59 02/06/2011] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe --a---- 110592 bytes [02:59 02/06/2011] [11:06 06/02/2009] 020CEAAEDC8EB655B6506B8C70D53BB6
C:\WINDOWS\$NtUninstallKB956572$\services.exe -----c- 108032 bytes [02:40 03/06/2011] [10:00 04/08/2004] C6CE6EEC82F187615D1002BB3BB50ED4
C:\WINDOWS\ERDNT\cache\services.exe --a---- 110592 bytes [03:32 05/05/2011] [10:22 06/02/2009] 4712531AB7A01B7EE059853CA17D39BD
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe --a---- 110592 bytes [02:59 02/06/2011] [17:14 06/02/2009] 37561F8D4160D62DA86D24AE41FAE8DE
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe --a---- 110592 bytes [02:59 02/06/2011] [10:22 06/02/2009] 4712531AB7A01B7EE059853CA17D39BD
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe --a---- 110592 bytes [02:59 02/06/2011] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe --a---- 110592 bytes [02:59 02/06/2011] [11:06 06/02/2009] 020CEAAEDC8EB655B6506B8C70D53BB6
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe --a---- 108544 bytes [00:16 24/11/2008] [00:12 14/04/2008] 0E776ED5F7CC9F94299E70461B7B8185
C:\WINDOWS\system32\services.exe --a---- 110592 bytes [04:15 30/05/2011] [10:22 06/02/2009] 4712531AB7A01B7EE059853CA17D39BD
C:\WINDOWS\system32\dllcache\services.exe --a--c- 110592 bytes [04:15 30/05/2011] [10:22 06/02/2009] 4712531AB7A01B7EE059853CA17D39BD
-= EOF =-
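
The filefind section above lists every copy of services.exe with its size and MD5; the point of the helper's request is to see whether the live copy in system32 matches the Windows File Protection copy in dllcache and which other copies share that hash. The following is an added example (not from the thread or from SystemLook) that parses a filefind section in that line format and reports the comparison; the function names are my own and the sample is constructed from the listing above.

```python
import re
from collections import defaultdict

# Constructed sample: the filefind section of a SystemLook report, in the same
# line format as the one posted above (paths, sizes and MD5s copied from it).
SAMPLE_FILEFIND = r"""
========== filefind ==========
Searching for "services.exe"
C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe --a---- 110592 bytes [02:59 02/06/2011] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe --a---- 110592 bytes [02:59 02/06/2011] [11:06 06/02/2009] 020CEAAEDC8EB655B6506B8C70D53BB6
C:\WINDOWS\$NtUninstallKB956572$\services.exe -----c- 108032 bytes [02:40 03/06/2011] [10:00 04/08/2004] C6CE6EEC82F187615D1002BB3BB50ED4
C:\WINDOWS\ERDNT\cache\services.exe --a---- 110592 bytes [03:32 05/05/2011] [10:22 06/02/2009] 4712531AB7A01B7EE059853CA17D39BD
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe --a---- 110592 bytes [02:59 02/06/2011] [17:14 06/02/2009] 37561F8D4160D62DA86D24AE41FAE8DE
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe --a---- 110592 bytes [02:59 02/06/2011] [10:22 06/02/2009] 4712531AB7A01B7EE059853CA17D39BD
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe --a---- 110592 bytes [02:59 02/06/2011] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe --a---- 110592 bytes [02:59 02/06/2011] [11:06 06/02/2009] 020CEAAEDC8EB655B6506B8C70D53BB6
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe --a---- 108544 bytes [00:16 24/11/2008] [00:12 14/04/2008] 0E776ED5F7CC9F94299E70461B7B8185
C:\WINDOWS\system32\services.exe --a---- 110592 bytes [04:15 30/05/2011] [10:22 06/02/2009] 4712531AB7A01B7EE059853CA17D39BD
C:\WINDOWS\system32\dllcache\services.exe --a--c- 110592 bytes [04:15 30/05/2011] [10:22 06/02/2009] 4712531AB7A01B7EE059853CA17D39BD
-= EOF =-
"""

# path, 7-char attribute flags, size, created, modified, MD5
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<attrs>[-a-z]{7}) "
    r"(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(report: str) -> list:
    """Return one dict per file line found after the filefind header."""
    entries = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("========== filefind"):
            in_section = True
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def compare_to_protected_copy(
    entries: list,
    live_path: str = r"C:\WINDOWS\system32\services.exe",
    cache_path: str = r"C:\WINDOWS\system32\dllcache\services.exe",
) -> dict:
    """Compare the live binary with its File Protection cache copy."""
    by_path = {e["path"].lower(): e for e in entries}
    live = by_path.get(live_path.lower())
    cache = by_path.get(cache_path.lower())
    if live is None or cache is None:
        # A missing cache copy is itself worth reporting back to the helper.
        return {"status": "missing", "live_found": live is not None,
                "cache_found": cache is not None}
    by_md5 = defaultdict(list)
    for e in entries:
        by_md5[e["md5"]].append(e["path"])
    same = live["md5"] == cache["md5"] and live["size"] == cache["size"]
    return {
        "status": "match" if same else "mismatch",
        "live_md5": live["md5"],
        "cache_md5": cache["md5"],
        "same_hash_as_live": sorted(by_md5[live["md5"]]),
        "distinct_hashes": len(by_md5),
    }


if __name__ == "__main__":
    result = compare_to_protected_copy(parse_filefind(SAMPLE_FILEFIND))
    for key, value in result.items():
        print(f"{key}: {value}")
```

A "mismatch" here means the live file differs from the protected copy and deserves a closer look; a "match" only shows the two agree, not that either is the version Microsoft shipped, so the hash still has to be checked against a known-good source.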


----------



## Cookiegal (Aug 27, 2003)

Please download *RogueKiller* by Tigzy and save it to your desktop.
Allow the download if prompted by your security software and please close all your other browser windows.
Double-click *RogueKiller.exe* to run it.
If it does not run, please try a few times. If it really does not work (it could happen), rename it to winlogon.exe or RogueKiller.com.
Wait for *PreScan* to finish, then accept the EULA.
Click on the *Scan* button in the upper right. Wait for it to finish.
Once completed, a log called *RKreport[1].txt* will be created on the desktop. It can also be accessed via the *Report* button.
Please copy and paste the contents of that log in your next reply.
When you exit RogueKiller, you may get a popup reporting "None of the Elements have been deleted. Do you want to quit?" Click *Yes*.


----------



## wdauser (Mar 30, 2011)

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : willie_dinish [Admin rights]
Mode : Scan -- Date : 10/28/2012 13:50:31
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x80619F0E -> HOOKED (TfSysMon.sys @ 0xF72E3A1C)
SSDT[63] : NtDeleteKey @ 0x8061A3AA -> HOOKED (TfSysMon.sys @ 0xF72E3C10)
SSDT[65] : NtDeleteValueKey @ 0x8061A57A -> HOOKED (TfSysMon.sys @ 0xF72E3CB6)
SSDT[119] : NtOpenKey @ 0x8061B2B0 -> HOOKED (TfSysMon.sys @ 0xF72E390C)
SSDT[247] : NtSetValueKey @ 0x806185BA -> HOOKED (TfSysMon.sys @ 0xF72E3E52)
SSDT[257] : NtTerminateProcess @ 0x805C8778 -> HOOKED (TfSysMon.sys @ 0xF72E5B30)
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD600VE-75HDT1 +++++
--- User ---
[MBR] 0f02d079f3aaf41417765b572fba8081
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 86 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 176715 | Size: 57137 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt


----------



## Cookiegal (Aug 27, 2003)

Please run HijackThis again and post the new log.


----------



## wdauser (Mar 30, 2011)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:33:14 PM, on 10/29/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - 
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 6941 bytes


----------



## Cookiegal (Aug 27, 2003)

You don't appear to have any anti-virus software on this machine unless I'm missing it. If so, what are you using?

Let's try this:

Please go to *Start* > *Run*, type *msconfig*, click OK and click on the *Startup* tab. Uncheck everything there so it doesn't start up. Then reboot and let me know if you can use programs in normal mode please.


----------



## wdauser (Mar 30, 2011)

You are correct. I do not have antivirus software. This was part of my goals along with finding out what was going nuts with the machine. Log will follow.


----------



## wdauser (Mar 30, 2011)

Sorry, no log. Programs still will not start.

ComboFix still gives an error and I must choose Abort. OTL does not respond.

Malwarebytes: Run Time Error '48': File not found: mbcore


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the *green arrow* at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found:

If so, click it, then click the next icon right below and select *Move incurable*, as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click *File* and choose *Save report list*.
Save the report to your desktop. The report will be called *DrWeb.csv*.
Close Dr.Web CureIt.
*Reboot* your computer, because it is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the Dr.Web log you saved previously in your next reply, along with a new HijackThis log.


----------



## wdauser (Mar 30, 2011)

Dr Web Log:

compat.dll;C:\Documents and Settings\willie_dinish\Application Data\Real\Update\setup3.14\ui_data\inst_config;Trojan.MulDrop3.45443;Deleted.; 
A1055864.dll;C:\System Volume Information\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\RP841;Trojan.MulDrop3.45443;Deleted.;

tsk0000.dta;C:\TDSSKiller_Quarantine\27.09.2012_00.21.27\mbr0000\mbr0000;Trojan.Tdlphaze.1;Incurable.Moved.;

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:14:27 PM, on 11/2/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - 
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 5935 bytes
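Dr.Web's report is a semicolon-separated list of name;directory;threat;action, and two of the three hits above sit in places that cannot execute anything: a System Restore snapshot and TDSSKiller's own quarantine folder. The script below is an added example, not Dr.Web's code and not a tool used in this thread, that parses lines in that format and classifies each hit by where it was found. The sample lines are copied from the report above; the list of quarantine folder names (the ones used by TDSSKiller, ComboFix's Qoobox and OTL's _OTL\MovedFiles) is the example's own assumption.

```python
"""Classify Dr.Web CureIt report lines by where each detection was found.

Added example; not Dr.Web's code and not a tool from this thread. The list of
quarantine folders is this example's own assumption (names used by TDSSKiller,
ComboFix and OTL).
"""
from dataclasses import dataclass
from typing import Dict, List

# Folders where other removal tools park files they have already disabled.
# A hit inside one of these is stale evidence, not a running infection.
OTHER_TOOL_QUARANTINE = (
    "\\tdsskiller_quarantine\\",
    "\\qoobox\\quarantine\\",
    "\\_otl\\movedfiles\\",
)
# System Restore snapshots: the copy is inert until a restore point is applied.
RESTORE_POINT_MARKER = "\\system volume information\\_restore"

# Constructed sample: the three lines of the Dr.Web report above.
SAMPLE_REPORT = """\
compat.dll;C:\\Documents and Settings\\willie_dinish\\Application Data\\Real\\Update\\setup3.14\\ui_data\\inst_config;Trojan.MulDrop3.45443;Deleted.;
A1055864.dll;C:\\System Volume Information\\_restore{95DD4A65-A9AD-4190-B034-DD4CB81D6A99}\\RP841;Trojan.MulDrop3.45443;Deleted.;

tsk0000.dta;C:\\TDSSKiller_Quarantine\\27.09.2012_00.21.27\\mbr0000\\mbr0000;Trojan.Tdlphaze.1;Incurable.Moved.;
"""


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def full_path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def location(self) -> str:
        """'other_tool_quarantine', 'restore_point' or 'live'."""
        p = self.directory.lower().rstrip("\\") + "\\"
        if any(marker in p for marker in OTHER_TOOL_QUARANTINE):
            return "other_tool_quarantine"
        if RESTORE_POINT_MARKER in p:
            return "restore_point"
        return "live"


def parse_drweb_report(text: str) -> List[Detection]:
    """Parse name;directory;threat;action lines; blank lines are skipped."""
    dets: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4:
            raise ValueError(f"malformed Dr.Web line: {raw!r}")
        dets.append(Detection(*fields[:4]))  # trailing empty field is dropped
    return dets


def live_detections(dets: List[Detection]) -> List[Detection]:
    """Hits on paths that could actually have been executed or loaded."""
    return [d for d in dets if d.location == "live"]


def summarize(text: str) -> Dict[str, int]:
    """Count detections per location class."""
    counts: Dict[str, int] = {"live": 0, "restore_point": 0, "other_tool_quarantine": 0}
    for d in parse_drweb_report(text):
        counts[d.location] += 1
    return counts


if __name__ == "__main__":
    for d in parse_drweb_report(SAMPLE_REPORT):
        print(f"{d.location:22} {d.action:18} {d.threat:24} {d.full_path}")
    print(summarize(SAMPLE_REPORT))
```

Only the first entry (a DLL under RealPlayer's update folder) was on a path a running process could have loaded; the other two are copies that earlier tools or System Restore had already taken out of circulation, which is why they add no weight to the question of whether the machine is still infected.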


----------



## Cookiegal (Aug 27, 2003)

Please run SystemLook again with the following script:


```
:filefind
*8kUL5H5g*
*KB57315*

:folderfind
*KB57315*

:dir
C:\Documents and Settings\All Users\Application Data\iBpIcFc06510
C:\Documents and Settings\All Users\Application Data\Common Files
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Programs
c:\documents and settings\willie_dinish\local settings\application data\microsoft\windows
C:\Documents and Settings\willie_dinish
C:\WINDOWS\System32\syncdb
C:\Documents and Settings\LocalService\Application Data\AdobeUM
```


----------



## wdauser (Mar 30, 2011)

SystemLook 30.07.11 by jpshortstuff
Log created at 22:33 on 03/11/2012 by willie_dinish
Administrator - Elevation successful
========== filefind ==========
Searching for "*8kUL5H5g*"
C:\Documents and Settings\All Users\Application Data\8kUL5H5g ---hs-- 17480 bytes [03:01 01/04/2010] [04:43 06/04/2010] 8C001C437B856A30E38246190E7FBFF0
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g ---hs-- 17480 bytes [03:01 01/04/2010] [04:43 06/04/2010] 8C001C437B856A30E38246190E7FBFF0
C:\Documents and Settings\willie_dinish\Templates\8kUL5H5g ---hs-- 17480 bytes [03:01 01/04/2010] [04:43 06/04/2010] 8C001C437B856A30E38246190E7FBFF0
Searching for "*KB57315*"
No files found.
========== folderfind ==========
Searching for "*KB57315*"
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB57315$ d------ [23:42 18/10/2012]
C:\_OTL\MovedFiles\10122012_183615\C_WINDOWS\$NtUninstallKB57315$ d--hs-- [23:36 12/10/2012]
C:\_OTL\MovedFiles\10132012_001849\C_WINDOWS\$NtUninstallKB57315$ d--hs-- [05:18 13/10/2012]
========== dir ==========
C:\Documents and Settings\All Users\Application Data\iBpIcFc06510 - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
C:\Documents and Settings\All Users\Application Data\Common Files - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Programs - Parameters: "(none)"
---Files---
None found.
---Folders---
Google d------ [05:22 16/02/2012]
c:\documents and settings\willie_dinish\local settings\application data\microsoft\windows - Parameters: "(none)"
---Files---
UsrClass.dat --a---- 524288 bytes [03:30 21/06/2010] [05:27 03/11/2012]
UsrClass.dat.LOG --ah--- 237568 bytes [15:05 04/09/2008] [03:30 04/11/2012]
---Folders---
None found.
C:\Documents and Settings\willie_dinish - Parameters: "(none)"
---Files---
defogger_reenable --a---- 0 bytes [17:35 14/10/2012] [17:35 14/10/2012]
hpothb07.dat ---h--- 0 bytes [23:34 21/05/2009] [23:34 21/05/2009]
hpothb07.tif ---h--- 0 bytes [23:34 21/05/2009] [23:34 21/05/2009]
No --a---- 0 bytes [23:35 04/01/2011] [23:35 04/01/2011]
ntuser.dat --a---- 7864320 bytes [03:30 21/06/2010] [05:27 03/11/2012]
ntuser.dat.LOG --ah--- 565248 bytes [15:05 04/09/2008] [03:33 04/11/2012]
ntuser.ini ---hs-- 178 bytes [15:05 04/09/2008] [05:27 03/11/2012]
---Folders---
Application Data dr-h--- [15:05 04/09/2008]
Cookies d--hs-- [15:05 04/09/2008]
Desktop d------ [15:05 04/09/2008]
DoctorWeb d------ [00:55 01/11/2012]
Favorites dr----- [15:05 04/09/2008]
IECompatCache d--hs-- [20:57 21/07/2011]
IETldCache d--hs-- [05:45 14/07/2011]
Local Settings d--h--- [15:05 04/09/2008]
LocalLow d------ [23:38 24/01/2010]
My Documents dr----- [15:05 04/09/2008]
NetHood d--h--- [15:05 04/09/2008]
PrintHood d--h--- [15:05 04/09/2008]
PrivacIE d--hs-- [01:03 15/07/2011]
Recent dr-h--- [05:13 30/09/2012]
SendTo dr-h--- [15:05 04/09/2008]
Start Menu dr----- [15:05 04/09/2008]
Templates d--h--- [15:05 04/09/2008]
UserData d--hs-- [20:19 15/04/2009]
C:\WINDOWS\System32\syncdb - Parameters: "(none)"
---Files---
.pref --a---- 595 bytes [06:23 25/08/2012] [06:23 25/08/2012]
---Folders---
None found.
C:\Documents and Settings\LocalService\Application Data\AdobeUM - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
-= EOF =-
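The three filefind hits above share one MD5 and carry the hidden+system attribute bits, which is what makes them stand out against the ordinary profile files in the dir listing. The script below is an added example (not a tool from this thread and not SystemLook's own code) that parses SystemLook filefind and dir lines in that format and applies exactly those two checks: hidden+system files outside the names Windows itself marks that way, and identical-hash copies in more than one location. The sample log is copied from the output above; the allowlist of hidden+system names is the example's own assumption.

```python
"""Triage SystemLook output: parse file hits, flag hidden+system files outside
the names Windows normally marks that way, and group identical-hash copies.

Added example; not part of the thread or of SystemLook. EXPECTED_HS_NAMES is an
assumption made for this example.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One SystemLook file line:
#   <path> <7 attribute flags> <size> bytes [<created>] [<modified>] [<MD5>]
# 'filefind' lines carry a full path and an MD5; 'dir' lines carry a bare file
# name and no hash, so the hash group is optional.
FILE_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z?]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]"
    r"(?:\s+(?P<md5>[0-9A-Fa-f]{32}))?\s*$"
)

# Files Windows itself keeps hidden+system inside a user profile (assumption
# for this example; extend it for your environment).
EXPECTED_HS_NAMES = {"ntuser.ini", "ntuser.dat", "usrclass.dat", "desktop.ini", "thumbs.db"}

# Constructed sample: the three filefind hits and two 'dir' lines copied from
# the SystemLook log above.
SAMPLE_LOG = """\
========== filefind ==========
Searching for "*8kUL5H5g*"
C:\\Documents and Settings\\All Users\\Application Data\\8kUL5H5g ---hs-- 17480 bytes [03:01 01/04/2010] [04:43 06/04/2010] 8C001C437B856A30E38246190E7FBFF0
C:\\Documents and Settings\\willie_dinish\\Local Settings\\Application Data\\8kUL5H5g ---hs-- 17480 bytes [03:01 01/04/2010] [04:43 06/04/2010] 8C001C437B856A30E38246190E7FBFF0
C:\\Documents and Settings\\willie_dinish\\Templates\\8kUL5H5g ---hs-- 17480 bytes [03:01 01/04/2010] [04:43 06/04/2010] 8C001C437B856A30E38246190E7FBFF0
========== dir ==========
C:\\Documents and Settings\\willie_dinish - Parameters: "(none)"
---Files---
ntuser.dat --a---- 7864320 bytes [03:30 21/06/2010] [05:27 03/11/2012]
ntuser.ini ---hs-- 178 bytes [15:05 04/09/2008] [05:27 03/11/2012]
"""


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: Optional[str]  # None on 'dir' lines, which SystemLook does not hash

    @property
    def hidden_system(self) -> bool:
        # SystemLook prints 'h' for the hidden attribute and 's' for system.
        return "h" in self.attrs and "s" in self.attrs

    @property
    def name(self) -> str:
        return ntpath.basename(self.path)  # works for Windows paths on any host


def parse_systemlook(text: str) -> List[FileHit]:
    """Return every file line in a SystemLook report as a FileHit."""
    hits: List[FileHit] = []
    for raw in text.splitlines():
        m = FILE_LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, 'Searching for', 'None found.' etc.
        md5 = m["md5"].upper() if m["md5"] else None
        hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                            m["created"], m["modified"], md5))
    return hits


def suspicious_hidden_system(hits: List[FileHit]) -> List[FileHit]:
    """Hidden+system files whose name is not one Windows marks that way itself."""
    return [h for h in hits
            if h.hidden_system and h.name.lower() not in EXPECTED_HS_NAMES]


def duplicate_hashes(hits: List[FileHit]) -> Dict[str, List[str]]:
    """MD5 -> paths, for hashes seen at more than one location.

    Byte-identical copies dropped into several profile folders are a common
    malware redundancy trick; deleting one copy leaves the others behind."""
    by_md5: Dict[str, List[str]] = defaultdict(list)
    for h in hits:
        if h.md5:
            by_md5[h.md5].append(h.path)
    return {k: v for k, v in by_md5.items() if len(v) > 1}


def triage(text: str) -> Dict[str, object]:
    hits = parse_systemlook(text)
    return {
        "parsed": len(hits),
        "hidden_system_suspects": [h.path for h in suspicious_hidden_system(hits)],
        "duplicate_hashes": duplicate_hashes(hits),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the log above, it reports ntuser.ini as hidden+system but expected, and the three 8kUL5H5g copies both as out-of-place hidden+system files and as one duplicate-hash group, which is why the later instruction lists all three paths for deletion rather than just the one under Local Settings.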


----------



## Cookiegal (Aug 27, 2003)

Go to the forum *here* and upload this (these) file(s):

*C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g
C:\Documents and Settings\willie_dinish\No *

Here are the directions for uploading the file:

Just register to create an account, then click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window, click "Post" to upload the file.

Please be sure to include a link to this thread as well.


----------



## wdauser (Mar 30, 2011)

Cookiegal,

The response thus far is that this file, *C:\Documents and Settings\willie_dinish\No*, is empty.

I cannot find the other file, *C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g*, at all. Would I find it in safe mode? I was unable to present this file for review on the other forum and I'm not sure what to do next.

How should we proceed?


----------



## Cookiegal (Aug 27, 2003)

It's hidden so you'll have to unhide files/folders:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Now click "Apply to all folders". Click "Apply" then "OK".


----------



## wdauser (Mar 30, 2011)

Cookiegal,

I forgot to mention that I searched for the file by unhiding files/folders. I'm still challenged though, as the file does not seem to exist. I'm not sure how to handle presenting the file to the other forum when the file is not present. I'm not sure how to proceed.

Also, I forgot to share the link to our topic on the spykiller forum with you. Please find that link here: http://thespykiller.co.uk/index.php?topic=10005.0

I apologize for being so confused and I thank you for your help.


----------



## Cookiegal (Aug 27, 2003)

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Then you should be able to see the file.


----------



## wdauser (Mar 30, 2011)

I was able to locate the file and have posted the update to the spykiller forum. 

Thanks for your help!


----------



## dvk01 (Dec 14, 2002)

C:\Documents and Settings\willie_dinish\Local Settings\Application Data\8kUL5H5g is a damaged fake AV file. It should be removed, but isn't capable of running.


----------



## Cookiegal (Aug 27, 2003)

Thanks Derek.


----------



## Cookiegal (Aug 27, 2003)

Please delete all of these files manually:

C:\Documents and Settings\All Users\Application Data\*8kUL5H5g *
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\*8kUL5H5g*
C:\Documents and Settings\willie_dinish\Templates\*8kUL5H5g*
C:\Documents and Settings\willie_dinish\*No*

How are things with the system now?


----------



## wdauser (Mar 30, 2011)

Cookiegal said:


> Please delete all of these files manually:
> 
> C:\Documents and Settings\All Users\Application Data\*8kUL5H5g *
> C:\Documents and Settings\willie_dinish\Local Settings\Application Data\*8kUL5H5g*
> ...


Things seem to be working rather well. It's curious that I'm still getting the same response from those same programs after our efforts. Hoping that we can resolve that, since with WinRAR non-response is a bit annoying. I know that this may take some time. But I am eager to get some antivirus on the system.

Thanks a ton for your help with this effort.

What's next?


----------



## Cookiegal (Aug 27, 2003)

You should install an anti-virus program.


----------



## Cookiegal (Aug 27, 2003)

Let's run ComboFix again. Please remove the one you currently have on the desktop by dragging it to the Recycle Bin. Then grab the latest version, disable security programs and post the new log. It might be best to do this before installing an anti-virus program, but go ahead and install one right after please.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.


----------



## wdauser (Mar 30, 2011)

Working on combofix. What would be your recommendation for antivirus software?


----------



## Cookiegal (Aug 27, 2003)

Microsoft Security Essentials is highly recommended if you want a free one. Otherwise, I'd go with Eset Smart Security or Kaspersky Internet Security.


----------



## wdauser (Mar 30, 2011)

Went with the MS product. Will this interfere with any of the other programs that we've put on the machine? I'm still working with the programs that we have installed thus far. Do I need to remove/uninstall anything?


----------



## Cookiegal (Aug 27, 2003)

No. You will have to disable it to run ComboFix though.


----------



## wdauser (Mar 30, 2011)

Thanks. And I ran combofix with no problem in safe mode. It will not respond in normal mode. Log is below.

ComboFix 12-11-20.02 - willie_dinish 11/20/2012 20:42:21.6.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.790 [GMT -6:00]
Running from: c:\documents and settings\willie_dinish\Desktop\puppy.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-21 to 2012-11-21 )))))))))))))))))))))))))))))))
.
.
2012-11-03 01:14 . 2012-11-03 01:14 388096 ----a-r- c:\documents and settings\willie_dinish\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-11-01 00:55 . 2012-11-02 03:14 -------- d-----w- c:\documents and settings\willie_dinish\DoctorWeb
2012-10-30 00:38 . 2012-10-30 00:38 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-30 00:32 . 2012-10-30 00:32 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 00:38 . 2011-06-09 00:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-30 00:54 . 2012-10-21 02:21 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 1038336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-06-08 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-29 273528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
2005-11-22 00:22 135168 ----a-w- c:\windows\system32\RegCompact.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-06-08 06:30 421888 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2004-05-12 06:03 1038336 ----a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 18:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire]
2010-01-14 21:08 378128 ----a-w- c:\program files\ThreatFire\TFTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-10-29 03:21 273528 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Readon Technology\\Readon TV Movie Radio Player 7.2.0.0\\internettv.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/8/2010 11:18 PM 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/8/2010 11:17 PM 348752]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [4/10/2010 12:55 AM 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [4/10/2010 12:55 AM 59664]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys [10/9/2012 7:02 PM 17904]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2/3/2010 6:50 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2/3/2010 6:50 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2/3/2010 6:50 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/3/2010 6:50 PM 10368]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 3:26 PM 80384]
S3 Normandy;Normandy SR2; [x]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [4/10/2010 12:55 AM 33552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2009-12-06 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4242950646.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2012-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-11-21 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
- c:\documents and settings\willie_dinish\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-10-05 03:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-20 20:57
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\RegCompact.dll
.
- - - - - - - > 'explorer.exe'(628)
c:\windows\system32\WININET.dll
.
Completion time: 2012-11-20 21:00:04
ComboFix-quarantined-files.txt 2012-11-21 02:59
ComboFix2.txt 2012-10-21 02:11
ComboFix3.txt 2012-10-19 00:24
ComboFix4.txt 2011-05-26 01:50
ComboFix5.txt 2012-11-21 02:39
.
Pre-Run: 17,992,421,376 bytes free
Post-Run: 19,909,091,328 bytes free
.
- - End Of File - - 82D354872C0EA6326AFF390E56237502


----------



## Cookiegal (Aug 27, 2003)

I recommend uninstalling the AMUST registry cleaner.

Open Notepad and copy and paste the text in the code box below into it:


```
Driver:
Normandy
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


----------



## wdauser (Mar 30, 2011)

ComboFix 12-11-20.02 - willie_dinish 11/21/2012 22:34:03.7.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.782 [GMT -6:00]
Running from: c:\documents and settings\willie_dinish\Desktop\puppy.exe
Command switches used :: c:\documents and settings\willie_dinish\Desktop\cfscript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-10-22 to 2012-11-22 )))))))))))))))))))))))))))))))
.
.
2012-11-03 01:14 . 2012-11-03 01:14 388096 ----a-r- c:\documents and settings\willie_dinish\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-11-01 00:55 . 2012-11-02 03:14 -------- d-----w- c:\documents and settings\willie_dinish\DoctorWeb
2012-10-30 00:38 . 2012-10-30 00:38 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-30 00:32 . 2012-10-30 00:32 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 00:38 . 2011-06-09 00:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-30 00:54 . 2012-10-21 02:21 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 1038336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-06-08 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-29 273528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
2005-11-22 00:22 135168 ----a-w- c:\windows\system32\RegCompact.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-06-08 06:30 421888 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2004-05-12 06:03 1038336 ----a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 18:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire]
2010-01-14 21:08 378128 ----a-w- c:\program files\ThreatFire\TFTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-10-29 03:21 273528 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Readon Technology\\Readon TV Movie Radio Player 7.2.0.0\\internettv.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/8/2010 11:18 PM 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/8/2010 11:17 PM 348752]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [4/10/2010 12:55 AM 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [4/10/2010 12:55 AM 59664]
S1 A2DDA;A2 Direct Disk Access Support Driver;\??\c:\documents and settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys --> c:\documents and settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys [?]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2/3/2010 6:50 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2/3/2010 6:50 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2/3/2010 6:50 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/3/2010 6:50 PM 10368]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 3:26 PM 80384]
S3 Normandy;Normandy SR2; [x]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [4/10/2010 12:55 AM 33552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2009-12-06 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4242950646.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2012-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-11-22 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_willie_dinish.job
- c:\documents and settings\willie_dinish\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-10-05 03:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HijackThis - c:\documents and settings\willie_dinish\Desktop\hijackthis\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-21 22:45
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\RegCompact.dll
.
- - - - - - - > 'explorer.exe'(1784)
c:\windows\system32\WININET.dll
.
Completion time: 2012-11-21 22:47:51
ComboFix-quarantined-files.txt 2012-11-22 04:47
ComboFix2.txt 2012-11-21 03:00
ComboFix3.txt 2012-10-21 02:11
ComboFix4.txt 2012-10-19 00:24
ComboFix5.txt 2012-11-22 04:32
.
Pre-Run: 19,538,718,720 bytes free
Post-Run: 19,733,389,312 bytes free
.
- - End Of File - - 60012306916A439F61E307B2CE773EB0


----------



## Cookiegal (Aug 27, 2003)

Sorry, my mistake. Please run ComboFix again as above but with this corrected script:


```
Driver::
Normandy
```
Did you uninstall the AMUST registry cleaner?


----------



## wdauser (Mar 30, 2011)

I have uninstalled the AMUST Registry Cleaner. New log is enclosed below.

ComboFix 12-11-20.02 - willie_dinish 11/26/2012 18:42:19.8.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.782 [GMT -6:00]
Running from: c:\documents and settings\willie_dinish\Desktop\puppy.exe
Command switches used :: c:\documents and settings\willie_dinish\Desktop\cfscript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\willie_dinish\Local Settings\Application Data\Help\Google\lgxkhivmf.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NORMANDY
-------\Service_Normandy
.
.
((((((((((((((((((((((((( Files Created from 2012-10-27 to 2012-11-27 )))))))))))))))))))))))))))))))
.
.
2012-11-24 00:27 . 2012-11-24 00:27 -------- d-----w- c:\program files\Common Files\xing shared
2012-11-03 01:14 . 2012-11-03 01:14 388096 ----a-r- c:\documents and settings\willie_dinish\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-11-01 00:55 . 2012-11-02 03:14 -------- d-----w- c:\documents and settings\willie_dinish\DoctorWeb
2012-10-30 00:38 . 2012-10-30 00:38 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-30 00:32 . 2012-10-30 00:32 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-24 00:26 . 2008-09-04 19:34 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-11-24 00:26 . 2008-09-04 19:34 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-10-30 00:38 . 2011-06-09 00:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-30 00:54 . 2012-10-21 02:21 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 1038336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-06-08 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-11-24 296096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-06-08 06:30 421888 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2004-05-12 06:03 1038336 ----a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 18:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire]
2010-01-14 21:08 378128 ----a-w- c:\program files\ThreatFire\TFTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-11-24 00:26 296096 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Readon Technology\\Readon TV Movie Radio Player 7.2.0.0\\internettv.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/8/2010 11:18 PM 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [4/10/2010 12:55 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [4/10/2010 12:55 AM 59664]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 3:26 PM 80384]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [4/10/2010 12:55 AM 33552]
S1 A2DDA;A2 Direct Disk Access Support Driver;\??\c:\documents and settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys --> c:\documents and settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2/3/2010 6:50 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2/3/2010 6:50 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2/3/2010 6:50 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/3/2010 6:50 PM 10368]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2009-12-06 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4242950646.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2012-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
- c:\documents and settings\willie_dinish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-16 05:21]
.
2012-11-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 20:27]
.
2012-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-Google - c:\documents and settings\willie_dinish\Local Settings\Application Data\Help\Google\lgxkhivmf.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-26 18:57
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1008)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
.
- - - - - - - > 'lsass.exe'(1064)
c:\program files\ThreatFire\TFWAH.dll
.
- - - - - - - > 'explorer.exe'(1032)
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TfWah.dll
c:\windows\system32\ieframe.dll
c:\program files\ThreatFire\TFNI.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\SCardSvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Spyware Doctor\pctsAuxs.exe
c:\program files\ThreatFire\TFService.exe
.
**************************************************************************
.
Completion time: 2012-11-26 19:10:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-27 01:10
ComboFix2.txt 2012-11-22 04:47
ComboFix3.txt 2012-11-21 03:00
ComboFix4.txt 2012-10-21 02:11
ComboFix5.txt 2012-11-27 00:33
.
Pre-Run: 19,113,250,816 bytes free
Post-Run: 19,503,755,264 bytes free
.
- - End Of File - - 1B74DC7CA938FCAC08F46901E6619D45


----------



## Cookiegal (Aug 27, 2003)

I assume you're still having the same problem?

Please run OTL again and post the new logs.


----------



## wdauser (Mar 30, 2011)

Yes, I still have the same response from OTL, ComboFix, WinRar, and MalwareBytes.

OTL log is below.

OTL logfile created on: 11/28/2012 6:15:10 PM - Run 9
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 789.73 Mb Available Physical Memory | 77.78% Memory free
2.39 Gb Paging File | 2.30 Gb Available in Paging File | 96.19% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 17.33 Gb Free Space | 31.06% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 1.86 Gb Total Space | 0.02 Gb Free Space | 0.97% Space Free | Partition Type: FAT

Computer Name: WILLIEDINISH | User Name: willie_dinish | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2012/10/12 23:14:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
PRC - [2009/01/07 11:40:56 | 000,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/07 15:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - [2010/01/14 15:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Stopped] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/01/21 12:08:06 | 001,095,560 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 11:40:56 | 000,348,752 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2004/09/07 15:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\puppy\catchme.sys -- (catchme)
DRV - File not found [Kernel | System | Stopped] -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys -- (A2DDA)
DRV - [2010/01/14 15:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/01/14 15:08:28 | 000,051,984 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/01/14 15:08:28 | 000,033,552 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2009/04/03 10:18:26 | 000,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2006/08/18 12:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 12:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 12:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 12:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 12:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 12:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 12:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 12:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 09:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 09:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/03/10 15:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/10/21 14:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2004/08/31 07:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/23 13:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/12 07:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 04:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/06/17 14:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 14:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 14:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/03 15:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2001/08/22 07:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 13:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 13:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/04/13 19:16:38 | 000,187,992 | ---- | M] (Roland) [Kernel | Auto | Stopped] -- C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -- (RVIEG01)
DRV - [2000/02/22 21:38:22 | 000,206,272 | ---- | M] (Adaptec) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\udfreadr.sys -- (UdfReadr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..\SearchScopes\{25248024-2802-4245-BC73-0D8C8C2CAFDE}: "URL" = http://www.google.com/search?q={sea...startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/11/23 18:27:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/11/23 18:27:21 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/11/26 18:55:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-1801674531-1532298954-2146899641-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1734B3D3-F475-4AE0-A718-EFF5F30521D5}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/04 08:46:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 90 Days ==========

[2012/11/26 18:53:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/11/26 18:40:29 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/11/23 18:27:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2012/11/23 18:27:03 | 000,198,864 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2012/11/23 18:26:29 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2012/11/23 18:26:29 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2012/11/23 18:26:27 | 000,272,896 | ---- | C] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2012/11/23 18:26:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RealNetworks
[2012/11/20 20:37:16 | 005,004,421 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\puppy.exe
[2012/11/17 19:11:37 | 011,088,872 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\mseinstall.exe
[2012/10/31 18:55:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\DoctorWeb
[2012/10/30 22:01:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2012/10/29 18:38:56 | 000,696,760 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/10/29 18:32:43 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/10/29 18:32:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\HiJackThis
[2012/10/28 12:49:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\My Documents\RK_Quarantine
[2012/10/20 20:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/10/20 20:21:44 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/10/20 20:21:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/10/20 20:20:13 | 009,544,512 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\willie_dinish\Desktop\mbam-setup.exe
[2012/10/18 19:03:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\My Documents\Mountpoints Diagnostic
[2012/10/16 18:23:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\My Documents\GrantPerms
[2012/10/15 19:01:15 | 000,000,000 | ---D | C] -- C:\Avenger
[2012/10/12 23:14:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/11 18:07:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/10/09 19:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\My Documents\EmsisoftEmergencyKit
[2012/10/01 13:35:57 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/10/01 13:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/10/01 13:28:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/10/01 12:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Start Menu\Programs\WinRAR
[2012/10/01 12:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2012/10/01 08:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/09/29 23:13:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\willie_dinish\Recent
[2012/09/29 17:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Thinstall
[2012/09/29 17:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\willie_dinish\Application Data\Thinstall
[2012/09/26 23:23:40 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/26 20:09:20 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/20 18:58:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2012/09/15 17:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/09/15 17:45:31 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 20:00:39 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com
[2012/09/09 20:41:26 | 000,509,440 | ---- | C] (Tech Support Guy System) -- C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe
[2012/09/02 21:02:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/09/02 21:02:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/09/02 20:42:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
[2012/09/02 20:40:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

========== Files - Modified Within 90 Days ==========

[2012/11/28 18:12:08 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/28 18:08:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/28 00:37:47 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job
[2012/11/27 23:11:10 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/11/27 23:11:01 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/11/27 20:37:20 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job
[2012/11/26 18:55:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/11/23 18:28:13 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2012/11/23 18:27:03 | 000,198,864 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2012/11/23 18:26:29 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2012/11/23 18:26:29 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2012/11/23 18:26:27 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2012/11/20 20:37:16 | 005,004,421 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\puppy.exe
[2012/11/17 19:11:37 | 011,088,872 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\mseinstall.exe
[2012/11/16 00:17:41 | 000,018,686 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\Phone November 2012 Payment.pdf
[2012/11/04 23:59:56 | 000,074,593 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\AL Power Nov 2012 Payment 1.pdf
[2012/11/04 15:07:54 | 000,016,723 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\thespykiller.co.uk user agreement.pdf
[2012/11/04 08:21:49 | 000,514,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/04 08:21:49 | 000,086,852 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/02 19:14:05 | 000,002,463 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\HiJackThis.lnk
[2012/11/01 23:14:12 | 000,000,381 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\DrWeb.csv
[2012/10/31 18:47:36 | 097,832,232 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\drweb-cureit.exe
[2012/10/31 18:20:47 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/10/29 18:38:56 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/10/29 18:38:56 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/10/29 18:31:35 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\HiJackThis.msi
[2012/10/28 12:47:48 | 001,580,544 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\RogueKiller.exe
[2012/10/23 18:24:36 | 000,000,075 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Application Data\mbam.context.scan
[2012/10/20 20:24:34 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/20 20:20:13 | 009,544,512 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\willie_dinish\Desktop\mbam-setup.exe
[2012/10/18 18:51:04 | 000,001,223 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Mountpoints Diagnostic.zip
[2012/10/16 19:34:00 | 000,002,683 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Readon TV Movie Radio Player.lnk
[2012/10/16 18:17:54 | 000,450,985 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\GrantPerms.zip
[2012/10/15 18:39:50 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\avenger.zip
[2012/10/14 18:11:40 | 000,257,733 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\ark.pdf
[2012/10/14 11:52:15 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\ulq070b6.exe
[2012/10/14 11:35:55 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\willie_dinish\defogger_reenable
[2012/10/14 11:34:58 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Defogger.exe
[2012/10/12 23:14:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\willie_dinish\Desktop\OTL.exe
[2012/10/09 18:53:58 | 201,828,427 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/03 22:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 19:53:35 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 21:15:36 | 000,003,213 | ---- | M] () -- C:\Documents and Settings\willie_dinish\My Documents\look.pdf
[2012/10/01 13:36:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 13:34:38 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/10/01 13:34:38 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/10/01 13:28:18 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 12:55:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 08:30:30 | 001,517,376 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/29 18:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/26 19:56:50 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\willie_dinish\Desktop\tdsskiller.exe
[2012/09/23 21:21:40 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/19 18:22:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 21:38:36 | 000,640,144 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 17:47:49 | 003,514,358 | ---- | M] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/15 17:45:41 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\willie_dinish\Desktop\MGADiag.exe
[2012/09/10 20:00:41 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\willie_dinish\Desktop\dds.com
[2012/09/09 20:41:28 | 000,509,440 | ---- | M] (Tech Support Guy System) -- C:\Documents and Settings\willie_dinish\Desktop\SysInfo.exe

========== Files Created - No Company Name ==========

[2012/11/23 18:37:04 | 000,000,294 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/11/23 18:37:02 | 000,000,302 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job
[2012/11/23 18:28:13 | 000,000,747 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2012/11/16 00:17:35 | 000,018,686 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\Phone November 2012 Payment.pdf
[2012/11/04 23:59:54 | 000,074,593 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\AL Power Nov 2012 Payment 1.pdf
[2012/11/04 15:07:49 | 000,016,723 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\thespykiller.co.uk user agreement.pdf
[2012/11/01 23:14:12 | 000,000,381 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\DrWeb.csv
[2012/10/31 18:47:29 | 097,832,232 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\drweb-cureit.exe
[2012/10/29 18:32:43 | 000,002,463 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\HiJackThis.lnk
[2012/10/29 18:31:30 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\HiJackThis.msi
[2012/10/28 12:47:48 | 001,580,544 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\RogueKiller.exe
[2012/10/23 18:24:36 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\mbam.context.scan
[2012/10/20 20:24:01 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/18 18:51:04 | 000,001,223 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Mountpoints Diagnostic.zip
[2012/10/16 18:17:52 | 000,450,985 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\GrantPerms.zip
[2012/10/15 18:39:47 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\avenger.zip
[2012/10/14 18:11:20 | 000,257,733 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\ark.pdf
[2012/10/14 11:52:11 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\ulq070b6.exe
[2012/10/14 11:35:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\willie_dinish\defogger_reenable
[2012/10/14 11:34:57 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Defogger.exe
[2012/10/09 18:53:51 | 201,828,427 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\EmsisoftEmergencyKit.zip
[2012/10/03 22:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\MBR.dat
[2012/10/02 19:53:33 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\Fixdimsntfy.zip
[2012/10/01 21:15:33 | 000,003,213 | ---- | C] () -- C:\Documents and Settings\willie_dinish\My Documents\look.pdf
[2012/10/01 13:28:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/10/01 13:28:16 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/10/01 12:55:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WinRAR.lnk
[2012/10/01 08:30:15 | 001,517,376 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\wrar420.exe
[2012/09/23 21:21:39 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\SystemLook.exe
[2012/09/16 21:38:31 | 000,640,144 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\www.bleepingcomputer.com_combofix_how-to-use-combofix.pdf
[2012/09/15 17:47:49 | 003,514,358 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\WVCheck.exe
[2012/09/02 19:50:50 | 000,098,304 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Desktop\miniremoval_coolwebsearch_smartkiller.exe
[2012/04/22 20:27:05 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Application Data\.backup.dm
[2011/07/20 18:31:39 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND
[2011/05/29 22:16:04 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/05/18 23:47:19 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/18 23:47:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/18 23:47:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/18 23:47:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/18 23:47:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/05/21 17:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.tif
[2009/05/21 17:34:05 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\willie_dinish\hpothb07.dat
[2008/09/12 19:11:07 | 000,072,704 | ---- | C] () -- C:\Documents and Settings\willie_dinish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/02/09 13:59:50 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/08/19 23:38:42 | 001,494,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 04:01:53 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2004/08/04 04:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< netsrvcs >
< End of report >


----------



## Cookiegal (Aug 27, 2003)

Download and run the following tool to help allow other programs to run. _(Courtesy of BleepingComputer.com)_
There are 4 different versions. If one of them won't run then download and try to run the other one. Do not reboot after running this program.

Vista and Win7 users need to right click and choose *Run as Admin* 
*You only need to get one of them to run, not all of them.*

rkill.exe
rkill.com
rkill.scr
rkill.pif

After doing the above let me know if you can run ComboFix in normal mode.


----------



## Cookiegal (Aug 27, 2003)

In addition to the above, please do the following:

You should still have SystemLook so please run it with the following script:

```
:dir
C:\Documents and Settings\LocalService
C:\Documents and Settings\NetworkService
```


----------



## wdauser (Mar 30, 2011)

Systemlook log.

SystemLook 30.07.11 by jpshortstuff
Log created at 20:22 on 30/11/2012 by willie_dinish
Administrator - Elevation successful
========== dir ==========
C:\Documents and Settings\LocalService - Parameters: "(none)"
---Files---
NTUSER.DAT --a---- 237568 bytes [14:52 04/09/2008] [06:40 30/11/2012]
ntuser.dat.LOG --ah--- 45056 bytes [14:52 04/09/2008] [00:39 01/12/2012]
ntuser.ini ---hs-- 178 bytes [14:52 04/09/2008] [13:40 25/08/2012]
---Folders---
Application Data d------ [14:52 04/09/2008]
Cookies d--hs-- [05:05 22/11/2012]
Desktop d------ [03:14 03/09/2012]
Favorites dr----- [10:01 25/08/2012]
IETldCache d--hs-- [05:45 14/07/2011]
Local Settings d--h--- [14:52 04/09/2008]
Start Menu d------ [04:33 11/04/2010]
C:\Documents and Settings\NetworkService - Parameters: "(none)"
---Files---
NTUSER.DAT --a---- 237568 bytes [14:51 04/09/2008] [06:40 30/11/2012]
ntuser.dat.LOG --ah--- 53248 bytes [14:51 04/09/2008] [00:39 01/12/2012]
ntuser.ini ---hs-- 178 bytes [14:52 04/09/2008] [16:36 29/12/2010]
---Folders---
Application Data d------ [14:51 04/09/2008]
Cookies d--hs-- [01:14 28/11/2012]
Favorites dr----- [02:08 11/08/2012]
IETldCache d--hs-- [01:52 11/08/2012]
Local Settings d--h--- [14:51 04/09/2008]
-= EOF =-


----------



## wdauser (Mar 30, 2011)

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 11/30/2012 08:26:32 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 2
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity: 
* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]
Searching for Missing Digital Signatures: 
* No issues found.
Checking HOSTS File: 
* HOSTS file entries found: 
127.0.0.1 localhost
Program finished at: 11/30/2012 08:28:41 PM
Execution time: 0 hours(s), 2 minute(s), and 9 seconds(s)


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* and copy and paste the following then click OK:

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs"*

You won't see anything happen and it will only take a second. You will find the report it creates at C:\look.txt. Please open it in Notepad and then copy and paste the report here.


----------



## wdauser (Mar 30, 2011)

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Description"="Provides the endpoint mapper and other miscellaneous RPC services."
"DisplayName"="Remote Procedure Call (RPC)"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,72,00,70,00,63,00,73,00,73,00,00,00
"ObjectName"="NT AUTHORITY\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000010
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
00,02,00,00,00,60,ea,00,00
"ServiceSidType"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security]
"Security"=hex:01,00,14,80,a8,00,00,00,b4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,78,00,05,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,18,00,8d,00,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Enum]
"0"="Root\\LEGACY_RPCSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
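The export above stores ImagePath and ServiceDll as hex(2) byte lists (REG_EXPAND_SZ, UTF-16LE), so the path Rkill flagged is not readable at a glance. As an added example that is not part of this thread or of any tool mentioned in it, the Python script below decodes a `regedit /e` export of the kind Cookiegal requested and sanity-checks where RpcSs is loaded from; the sample input is constructed from the lines posted above, and the reference shape it checks against (svchost.exe from system32, group rpcss, system32\rpcss.dll) is an assumption of the example, not something the thread states.

```python
import re

# Constructed sample: the RpcSs key and its Parameters subkey as they appear in the
# "regedit /e" export posted in this thread (unrelated values omitted).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DisplayName"="Remote Procedure Call (RPC)"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,72,00,70,00,63,00,73,00,73,00,00,00
"ObjectName"="NT AUTHORITY\\NetworkService"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
'''

RPCSS_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs'
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<value>.*)$')


def _unfold(text):
    """Join the backslash-continued lines regedit emits for long hex values."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith('\\'):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def _decode_value(raw):
    """Turn one .reg value literal into a Python str / int / list / bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    m = re.match(r'hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<data>.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group('data').split(',') if b)
        kind = int(m.group('t') or '3', 16)  # bare "hex:" is REG_BINARY (type 3)
        if kind in (1, 2):                   # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return data.decode('utf-16-le').rstrip('\x00')
        if kind == 7:                        # REG_MULTI_SZ: NUL-separated, double-NUL ended
            return [s for s in data.decode('utf-16-le').split('\x00') if s]
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a regedit /e export."""
    result = {}
    current = None
    for line in _unfold(text):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group('default') else m.group('name')
            result[current][name] = _decode_value(m.group('value'))
    return result


def check_rpcss(text):
    """Decode the RpcSs export and sanity-check where the service actually loads from."""
    reg = parse_reg_export(text)
    image = reg.get(RPCSS_KEY, {}).get('ImagePath', '')
    dll = reg.get(RPCSS_KEY + r'\Parameters', {}).get('ServiceDll', '')
    account = reg.get(RPCSS_KEY, {}).get('ObjectName', '')
    # Assumed reference shape (this example's assumption, not from the thread): RpcSs is
    # hosted by svchost.exe from the system directory, in the "rpcss" group, and its
    # service code is system32\rpcss.dll. Paths are compared case-insensitively.
    host, _, group = image.partition(' -k ')
    problems = []
    if host.lower() != r'%systemroot%\system32\svchost.exe':
        problems.append('ImagePath host is not system32\\svchost.exe: ' + image)
    if group.strip().lower() != 'rpcss':
        problems.append('ImagePath svchost group is not rpcss: ' + image)
    if dll.lower() != r'%systemroot%\system32\rpcss.dll':
        problems.append('ServiceDll is not system32\\rpcss.dll: ' + dll)
    return {'ImagePath': image, 'ServiceDll': dll, 'ObjectName': account,
            'problems': problems}


if __name__ == '__main__':
    for k, v in check_rpcss(SAMPLE_REG).items():
        print(f'{k}: {v}')
```

On the export posted above the decoded ImagePath is the same string Rkill printed, so the decoder shows what the hex actually says; it does not explain why Rkill considered it incorrect.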


----------



## Cookiegal (Aug 27, 2003)

Are you still having problems running the programs in normal mode?


----------



## wdauser (Mar 30, 2011)

Yes. Combofix, Malwarebytes, OTL, Winrar are all unresponsive unless in safe mode. How do we proceed? Would you recommend uninstalling? There are quite a few programs on the desktop.


----------



## Cookiegal (Aug 27, 2003)

Those are the only four programs that are unresponsive?

Do you have any other accounts with administrator privileges that you could log into?

If not, try creating a new account with Administrator privileges and see if you can run those programs with the new account.


----------



## wdauser (Mar 30, 2011)

I am only running the admin and myself as users on this machine. I will try creating another user to see what's going on with the program.

In the meantime, I somehow came across a piece of trash browser addon called DealCabby and I want it gone. Any ideas on getting rid of this one?



Name: DealCabby
Publisher: AdPeak, Inc
Type: Browser Helper Object
Version: Not available
File date: 
Date last accessed: Today, December 03, 2012, 19 minutes ago
Class ID: {0B4A07CF-45EB-4B10-B6BB-35568A2F89BE}
Use count: 16
Block count: 0
File: dealcabby_20121029030001.dll
Folder: C:\Documents and Settings\willie_dinish\Local Settings\Application Data\dealcabby\ie


----------



## Cookiegal (Aug 27, 2003)

Let's see if this will get it.

Please download AdwCleaner from here to your desktop

Run AdwCleaner and select "Search" (do not select "Delete" at this time)

Once the scan is finished it will ask to reboot so please allow this.

After the reboot a log will be produced. Please copy and paste the log into your next reply.


----------



## wdauser (Mar 30, 2011)

# AdwCleaner v2.011 - Logfile created 12/04/2012 at 20:00:44
# Updated 02/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : willie_dinish - WILLIEDINISH
# Boot Mode : Normal
# Running from : C:\Documents and Settings\willie_dinish\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****
Folder Found : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found : C:\Documents and Settings\willie_dinish\Application Data\Babylon
Folder Found : C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Babylon
***** [Registry] *****
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?affID=110803&tt=4812_8&babsrc=NT_ss&mntrId=24bbe2e700000000000000166f493803
*************************
AdwCleaner[R1].txt - [1105 octets] - [04/12/2012 20:00:44]
########## EOF - C:\AdwCleaner[R1].txt - [1165 octets] ##########


----------



## Cookiegal (Aug 27, 2003)

Please run Adwcleaner again and this time select the "delete" option and then post the resulting log.


----------



## wdauser (Mar 30, 2011)

# AdwCleaner v2.011 - Logfile created 12/04/2012 at 20:43:10
# Updated 02/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : willie_dinish - WILLIEDINISH
# Boot Mode : Normal
# Running from : C:\Documents and Settings\willie_dinish\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\willie_dinish\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\willie_dinish\Local Settings\Application Data\Babylon
***** [Registry] *****
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?affID=110803&tt=4812_8&babsrc=NT_ss&mntrId=24bbe2e700000000000000166f493803 --> hxxp://www.google.com
*************************
AdwCleaner[R1].txt - [1234 octets] - [04/12/2012 20:00:44]
AdwCleaner[S2].txt - [1214 octets] - [04/12/2012 20:43:10]
########## EOF - C:\AdwCleaner[S2].txt - [1274 octets] ##########


----------



## wdauser (Mar 30, 2011)

Cookiegal,

I created the new user and I noted the following:
-Malwarebytes-Present on the desktop as an option, but "blank" icon. Would not respond to double-click.
-Winrar-Present only on the ALL Programs list, but "blank" icon. Would not respond to anything.
-Combofix-Not present anywhere.
-OTL-Not present anywhere.

I have generated a print screen of these observances, but I can't seem to get it to attach--kind of large file--

Will this be enough information or will I need to do installation/uninstallation of these programs on this new profile?

How do we proceed?


----------



## Cookiegal (Aug 27, 2003)

Try uninstalling MalwareBytes first and then run the MBAM Clean tool afterwards then reboot the machine if the tool doesn't do it automatically.

http://helpdesk.malwarebytes.org/en...o-completely-remove-malwarebytes-anti-malware

Then try installing it using the new account and try updating and running it as well.


----------



## wdauser (Mar 30, 2011)

It looks like it worked. Here is the log:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.12.07.01
Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Test Bot :: WILLIEDINISH [administrator]
Protection: Disabled
12/6/2012 8:07:02 PM
mbam-log-2012-12-06 (20-52-25).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 282586
Time elapsed: 14 minute(s), 54 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|TVU Networks (Trojan.Agent) -> Data: rundll32.exe "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll",CreateTzanShellW -> No action taken.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\willie_dinish\Local Settings\temp\0.2617862251044394 (Trojan.Happili) -> No action taken.
C:\Documents and Settings\willie_dinish\Local Settings\temp\B.tmp (Trojan.Agent.MRGGen) -> No action taken.
C:\Documents and Settings\willie_dinish\Local Settings\temp\yzqugy\yzqugy.dll (Trojan.Agent) -> No action taken.
(end)


----------



## Cookiegal (Aug 27, 2003)

Allow it to fix everything it found.


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.


----------



## Cookiegal (Aug 27, 2003)

Then see if you can install ComboFix with the new account and run a scan.


----------



## wdauser (Mar 30, 2011)

Came across an interesting prompt when logging into my "willie_dinish" profile; prompt stated that the profile did not have permission to the MalwareBytes software, and it would be disabled. This appears to be the case. 

Should I try to approach some of the software issues by reinstalling/installing as the administrator? 

Will work on these new items requested as well.

Thanks for your help.


----------



## wdauser (Mar 30, 2011)

Just realized that this program will only respond in safe mode. In normal mode, on both users, the program is not accessible. New log is below.

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.12.07.01
Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Test Bot :: WILLIEDINISH [administrator]
Protection: Disabled
12/7/2012 9:01:27 AM
mbam-log-2012-12-07 (09-01-27).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281593
Time elapsed: 14 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|TVU Networks (Trojan.Agent) -> Data: rundll32.exe "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll",CreateTzanShellW -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\willie_dinish\Local Settings\temp\0.2617862251044394 (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Documents and Settings\willie_dinish\Local Settings\temp\B.tmp (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\willie_dinish\Local Settings\temp\yzqugy\yzqugy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
(end)


----------



## Cookiegal (Aug 27, 2003)

Is your "willie_dinish" account still showing that it has administrator privileges?

Did you run ATF Cleaner?

What is the exact message you get when trying to run MBAM, please?


----------



## wdauser (Mar 30, 2011)

I'm not so sure that I know where to find the Admin privileges on my user profile. Any assistance here is appreciated.

I have run the ATF Cleaner now. I'm not sure about the results. Once completed, I installed combofix on the new profile. Combofix would not run on the new profile in normal mode.

That nasty note from malwarebytes came up while the "willie_dinish" profile was running in safe mode, after the installation to the new profile. I am checking to see if it will show up again, and I'll post as soon as I can.

Would solving the privileges issue (if there is one) resolve some of these issues? 

Thanks for your help.


----------



## wdauser (Mar 30, 2011)

Cookiegal,

The error with MBAM has not reappeared. The message showed up upon reboot of the main "Willie" profile and I was unable to bypass it without clicking on it. I failed to write it down. Apologies. But I have had the following results while attempting to rerun the program.

"Willie" Profile Regular Mode: No response.
"Willie" Profile Safe Mode: Runs without issue.
New Profile Regular Mode: Run Time Error 48: File not found: mbamcore
New Profile Safe Mode: Runs without issue.

I have had a new error message pop up on my "Willie" Profile Regular Mode. 

It reads as follows: Error Message: RUNDLL: Error loading C: Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll
The specified module could not be found

I believe this file was cleaned with the mbam cleaning that was just completed. 

How do we proceed?


----------



## Cookiegal (Aug 27, 2003)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:regfind
yzqugy
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## wdauser (Mar 30, 2011)

SystemLook 30.07.11 by jpshortstuff
Log created at 17:54 on 08/12/2012 by willie_dinish
Administrator - Elevation successful
========== regfind ==========
Searching for "yzqugy"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TVU Networks"="rundll32.exe "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll",CreateTzanShellW"
[HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"TVU Networks"="rundll32.exe "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll",CreateTzanShellW"
-= EOF =-


----------
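The two posts above show the state a partial clean-up leaves behind: the scanner quarantined the DLL, but the Run value that loads it through rundll32.exe survived, which is what produces the "Error loading ... The specified module could not be found" message at logon. The following is an added example, not part of the thread and not code from SystemLook, MBAM or OTS: it parses a SystemLook-style regfind section and lists Run entries whose rundll32 target DLL is no longer on disk. The sample report, the path and the export name are constructed placeholders, and the file-existence check is injectable so the logic can be exercised without touching the real file system.

```python
"""Flag Run-key autorun entries whose rundll32 target DLL no longer exists.

Added example (not from the thread or from any of the tools it mentions).
Input is text in the shape of a SystemLook "regfind" section:
    [HKEY_...\Software\Microsoft\Windows\CurrentVersion\Run]
    "Name"="rundll32.exe "C:\path\to\file.dll",ExportName"
"""
import os
import re
from typing import Callable, Dict, List

# Constructed sample in the shape of the SystemLook regfind output posted in the
# thread; the path, value name and export name are placeholders, not indicators.
SAMPLE_REGFIND = r'''
========== regfind ==========
Searching for "example"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Loader"="rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\Example\example.dll",ExampleEntry"
[HKEY_USERS\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Loader"="rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\Example\example.dll",ExampleEntry"
"Legit Tool"="C:\Program Files\Legit\tool.exe"
-= EOF =-
'''

# A key line: [HKEY_...]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# A value line: "Name"="<command line>". The command line may itself contain
# double quotes, so capture everything between the first =" and the last ".
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"\s*$')
# rundll32.exe "C:\path\x.dll",Export   or   rundll32.exe C:\path\x.dll,Export
RUNDLL_RE = re.compile(
    r'^\s*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


def parse_regfind(text: str) -> List[Dict[str, str]]:
    """Return one record per value line, tagged with the key it sits under."""
    records: List[Dict[str, str]] = []
    current_key = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            records.append({
                'key': current_key,
                'name': value_match.group('name'),
                'cmd': value_match.group('cmd'),
            })
    return records


def is_run_key(key: str) -> bool:
    """True for the per-hive ...\CurrentVersion\Run autostart keys."""
    return key.lower().rstrip('\\').endswith(r'\currentversion\run')


def find_orphaned_rundll_entries(
    text: str, exists: Callable[[str], bool] = os.path.exists
) -> List[Dict[str, str]]:
    """Run values that load a DLL via rundll32 which `exists` cannot find.

    On a live machine keep the default os.path.exists; tests pass a stub so
    the result does not depend on the file system of the host running them.
    """
    orphans: List[Dict[str, str]] = []
    for rec in parse_regfind(text):
        if not is_run_key(rec['key']):
            continue
        rundll = RUNDLL_RE.match(rec['cmd'])
        if not rundll:
            continue
        dll = rundll.group('dll')
        if not exists(dll):
            orphans.append({**rec, 'dll': dll, 'export': rundll.group('export')})
    return orphans


if __name__ == '__main__':
    # With the default os.path.exists the placeholder DLL is absent, so both
    # Run entries are reported; the plain .exe entry is not a rundll32 loader.
    for entry in find_orphaned_rundll_entries(SAMPLE_REGFIND):
        print(f"orphaned autorun: [{entry['key']}] \"{entry['name']}\" -> "
              f"{entry['dll']} (export {entry['export']}) is missing on disk")
```

Each reported value is a dead autorun: the loader will fail at every logon with the RUNDLL error until the value itself is removed, and the key path tells you which profile hive still carries it.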



## Cookiegal (Aug 27, 2003)

Download *OTS.exe* to your Desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
At the top put a check mark in the box beside "Scan All Users".
Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors)
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## wdauser (Mar 30, 2011)

OTS logfile created on: 12/10/2012 9:04:18 PM - Run 1
OTS by OldTimer - Version 3.1.47.2 Folder = C:\Documents and Settings\willie_dinish\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 794.00 Mb Available Physical Memory | 78.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 17.74 Gb Free Space | 31.79% Space Free | Partition Type: NTFS
Drive D: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 1.86 Gb Total Space | 0.02 Gb Free Space | 0.97% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WILLIEDINISH
Current User Name: willie_dinish
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots.exe -> C:\Documents and Settings\willie_dinish\Desktop\OTS.exe -> [2012/12/10 21:00:23 | 000,646,656 | ---- | M] (OldTimer Tools)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation)
zcfgsvc.exe -> C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe -> [2004/09/07 15:08:02 | 000,389,120 | ---- | M] (Intel Corporation)

[Modules - No Company Name]
[Win32 Services - Safe List]
(MBAMService) MBAMService [Auto | Stopped] -> C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -> [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation)
(MBAMScheduler) MBAMScheduler [Auto | Stopped] -> C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -> [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation)
(ThreatFire) ThreatFire [Auto | Stopped] -> C:\Program Files\ThreatFire\TFService.exe -> [2010/01/14 15:08:12 | 000,070,928 | ---- | M] (PC Tools)
(WLANKEEPER) WLANKEEPER [Auto | Stopped] -> C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -> [2004/09/07 15:12:32 | 000,225,353 | ---- | M] (Intel® Corporation)

[Driver Services - Safe List]
(MBAMSwissArmy) MBAMSwissArmy [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\mbamswissarmy.sys -> [2012/12/07 20:18:15 | 000,040,776 | ---- | M] (Malwarebytes Corporation)
(MBAMProtector) MBAMProtector [File_System | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\mbam.sys -> [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation)
(TfSysMon) TfSysMon [Kernel | Boot | Stopped] -> C:\WINDOWS\system32\drivers\TfSysMon.sys -> [2010/01/14 15:08:30 | 000,059,664 | ---- | M] (PC Tools)
(TfFsMon) TfFsMon [Kernel | Boot | Stopped] -> C:\WINDOWS\system32\drivers\TfFsMon.sys -> [2010/01/14 15:08:28 | 000,051,984 | ---- | M] (PC Tools)
(TfNetMon) TfNetMon [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\TfNetMon.sys -> [2010/01/14 15:08:28 | 000,033,552 | ---- | M] (PC Tools)
(DLADResM) DLADResM [File_System | Auto | Stopped] -> C:\WINDOWS\system32\DLA\DLADResM.SYS -> [2006/08/18 12:18:08 | 000,009,400 | ---- | M] (Roxio)
(DLABMFSM) DLABMFSM [File_System | Auto | Stopped] -> C:\WINDOWS\system32\DLA\DLABMFSM.SYS -> [2006/08/18 12:17:46 | 000,035,096 | ---- | M] (Roxio)
(DLAUDF_M) DLAUDF_M [File_System | Auto | Stopped] -> C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -> [2006/08/18 12:17:44 | 000,097,848 | ---- | M] (Roxio)
(DLAUDFAM) DLAUDFAM [File_System | Auto | Stopped] -> C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -> [2006/08/18 12:17:44 | 000,094,648 | ---- | M] (Roxio)
(DLAOPIOM) DLAOPIOM [File_System | Auto | Stopped] -> C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -> [2006/08/18 12:17:42 | 000,026,008 | ---- | M] (Roxio)
(DLABOIOM) DLABOIOM [File_System | Auto | Stopped] -> C:\WINDOWS\system32\DLA\DLABOIOM.SYS -> [2006/08/18 12:17:40 | 000,032,472 | ---- | M] (Roxio)
(DLAIFS_M) DLAIFS_M [File_System | Auto | Stopped] -> C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -> [2006/08/18 12:17:38 | 000,104,472 | ---- | M] (Roxio)
(DLAPoolM) DLAPoolM [File_System | Auto | Stopped] -> C:\WINDOWS\system32\DLA\DLAPoolM.SYS -> [2006/08/18 12:17:38 | 000,014,520 | ---- | M] (Roxio)
(DLACDBHM) DLACDBHM [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLACDBHM.SYS -> [2006/08/11 09:35:18 | 000,012,920 | ---- | M] (Roxio)
(DLARTL_M) DLARTL_M [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLARTL_M.SYS -> [2006/08/11 09:35:16 | 000,028,184 | ---- | M] (Roxio)
(STAC97) SigmaTel C-Major Audio [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\STAC97.sys -> [2005/03/10 15:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.)
(w29n51) Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\w29n51.sys -> [2004/10/21 14:56:04 | 003,210,496 | ---- | M] (Intel® Corporation)
(s24trans) WLAN Transport [Kernel | Auto | Stopped] -> C:\WINDOWS\system32\drivers\s24trans.sys -> [2004/08/31 07:53:04 | 000,011,354 | ---- | M] (Intel Corporation)
(b57w2k) Broadcom NetXtreme 57xx Gigabit Controller [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\b57xp32.sys -> [2004/08/23 13:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation)
(IWCA) Intel Wireless Connection Agent Miniport for Win XP [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\iwca.sys -> [2004/08/12 07:44:04 | 000,234,496 | ---- | M] (Intel Corporation)
(mf) mf [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\mf.sys -> [2004/08/04 04:00:00 | 000,063,744 | ---- | M] (Microsoft Corporation)
(HSFHWICH) HSFHWICH [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\HSFHWICH.sys -> [2004/06/17 14:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\HSF_CNXT.sys -> [2004/06/17 14:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.)
(HSF_DP) HSF_DP [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\HSF_DP.sys -> [2004/06/17 14:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.)
(GTIPCI21) GTIPCI21 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\gtipci21.sys -> [2004/05/03 15:26:16 | 000,080,384 | ---- | M] (Texas Instruments)
(OMCI) OMCI [Kernel | System | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -> [2001/08/22 07:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation)
(BrUsbScn) Brother MFC USB Scanner driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\BrUsbScn.sys -> [2001/08/17 13:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.)
(brfilt) Brother MFC Filter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\BrFilt.sys -> [2001/08/17 13:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.)
(RVIEG01) VSC Engine [Kernel | Auto | Stopped] -> C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys -> [2001/04/13 19:16:38 | 000,187,992 | ---- | M] (Roland)
(UdfReadr) UdfReadr [File_System | System | Stopped] -> C:\WINDOWS\System32\drivers\udfreadr.sys -> [2000/02/22 21:38:22 | 000,206,272 | ---- | M] (Adaptec)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
HKEY_USERS\S-1-5-20\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\: Main\\"Start Page" -> http://www.google.com/ -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\: "ProxyEnable" -> 0 -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> -> 
HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT] -> [2012/11/23 18:27:21 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F} -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT] -> [2012/11/23 18:27:21 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2012/11/26 18:55:52 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts -> 
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> [2004/12/14 00:56:50 | 000,063,136 | ---- | M] (Adobe Systems Incorporated)
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKLM] -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] -> [2012/11/23 18:27:13 | 000,426,736 | ---- | M] (RealPlayer)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"TkBellExe" -> C:\program files\real\realplayer\update\realsched.exe ["C:\program files\real\realplayer\update\realsched.exe" -osboot] -> [2012/11/23 18:26:23 | 000,296,096 | ---- | M] (RealNetworks, Inc.)
< Run [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"SpybotSD TeaTimer" -> C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe] -> [2004/05/12 00:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited)
"TVU Networks" -> [rundll32.exe "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll",CreateTzanShellW] -> File not found
< Administrator.WILLIEDINISH.000 Startup Folder > -> C:\Documents and Settings\Administrator.WILLIEDINISH.000\Start Menu\Programs\Startup -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup -> 
< Test Bot Startup Folder > -> C:\Documents and Settings\Test Bot\Start Menu\Programs\Startup -> 
< willie_dinish Startup Folder > -> C:\Documents and Settings\willie_dinish\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoCDBurning" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
\\"HonorAutoRunSetting" -> [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoLogOff" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1002 domain(s) found. -> 
free_aol.com [http] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 18 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [HKLM] -> http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab [QuickTime Plugin Control] -> 
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab [Windows Genuine Advantage Validation Tool] -> 
{31435657-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab [Reg Error: Key error.] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306725428453 [WUWebControl Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306725414078 [MUWebControl Class] -> 
{6F15128C-E66A-490C-B848-5000B5ABEEAC} [HKLM] -> https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab [HP Download Manager] -> 
{7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> http://download.eset.com/special/eos-beta/OnlineScanner.cab [OnlineScanner Control] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab [Java Plug-in 1.6.0_25] -> 
{BDEE1959-AB6B-4745-A29B-F492861102CC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> 
{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab [Java Plug-in 1.6.0_25] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab [Java Plug-in 1.6.0_25] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.254 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{1734B3D3-F475-4AE0-A718-EFF5F30521D5}\\DhcpNameServer -> 192.168.1.254 (Intel(R) PRO/Wireless 2200BG Network Connection) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINDOWS\system32\userinit.exe -> C:\WINDOWS\system32\userinit.exe -> [2004/08/04 04:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> C:\WINDOWS\System32\igfxsrvc.dll -> [2005/02/15 08:02:58 | 000,348,160 | ---- | M] (Intel Corporation)
IntelWireless -> C:\Program Files\Intel\Wireless\Bin\LgNotify.dll -> [2004/09/07 15:08:06 | 000,110,592 | ---- | M] (Intel Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\Readon Technology\Readon TV Movie Radio Player 7.2.0.0\internettv.exe" -> C:\Program Files\Readon Technology\Readon TV Movie Radio Player 7.2.0.0\internettv.exe [C:\Program Files\Readon Technology\Readon TV Movie Radio Player 7.2.0.0\internettv.exe:*:Enabled:Readon TV Movie Radio Player] -> [2010/06/12 19:44:06 | 001,659,904 | ---- | M] (Readon Technology)
"C:\Program Files\Real\RealPlayer\realplay.exe" -> C:\Program Files\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer] -> [2012/11/23 18:26:28 | 000,499,352 | ---- | M] (RealNetworks, Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > -> -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2008/09/04 08:46:43 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* ->

[Registry - Additional Scans - Safe List]
< Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ -> 
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> [2004/12/14 03:44:06 | 000,029,696 | ---- | M] (Adobe Systems Incorporated)
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe -> [2003/04/09 17:21:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.)
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ -> 
ctfmon.exe hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> -> File not found
ISUSPM Startup hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -> [2004/07/27 15:50:42 | 000,221,184 | ---- | M] (InstallShield Software Corporation)
QuickTime Task hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\QuickTime\qttask.exe -> [2011/06/08 00:30:06 | 000,421,888 | ---- | M] (Apple Inc.)
SpybotSD TeaTimer hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe -> [2004/05/12 00:03:00 | 001,038,336 | ---- | M] (Safer Networking Limited)
SunJavaUpdateSched hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\Common Files\Java\Java Update\jusched.exe -> [2011/01/07 12:12:22 | 000,253,672 | ---- | M] (Sun Microsystems, Inc.)
ThreatFire hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\ThreatFire\TFTray.exe -> [2010/01/14 15:08:16 | 000,378,128 | ---- | M] (PC Tools)
TkBellExe hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\program files\real\realplayer\update\realsched.exe -> [2012/11/23 18:26:23 | 000,296,096 | ---- | M] (RealNetworks, Inc.)
< Disabled MSConfig State [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state -> 
"bootini" -> 0 -> 
"services" -> 0 -> 
"startup" -> 2 -> 
"system.ini" -> 0 -> 
"win.ini" -> 0 -> 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ->
6to4 -> -> File not found
Ias -> -> File not found
Iprip -> -> File not found
Irmon -> -> File not found
NWCWorkstation -> -> File not found
Nwsapagent -> -> File not found
WmdmPmSp -> -> File not found
*MultiFile Done* -> -> 
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 12/4/2012 11:13:50 PM Computer Name = WILLIEDINISH | Source = MsiInstaller | ID = 11706 -> Description = Product: Microsoft Office Professional Edition 2003 -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM.
Application [ Error ] 12/4/2012 11:21:36 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module dealcabby_20121029030001.dll, version 0.0.0.0, fault address 0x00001b73.
Application [ Error ] 12/5/2012 12:16:31 AM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module yzqugy.dll, version 3.5.0.3025, fault address 0x00001230.
Application [ Error ] 12/5/2012 11:00:55 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module yzqugy.dll, version 3.5.0.3025, fault address 0x00001230.
Application [ Error ] 12/5/2012 11:09:26 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18928, fault address 0x00095952.
Application [ Error ] 12/5/2012 11:36:40 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x20468b3d.
Application [ Error ] 12/6/2012 8:47:05 PM Computer Name = WILLIEDINISH | Source = pctsSvc.exe | ID = 0 -> Description = 
Application [ Error ] 12/7/2012 11:18:53 AM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application notepad.exe, version 5.1.2600.2180, faulting module shell32.dll, version 6.0.2900.3402, fault address 0x00076c8c.
Application [ Error ] 12/7/2012 11:13:26 PM Computer Name = WILLIEDINISH | Source = Application Hang | ID = 1002 -> Description = Hanging application TeaTimer.exe, version 1.3.0.12, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 12/10/2012 11:10:35 AM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application realplay.exe, version 15.0.6.14, faulting module rpcl3260.dll, version 15.0.6.14, fault address 0x00042889.
System [ Error ] 12/10/2012 7:25:13 PM Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7000 -> Description = The Upload Manager service failed to start due to the following error: %%1079
System [ Error ] 12/10/2012 9:05:12 PM Computer Name = WILLIEDINISH | Source = Application Popup | ID = 876 -> Description = Driver UdfReadr.SYS has been blocked from loading.
System [ Error ] 12/10/2012 9:05:22 PM Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7000 -> Description = The Upload Manager service failed to start due to the following error: %%1079
System [ Error ] 12/10/2012 10:52:40 PM Computer Name = WILLIEDINISH | Source = Application Popup | ID = 876 -> Description = Driver UdfReadr.SYS has been blocked from loading.
System [ Error ] 12/10/2012 10:53:09 PM Computer Name = WILLIEDINISH | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
System [ Error ] 12/10/2012 10:54:04 PM Computer Name = WILLIEDINISH | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load: Fips intelppm OMCI TfFsMon TfSysMon
System [ Error ] 12/10/2012 10:56:39 PM Computer Name = WILLIEDINISH | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
System [ Error ] 12/10/2012 10:56:42 PM Computer Name = WILLIEDINISH | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
System [ Error ] 12/10/2012 10:56:42 PM Computer Name = WILLIEDINISH | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
System [ Error ] 12/10/2012 10:56:42 PM Computer Name = WILLIEDINISH | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

[Files/Folders - Created Within 30 Days]
OTS.exe -> C:\Documents and Settings\willie_dinish\Desktop\OTS.exe -> [2012/12/10 21:00:12 | 000,646,656 | ---- | C] (OldTimer Tools)
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2012/12/07 20:18:15 | 000,040,776 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> C:\Documents and Settings\willie_dinish\Application Data\Malwarebytes -> [2012/12/07 20:12:06 | 000,000,000 | ---D | C]
32788R22FWJFW -> C:\32788R22FWJFW -> [2012/12/07 19:09:30 | 000,000,000 | ---D | C]
ATF-Cleaner.exe -> C:\Documents and Settings\willie_dinish\Desktop\ATF-Cleaner.exe -> [2012/12/07 18:25:52 | 000,050,688 | ---- | C] (Atribune.org)
Malwarebytes' Anti-Malware -> C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware -> [2012/12/06 19:58:03 | 000,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2012/12/06 19:58:02 | 000,000,000 | ---D | C]
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2012/12/06 19:57:58 | 000,022,856 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2012/12/06 19:57:58 | 000,000,000 | ---D | C]
mbam-clean-1.60.2.0003.exe -> C:\Documents and Settings\willie_dinish\Desktop\mbam-clean-1.60.2.0003.exe -> [2012/12/06 19:05:58 | 000,080,456 | ---- | C] (Malwarebytes Corporation)
TEMP -> C:\Documents and Settings\All Users\Application Data\TEMP -> [2012/12/06 18:46:42 | 000,000,000 | ---D | C]
RK_Quarantine -> C:\Documents and Settings\willie_dinish\Desktop\RK_Quarantine -> [2012/12/02 23:02:59 | 000,000,000 | ---D | C]
RECYCLER -> C:\RECYCLER -> [2012/12/02 11:48:16 | 000,000,000 | -HSD | C]
temp -> C:\WINDOWS\temp -> [2012/11/26 18:53:14 | 000,000,000 | ---D | C]
NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2012/11/26 18:40:29 | 000,060,416 | ---- | C] (NirSoft)
xing shared -> C:\Program Files\Common Files\xing shared -> [2012/11/23 18:27:28 | 000,000,000 | ---D | C]
rmoc3260.dll -> C:\WINDOWS\System32\rmoc3260.dll -> [2012/11/23 18:27:03 | 000,198,864 | ---- | C] (RealNetworks, Inc.)
pndx5016.dll -> C:\WINDOWS\System32\pndx5016.dll -> [2012/11/23 18:26:29 | 000,006,656 | ---- | C] (RealNetworks, Inc.)
pndx5032.dll -> C:\WINDOWS\System32\pndx5032.dll -> [2012/11/23 18:26:29 | 000,005,632 | ---- | C] (RealNetworks, Inc.)
pncrt.dll -> C:\WINDOWS\System32\pncrt.dll -> [2012/11/23 18:26:27 | 000,272,896 | ---- | C] (Progressive Networks)
RealNetworks -> C:\Documents and Settings\All Users\Start Menu\Programs\RealNetworks -> [2012/11/23 18:26:27 | 000,000,000 | ---D | C]
puppy.exe -> C:\Documents and Settings\willie_dinish\Desktop\puppy.exe -> [2012/11/20 20:37:16 | 005,004,421 | R--- | C] (Swearware)
mseinstall.exe -> C:\Documents and Settings\willie_dinish\Desktop\mseinstall.exe -> [2012/11/17 19:11:37 | 011,088,872 | ---- | C] (Microsoft Corporation)

[Files/Folders - Modified Within 30 Days]
OTS.exe -> C:\Documents and Settings\willie_dinish\Desktop\OTS.exe -> [2012/12/10 21:00:23 | 000,646,656 | ---- | M] (OldTimer Tools)
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2012/12/10 20:53:12 | 000,002,206 | ---- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2012/12/10 20:52:28 | 000,002,048 | --S- | M] ()
GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job -> C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003UA.job -> [2012/12/10 20:37:08 | 000,001,010 | ---- | M] ()
GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job -> C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1532298954-2146899641-1003Core.job -> [2012/12/10 20:37:08 | 000,000,958 | ---- | M] ()
RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> [2012/12/10 19:27:32 | 000,000,294 | ---- | M] ()
RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> [2012/12/10 19:27:29 | 000,000,302 | ---- | M] ()
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2012/12/07 20:18:15 | 000,040,776 | ---- | M] (Malwarebytes Corporation)
ATF-Cleaner.exe -> C:\Documents and Settings\willie_dinish\Desktop\ATF-Cleaner.exe -> [2012/12/07 18:25:53 | 000,050,688 | ---- | M] (Atribune.org)
Malwarebytes Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk -> [2012/12/06 20:03:31 | 000,000,784 | ---- | M] ()
mbam-clean-1.60.2.0003.exe -> C:\Documents and Settings\willie_dinish\Desktop\mbam-clean-1.60.2.0003.exe -> [2012/12/06 19:05:59 | 000,080,456 | ---- | M] (Malwarebytes Corporation)
New User Print Screen.pdf -> C:\Documents and Settings\willie_dinish\Desktop\New User Print Screen.pdf -> [2012/12/04 21:23:59 | 000,322,955 | ---- | M] ()
adwcleaner.exe -> C:\Documents and Settings\willie_dinish\Desktop\adwcleaner.exe -> [2012/12/04 19:58:48 | 000,540,743 | ---- | M] ()
extensions.sqlite -> C:\extensions.sqlite -> [2012/12/02 22:09:39 | 000,000,000 | ---- | M] ()
d3d9caps.dat -> C:\WINDOWS\System32\d3d9caps.dat -> [2012/12/02 19:34:06 | 000,001,324 | ---- | M] ()
hosts -> C:\WINDOWS\System32\drivers\etc\hosts -> [2012/11/26 18:55:52 | 000,000,027 | ---- | M] ()
RealPlayer.lnk -> C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk -> [2012/11/23 18:28:13 | 000,000,747 | ---- | M] ()
rmoc3260.dll -> C:\WINDOWS\System32\rmoc3260.dll -> [2012/11/23 18:27:03 | 000,198,864 | ---- | M] (RealNetworks, Inc.)
pndx5016.dll -> C:\WINDOWS\System32\pndx5016.dll -> [2012/11/23 18:26:29 | 000,006,656 | ---- | M] (RealNetworks, Inc.)
pndx5032.dll -> C:\WINDOWS\System32\pndx5032.dll -> [2012/11/23 18:26:29 | 000,005,632 | ---- | M] (RealNetworks, Inc.)
pncrt.dll -> C:\WINDOWS\System32\pncrt.dll -> [2012/11/23 18:26:27 | 000,272,896 | ---- | M] (Progressive Networks)
puppy.exe -> C:\Documents and Settings\willie_dinish\Desktop\puppy.exe -> [2012/11/20 20:37:16 | 005,004,421 | R--- | M] (Swearware)
mseinstall.exe -> C:\Documents and Settings\willie_dinish\Desktop\mseinstall.exe -> [2012/11/17 19:11:37 | 011,088,872 | ---- | M] (Microsoft Corporation)
Phone November 2012 Payment.pdf -> C:\Documents and Settings\willie_dinish\My Documents\Phone November 2012 Payment.pdf -> [2012/11/16 00:17:41 | 000,018,686 | ---- | M] ()

[Files - No Company Name]
Malwarebytes Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk -> [2012/12/06 20:03:31 | 000,000,784 | ---- | C] ()
New User Print Screen.pdf -> C:\Documents and Settings\willie_dinish\Desktop\New User Print Screen.pdf -> [2012/12/04 21:23:59 | 000,322,955 | ---- | C] ()
adwcleaner.exe -> C:\Documents and Settings\willie_dinish\Desktop\adwcleaner.exe -> [2012/12/04 19:58:48 | 000,540,743 | ---- | C] ()
extensions.sqlite -> C:\extensions.sqlite -> [2012/12/02 22:09:39 | 000,000,000 | ---- | C] ()
RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> [2012/11/28 19:29:36 | 000,000,294 | ---- | C] ()
RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1532298954-2146899641-1003.job -> [2012/11/23 18:37:02 | 000,000,302 | ---- | C] ()
RealPlayer.lnk -> C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk -> [2012/11/23 18:28:13 | 000,000,747 | ---- | C] ()
Phone November 2012 Payment.pdf -> C:\Documents and Settings\willie_dinish\My Documents\Phone November 2012 Payment.pdf -> [2012/11/16 00:17:35 | 000,018,686 | ---- | C] ()
mbam.context.scan -> C:\Documents and Settings\willie_dinish\Application Data\mbam.context.scan -> [2012/10/23 18:24:36 | 000,000,075 | ---- | C] ()
.backup.dm -> C:\Documents and Settings\willie_dinish\Application Data\.backup.dm -> [2012/04/22 20:27:05 | 000,000,272 | ---- | C] ()
PUTTY.RND -> C:\Documents and Settings\willie_dinish\Local Settings\Application Data\PUTTY.RND -> [2011/07/20 18:31:39 | 000,000,600 | ---- | C] ()
dcache.bin -> C:\WINDOWS\System32\dcache.bin -> [2011/05/29 22:16:04 | 000,001,788 | ---- | C] ()
PEV.exe -> C:\WINDOWS\PEV.exe -> [2011/05/18 23:47:19 | 000,256,000 | ---- | C] ()
MBR.exe -> C:\WINDOWS\MBR.exe -> [2011/05/18 23:47:19 | 000,208,896 | ---- | C] ()
sed.exe -> C:\WINDOWS\sed.exe -> [2011/05/18 23:47:19 | 000,098,816 | ---- | C] ()
grep.exe -> C:\WINDOWS\grep.exe -> [2011/05/18 23:47:19 | 000,080,412 | ---- | C] ()
zip.exe -> C:\WINDOWS\zip.exe -> [2011/05/18 23:47:19 | 000,068,096 | ---- | C] ()

[Alternate Data Streams]
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


----------



## Cookiegal (Aug 27, 2003)

Were you able to run that program in normal mode without any problems?

I'm sorry but I can't use the log pasted like that. That's why the instructions said to upload it as an attachment. Otherwise, you'll have to copy and paste it again and encase it in code tags, because the board software inserts spaces in long lines and an added space will cause any fix to not work properly.


----------



## wdauser (Mar 30, 2011)

OTS was unresponsive in normal mode. Could not be installed in normal mode. Continues to be unresponsive in normal mode. Works fine in safe mode.

Apologies for the attachment. I did not get all of the instructions somehow. Please find the enclosed.

Thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here please.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\] > -> HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "TVU Networks" -> [rundll32.exe "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll",CreateTzanShellW]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {BDEE1959-AB6B-4745-A29B-F492861102CC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> ctfmon.exe hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
[Alternate Data Streams]
NY -> @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```


----------
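The "Application Error" records in the EventViewer section of the scan log and the Run value targeted by the fix above point at the same DLL. The following Python script is an added example (not code from this thread, from OTS, or from OldTimer): it parses OTS-style lines, constructed here from entries quoted in the thread, and flags a rundll32 autorun whose DLL lives under a user profile and also shows up as the faulting module in Internet Explorer crashes. The regexes and the sample lines are assumptions modelled on the log format shown.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample, modelled on the OTS lines quoted in this thread: a Run
# value that launches a DLL through rundll32.exe, a benign Run value, and
# "Application Error" records from the EventViewer section. Not a verbatim log.
SAMPLE_LOG = r'''
"TVU Networks" -> [rundll32.exe "C:\Documents and Settings\willie_dinish\Local Settings\Application Data\WMTools Downloaded Files\TVU Networks\yzqugy.dll",CreateTzanShellW] ->
"SunJavaUpdateSched" -> C:\Program Files\Common Files\Java\Java Update\jusched.exe -> [2011/01/07 12:12:22 | 000,253,672 | ---- | M] (Sun Microsystems, Inc.)
Application [ Error ] 12/4/2012 11:21:36 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module dealcabby_20121029030001.dll, version 0.0.0.0, fault address 0x00001b73.
Application [ Error ] 12/5/2012 12:16:31 AM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module yzqugy.dll, version 3.5.0.3025, fault address 0x00001230.
Application [ Error ] 12/5/2012 11:00:55 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module yzqugy.dll, version 3.5.0.3025, fault address 0x00001230.
Application [ Error ] 12/5/2012 11:09:26 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18928, fault address 0x00095952.
Application [ Error ] 12/5/2012 11:36:40 PM Computer Name = WILLIEDINISH | Source = Application Error | ID = 1000 -> Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x20468b3d.
'''

# Event ID 1000 description text, as OTS prints it (assumed format).
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<module>\S+), version (?P<mod_ver>[\d.]+), "
    r"fault address (?P<addr>0x[0-9A-Fa-f]+)"
)
# A Run value whose command is rundll32.exe "<dll>",<export> (assumed format).
RUNDLL_RE = re.compile(
    r'"(?P<name>[^"]+)" -> \[rundll32\.exe "(?P<dll>[^"]+)"(?:,(?P<entry>\w+))?\]'
)
# Profile locations a standard user can write to. Code autostarting from here
# deserves a second look; installers normally use Program Files or System32.
USER_WRITABLE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Local Settings|Application Data)\\",
    re.IGNORECASE,
)


def parse_fault_events(log):
    """Return one dict per 'Faulting application ...' record in the log."""
    return [m.groupdict() for line in log.splitlines()
            if (m := FAULT_RE.search(line))]


def parse_rundll_entries(log):
    """Return one dict per Run value that loads a DLL through rundll32.exe."""
    return [m.groupdict() for line in log.splitlines()
            if (m := RUNDLL_RE.search(line))]


def unversioned_modules(log):
    """Faulting modules with no usable version info (0.0.0.0 or 'unknown').
    Vendor DLLs almost always carry a version resource; these do not."""
    return sorted({e["module"] for e in parse_fault_events(log)
                   if e["mod_ver"] == "0.0.0.0" or e["module"] == "unknown"})


def correlate(log):
    """Flag rundll32 autoruns that are user-profile resident and/or crash
    other processes, joining the Run value to the crash records by DLL name."""
    crashes = Counter(e["module"].lower() for e in parse_fault_events(log))
    findings = []
    for entry in parse_rundll_entries(log):
        dll = PureWindowsPath(entry["dll"]).name.lower()
        reasons = []
        if USER_WRITABLE_RE.search(entry["dll"]):
            reasons.append("DLL lives under a user profile, not Program Files or System32")
        if crashes[dll]:
            reasons.append(f"same DLL is the faulting module in {crashes[dll]} crash record(s)")
        if reasons:
            findings.append({"run_value": entry["name"], "dll": dll,
                             "entry_point": entry["entry"],
                             "crash_count": crashes[dll], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f'[!] Run value "{f["run_value"]}" -> {f["dll"]} ({f["entry_point"]})')
        for reason in f["reasons"]:
            print("    -", reason)
    print("faulting modules without version info:", unversioned_modules(SAMPLE_LOG))
```

On the sample above the script reports the "TVU Networks" value for both reasons and lists dealcabby_20121029030001.dll and "unknown" as modules that crashed without version information.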



## wdauser (Mar 30, 2011)

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1801674531-1532298954-2146899641-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TVU Networks deleted successfully.
Starting removal of ActiveX control {BDEE1959-AB6B-4745-A29B-F492861102CC}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BDEE1959-AB6B-4745-A29B-F492861102CC}\Contains\Files\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BDEE1959-AB6B-4745-A29B-F492861102CC}\DownloadInformation\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDEE1959-AB6B-4745-A29B-F492861102CC}\ not found.
[Registry - Additional Scans - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
[Empty Temp Folders]

User: Administrator
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.WILLIEDINISH
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.WILLIEDINISH.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 771 bytes

User: Test Bot
->Temp folder emptied: 28095 bytes
->Temporary Internet Files folder emptied: 14544047 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1319 bytes

User: willie_dinish
->Temp folder emptied: 66772 bytes
->Temporary Internet Files folder emptied: 1100999786 bytes
->Java cache emptied: 11959410 bytes
->Flash cache emptied: 9652953 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 306024 bytes

Total Files Cleaned = 1,085.00 mb

[EMPTYFLASH]

User: Administrator

User: Administrator.WILLIEDINISH

User: Administrator.WILLIEDINISH.000
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Test Bot
->Flash cache emptied: 0 bytes

User: willie_dinish
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: Administrator

User: Administrator.WILLIEDINISH

User: Administrator.WILLIEDINISH.000

User: All Users

User: Default User

User: LocalService
->Java cache emptied: 0 bytes

User: NetworkService
->Java cache emptied: 0 bytes

User: Test Bot
->Java cache emptied: 0 bytes

User: willie_dinish
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 12122012_193400


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## wdauser (Mar 30, 2011)

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/10/2012
Time: 9:10:35 AM
User: N/A
Computer: WILLIEDINISH
Description:
Faulting application realplay.exe, version 15.0.6.14, faulting module rpcl3260.dll, version 15.0.6.14, fault address 0x00042889.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:28:50 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:27:19 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:26:58 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:25:32 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:25:11 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:24:38 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:24:13 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:22:51 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:22:30 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 12/13/2012
Time: 7:22:09 PM
User: N/A
Computer: WILLIEDINISH
Description:
The following boot-start or system-start driver(s) failed to load: 
Fips
intelppm
OMCI
TfFsMon
TfSysMon
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:21:59 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:21:31 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/13/2012
Time: 7:21:26 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 12/13/2012
Time: 7:20:29 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 12/13/2012
Time: 6:53:15 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 12/13/2012
Time: 6:52:40 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 12/13/2012
Time: 12:23:37 AM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 12/13/2012
Time: 12:21:36 AM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 12/12/2012
Time: 9:02:56 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 12/12/2012
Time: 9:02:15 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Windows Update Agent
Event Category: Software Sync 
Event ID: 16
Date: 12/12/2012
Time: 7:46:35 PM
User: N/A
Computer: WILLIEDINISH
Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 69 6e 33 32 48 52 65 Win32HRe
0008: 73 75 6c 74 3d 30 78 30 sult=0x0
0010: 30 30 30 30 30 30 30 20 0000000 
0018: 55 70 64 61 74 65 49 44 UpdateID
0020: 3d 7b 30 30 30 30 30 30 ={000000
0028: 30 30 2d 30 30 30 30 2d 00-0000-
0030: 30 30 30 30 2d 30 30 30 0000-000
0038: 30 2d 30 30 30 30 30 30 0-000000
0040: 30 30 30 30 30 30 7d 20 000000} 
0048: 52 65 76 69 73 69 6f 6e Revision
0050: 4e 75 6d 62 65 72 3d 30 Number=0
0058: 20 00 .

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 12/12/2012
Time: 7:45:14 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 12/12/2012
Time: 7:44:35 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:43:37 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 12/12/2012
Time: 7:42:44 PM
User: N/A
Computer: WILLIEDINISH
Description:
The following boot-start or system-start driver(s) failed to load: 
Fips
intelppm
OMCI
TfFsMon
TfSysMon
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:42:21 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:41:47 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 12/12/2012
Time: 7:40:53 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 12/12/2012
Time: 7:39:40 PM
User: N/A
Computer: WILLIEDINISH
Description:
The Upload Manager service failed to start due to the following error: 
The account specified for this service is different from the account specified for other services running in the same process. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 12/12/2012
Time: 7:39:00 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:38:00 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:33:35 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:30:16 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:30:04 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:29:53 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:26:24 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:26:10 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:25:52 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:25:29 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:25:01 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:24:44 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:24:17 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:24:12 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:23:50 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:23:07 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:22:35 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:22:24 PM
User: WILLIEDINISH\willie_dinish
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 12/12/2012
Time: 7:20:37 PM
User: N/A
Computer: WILLIEDINISH
Description:
The following boot-start or system-start driver(s) failed to load: 
Fips
intelppm
OMCI
TfFsMon
TfSysMon
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/12/2012
Time: 7:19:47 PM
User: NT AUTHORITY\SYSTEM
Computer: WILLIEDINISH
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Popup
Event Category: None
Event ID: 876
Date: 12/12/2012
Time: 7:18:47 PM
User: N/A
Computer: WILLIEDINISH
Description:
Driver UdfReadr.SYS has been blocked from loading.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 10 00 02 00 74 00 ......t.
0008: 00 00 00 00 6c 03 00 c0 ....l..À
0010: 00 00 00 00 6c 03 00 c0 ....l..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 66 e3 d9 7d ef 34 4f 40 fãÙ}ï4O@
0030: bf 69 57 4a 81 54 ba 5d ¿iWJTº]


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.


----------



## wdauser (Mar 30, 2011)

Had to run hijackthis in safe mode. Log is below.

32 Bit HP CIO Components Installer
Adaptec UDF Reader
Adobe AIR
Adobe AIR
Adobe Community Help
Adobe Community Help
Adobe Reader 7.0
ATT-RC Self Support Tool
Broadcom Gigabit Integrated Controller
Browser Hijack Recover(BHR) 3.0
CCleaner (remove only)
C-Major Audio
Conexant D110 MDC V.9x Modem
Creative MuVo NX-TX
Creative System Information
Dell ResourceCD
DivX Web Player
doPDF 7.0 printer
DreamStation DXi
ESET Online Scanner v3
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Deskjet All-In-One Software 9.0
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Java(TM) 6 Update 25
Legal Forms and Guide
Malwarebytes Anti-Malware version 1.65.1.1000
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mIWCA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mToolkit
MuVo Driver
mWlsSafe
mXML
mZConfig
P2PFilter 3.0.5
PowerDVD
Readon TV Movie Radio Player 7.2.0.0
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio Update Manager
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SmartSound Quicktracks for Premiere Elements 9.0
SmartSound Quicktracks for Premiere Elements 9.0
Sonic Activation Module
Spybot - Search & Destroy 1.3
Texas Instruments PCIxx21/x515 drivers.
ThreatFire
Unlocker 1.9.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VeloMaster Lite CW
VideoLAN VLC media player 0.8.6c
Virtual Sound Canvas DXi
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR 4.20 (32-bit)


----------



## Cookiegal (Aug 27, 2003)

I asked my colleagues for their opinions and it was suggested to uninstall ThreatFire and SpyBot Search & Destroy as these programs are probably interfering with the running of the programs. I thought I had already tried that but as the thread is getting long I forgot about it.

Uninstall those programs as a test and reboot after uninstalling as some components will likely only be removed on reboot. Do a quick test of those programs but restrict Internet usage until you get an anti-virus program installed. You won't be able to install Microsoft Security Essentials until you get SP3 on there but in the meantime you can download something else like Avast as you will need some protection.

Let me know how this goes please.


----------



## wdauser (Mar 30, 2011)

I have uninstalled ThreatFire. Since removal, the unresponsive programs (OTS, OTL, Combofix, Malwarebytes, etc.) are now responding in normal mode. I have tested each of them at least 3 times now and get affirmative results from each of the programs. This is obviously a major improvement. NOTE: At the uninstall completion, I noted that the ThreatFire program opened a webpage and stated something to the effect of this being a "retired" program. I did not get to read the whole message (and haven't had a chance to go back and check this) before the computer rebooted.

Do you think that the age/status of Threatfire could have contributed to the issues that we have been dealing with?

Next, I still have Spybot installed. I know that uninstall has been recommended. Should I continue to uninstall this program? It does not appear to be conflicting with other programs. But it does seem to be running a bit of amateur hour, and by that I mean it's still informing me when items have changed (i.e., ThreatFire is no longer available to the startup profile).

Finally, I did download a MS protection program about a month ago. I have not installed it or attempted to use it. I will remove it from my system at this time, based upon your recommendation above. You may or may not recall that my machine was a gift and I do not have an install disk, which was part of an issue early on with this antivirus program issue. Would this be a good time to address the issue of MS SP3? Also, would this be a good time to uninstall/remove any other programs that could be causing problems?

I will download and install Avast as soon as possible.

Thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

ThreatFire has indeed been retired as of October 11th, 2012 as you can see near the bottom of this page:

http://www.pctools.com/kb/article/latest-release-and-download-information-324.html

ThreatFire was responsible for blocking those programs but you did have a rootkit infection which we took care of.

I would uninstall SpyBot Search & Destroy and keep MalwareBytes.

What MS protection program are you referring to?

You definitely need to get SP3 on there but there are some steps to follow which are outlined in this article:

http://support.microsoft.com/kb/950717

How are things running on this machine now?


----------



## wdauser (Mar 30, 2011)

Happy New Year.

Machine is running well. I have uninstalled Spybot and ThreatFire. I'm still reading up on Windows SP3 and Avast.

Both appear to be rather large downloads. Could you recommend a safe place to download Avast? Everything that I could find was very commercial for this software.

Thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

Here's the link to download from the Avast.com site (click the "Download" button at the bottom of the first column):

http://www.avast.com/en-ca/free-antivirus-download


----------



## wdauser (Mar 30, 2011)

Machine is still running well. I have been doing a bit of research and a lot of file moving since our last discussion. Found out that I might really need to move to Microsoft Service XP Service Pack 3. In my research, though, I did not succeed in filing SP3 for laptops. Any assistance on this would be appreciated.

Thanks.


----------



## Cookiegal (Aug 27, 2003)

Here's a link describing how to prepare to install SP3:

http://technet.microsoft.com/en-us/library/cc507836.aspx

and here's a link to download SP3:

http://www.microsoft.com/en-us/download/details.aspx?id=24


----------

