Constant 'Blocked Access' pop up

Masters · December 27, 2010

I continually get a Malware Bytes pop up stating 'Successfully blocked IP access to a potentially malicious site' Type: outgoing. There are several different IP addresses that show up. This is a sample from the protection log:

11:20:28 randy IP-BLOCK 194.8.251.137 (Type: outgoing)

11:20:41 randy IP-BLOCK 194.8.251.136 (Type: outgoing)

11:20:44 randy IP-BLOCK 194.8.251.136 (Type: outgoing)

11:20:50 randy IP-BLOCK 194.8.251.136 (Type: outgoing)

11:21:02 randy IP-BLOCK 212.117.177.13 (Type: outgoing)

11:21:05 randy IP-BLOCK 212.117.177.13 (Type: outgoing)

11:21:11 randy IP-BLOCK 212.117.177.13 (Type: outgoing)

11:21:23 randy IP-BLOCK 212.117.177.13 (Type: outgoing)

11:21:26 randy IP-BLOCK 212.117.177.13 (Type: outgoing)

11:21:32 randy IP-BLOCK 212.117.177.13 (Type: outgoing)

11:21:44 randy IP-BLOCK 194.8.251.138 (Type: outgoing)

11:21:47 randy IP-BLOCK 194.8.251.138 (Type: outgoing)

11:21:53 randy IP-BLOCK 194.8.251.138 (Type: outgoing)

11:27:11 randy IP-BLOCK 194.60.205.222 (Type: outgoing)

11:27:14 randy IP-BLOCK 194.60.205.222 (Type: outgoing)

11:27:20 randy IP-BLOCK 194.60.205.222 (Type: outgoing)

11:27:32 randy IP-BLOCK 89.187.53.53 (Type: outgoing)

11:27:35 randy IP-BLOCK 89.187.53.53 (Type: outgoing)

11:27:41 randy IP-BLOCK 89.187.53.53 (Type: outgoing)

11:27:53 randy IP-BLOCK 194.60.205.222 (Type: outgoing)

11:27:56 randy IP-BLOCK 194.60.205.222 (Type: outgoing)

11:28:02 randy IP-BLOCK 194.60.205.222 (Type: outgoing)

These aren't all the IP address. It seams to try some for a while, then it goes to a different set. A full scan shows no viruses or malware.

Maniac · December 28, 2010

Hello Masters! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Follow my instructions step by step if there is a problem somewhere, stop and tell me.
Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install or uninstall any software or hardware, while work on.
Keep me informed about any changes.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, change it to Cure and then click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

Masters · December 28, 2010

Hello Masters! Welcome to Malwarebytes' Anti-Malware Forums!
My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:
The process of cleaning your system may take some time, so please be patient.
Follow my instructions step by step if there is a problem somewhere, stop and tell me.
Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install or uninstall any software or hardware, while work on.
Keep me informed about any changes.
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, change it to Cure and then click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
Click the Report button and copy/paste the contents of it into your next reply
Note:It will also create a log in the C:\ directory.

Thanks for helping, Borislav.

I have run the TDSSkiller application. It found one infected driver. I then rebooted as directed. Following is the log. I left out the list of drivers it scanned for easier reading.

2010/12/28 07:08:09.0848 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2010/12/28 07:08:09.0848 ====================================================

2010/12/28 07:08:09.0848 SystemInfo:

2010/12/28 07:08:09.0848

2010/12/28 07:08:09.0848 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/28 07:08:09.0848 Product type: Workstation

2010/12/28 07:08:09.0848 ComputerName: RANDY-LT

2010/12/28 07:08:09.0848 UserName: randy

2010/12/28 07:08:09.0848 Windows directory: C:\WINDOWS

2010/12/28 07:08:09.0848 System windows directory: C:\WINDOWS

2010/12/28 07:08:09.0848 Processor architecture: Intel x86

2010/12/28 07:08:09.0848 Number of processors: 1

2010/12/28 07:08:09.0848 Page size: 0x1000

2010/12/28 07:08:09.0848 Boot type: Normal boot

2010/12/28 07:08:09.0848 ====================================================

2010/12/28 07:08:10.0449 Initialize success

2010/12/28 07:08:20.0974 ====================================================

2010/12/28 07:08:20.0974 Scan started

2010/12/28 07:08:20.0974 Mode: Manual;

2010/12/28 07:08:20.0974 ====================================================

2010/12/28 07:10:26.0044 Scan finished

2010/12/28 07:10:26.0044 ====================================================

2010/12/28 07:10:26.0064 Detected object count: 1

2010/12/28 07:11:26.0040 Cdrom (a31d3f13c972a6a5cb3b15f69fa3b531) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/12/28 07:11:26.0040 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: a31d3f13c972a6a5cb3b15f69fa3b531, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe

2010/12/28 07:11:29.0836 Backup copy found, using it..

2010/12/28 07:11:29.0956 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured after reboot

2010/12/28 07:11:29.0956 Rootkit.Win32.TDSS.tdl3(Cdrom) - User select action: Cure

2010/12/28 07:12:20.0088 Deinitialize success

So far, there has been no pop ups. On a possibly unrelated issue, I set the Malwarebytes protection mode to on and set start with Windows. Until yesterday, this has always enabled protection on Windows start up. Now, when I boot the system, Malwarebytes protection is disabled. I have to manually start the protection. I have performed a full scan after updating the application to 1.50.1.1100 and the database to version 5405. It found no suspicious items.

Maniac · December 28, 2010

I want to see log file from Quick Scan.

Masters · December 28, 2010

I want to see log file from Quick Scan.

Here's the log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5406

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

12/28/2010 1:24:05 PM

mbam-log-2010-12-28 (13-24-05).txt

Scan type: Quick scan

Objects scanned: 174006

Time elapsed: 21 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Maniac · December 29, 2010

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Open Tools -> Options -> Main tab
- Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Masters · December 29, 2010

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **
Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.
Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.
Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.
Please download ComboFix from
Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Open Tools -> Options -> Main tab
Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:
[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

When I try to run Combo-Fix, I get the message that it can't run with CA Antivirus installed. I had removed the application using the Windows 'Remove Software' a long time ago. I looked in the registry and there are some entries there. I followed the install path to a directory in the Program Files. There is a CA directory. When I try to delete it, I get Cannot delete lic98.dll, access denied. See attachment for screen shots. Any suggestions?

Combofix_errors.doc

Maniac · December 29, 2010

Ignore the message for now. When we finish, I'll help you to clear these leftovers.

Masters · December 29, 2010

Ignore the message for now. When we finish, I'll help you to clear these leftovers.

The problem is it doesn't give me the option to proceed with the ComboFix scan until the CA Virus software is removed. I don't know what it is looking at to determine that the CA software is installed. If it is the registry entries, I could delete them. If it is something in the CA folder, I could try deleting them one at a time and leaving only those that have access denied. At this time, I think it is just the dll.

Maniac · December 29, 2010

What about in Safe Mode with Networking?

http://www.microsoft.com/resources/documen...t_failsafe.mspx

Masters · December 30, 2010

What about in Safe Mode with Networking?
http://www.microsoft.com/resources/documen...t_failsafe.mspx

I was able to remove the directory and registry entries for CA Virus Protection in safe mode. I then tried the ComboFix in safe mode. It had me download the Windows Console, it created a backup for a new start point, then it went into the scan process. At first, it shows the disk light blinking, the system clock in the sys tray advances, and items in the task bar highlight if I hover the cursor over them. After about 2 minutes, the system clock stops advancing, task bar items (including the start button) stop highlighting if I hover, the disk light goes on solid. I have let this stay this way for over 2 hours and nothing happens. The keyboard is still working, but all I can do is toggle the caps lock and the num lock. The mouse still works, but I can't select anything. If I click on the desktop, the header bar on the ComboFix window shows it is not the active window and it does if I click on the header bar. The WiFi lamp blinks as well. Even ctrl-alt-delete doesn't work. All I can do is hard boot the system. This happens in safe mode and normal mode.

Maniac · December 30, 2010

Something does not allow ComboFix to run.

Download OTL to your desktop. Otherwise, try OTL.com or OTL.scr .
Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Once OTL has completed its first scan it will save notepad copies of the scans in the folder that OTL was started from. Unless set to produce an Extras log it will only produce OTL.txt in subsequent scans.

A copy of an OTL fix log is saved in a text file at

:\_OTL\Moved Files
- in most cases this will be C:\_OTL\Moved Files

Masters · December 30, 2010

Maniac · January 3, 2011

Do you still with me?

Masters · January 3, 2011

Masters · January 3, 2011

Do you still with me?

This is the second time I have copied and pasted the OTL and Extras logs to my reply, but it keeps making a blank reply. I will now try one at a time in the next two posts.

Masters · January 3, 2011

This is the OLT Extras log:

OTL Extras logfile created on: 12/30/2010 9:20:59 AM - Run 1

OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\randy.IBS002580\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

758.00 Mb Total Physical Memory | 344.00 Mb Available Physical Memory | 45.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free

Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 23.53 Gb Total Space | 2.54 Gb Free Space | 10.78% Space Free | Partition Type: NTFS

Computer Name: RANDY-LT | User Name: randy | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found

https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%ProgramFiles%\IBM\Updater\jre\bin\javaw.exe" = %ProgramFiles%\IBM\Updater\jre\bin\javaw.exe:*:enabled:Java launcher -- (IBM)

"%ProgramFiles%\IBM\Updater\jre\bin\java.exe" = %ProgramFiles%\IBM\Updater\jre\bin\java.exe:*:enabled:Java launcher -- (IBM)

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:Java launcher -- (IBM)

"C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:Java launcher -- (IBM)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:UC Tray Icon -- (IBM Corporation, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%ProgramFiles%\IBM\Updater\jre\bin\javaw.exe" = %ProgramFiles%\IBM\Updater\jre\bin\javaw.exe:*:enabled:Java launcher -- (IBM)

"%ProgramFiles%\IBM\Updater\jre\bin\java.exe" = %ProgramFiles%\IBM\Updater\jre\bin\java.exe:*:enabled:Java launcher -- (IBM)

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:Java launcher -- (IBM)

"C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:Java launcher -- (IBM)

"C:\Program Files\IBM\Client Access\cwbunnav.exe" = C:\Program Files\IBM\Client Access\cwbunnav.exe:*:Enabled:cwbunnav.exe -- (IBM Corporation)

"C:\Program Files\IBM\Client Access\cwbopcon.exe" = C:\Program Files\IBM\Client Access\cwbopcon.exe:*:Enabled:cwbopcon -- (IBM Corporation)

"C:\Program Files\IBM\Client Access\JRE\bin\javaw.exe" = C:\Program Files\IBM\Client Access\JRE\bin\javaw.exe:*:Enabled:Java launcher -- (IBM)

"C:\Documents and Settings\randy.IBS002580\Local Settings\Temp\LRE3B.tmp\jre\bin\java.exe" = C:\Documents and Settings\randy.IBS002580\Local Settings\Temp\LRE3B.tmp\jre\bin\java.exe:*:Enabled:Java launcher -- File not found

"C:\Documents and Settings\randy.IBS002580\Local Settings\Temp\LREE.tmp\jre\bin\java.exe" = C:\Documents and Settings\randy.IBS002580\Local Settings\Temp\LREE.tmp\jre\bin\java.exe:*:Enabled:Java launcher -- File not found

"C:\Program Files\IBM\IBM System Planning Tool\_jvm\jre\bin\java.exe" = C:\Program Files\IBM\IBM System Planning Tool\_jvm\jre\bin\java.exe:*:Enabled:Java launcher -- File not found

"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)

"C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20080709-200808010926\jre\bin\javaw.exe" = C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20080709-200808010926\jre\bin\javaw.exe:*:Enabled:Java Platform SE binary -- File not found

"C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20080709-200808010926\jre\bin\notes2w.exe" = C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20080709-200808010926\jre\bin\notes2w.exe:*:Enabled:Lotus Notes -- File not found

"C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Enabled:SAgent4 -- (SEIKO EPSON CORPORATION)

"C:\Program Files\Java\jre1.6.0_07\bin\java.exe" = C:\Program Files\Java\jre1.6.0_07\bin\java.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)

"C:\Documents and Settings\randy.IBS002580\Local Settings\Temp\LRE13E.tmp\jre\bin\java.exe" = C:\Documents and Settings\randy.IBS002580\Local Settings\Temp\LRE13E.tmp\jre\bin\java.exe:*:Enabled:Java launcher -- File not found

"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.1.20090925-1604\win32\x86\notes2.exe" = C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.1.20090925-1604\win32\x86\notes2.exe:*:Enabled:Lotus Notes -- (IBM)

"C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:UC Tray Icon -- (IBM Corporation, Inc.)

"C:\Documents and Settings\randy.IBS002580\Local Settings\Temp\I1274472556\Windows\resource\jre\jre\bin\javaw.exe" = C:\Documents and Settings\randy.IBS002580\Local Settings\Temp\I1274472556\Windows\resource\jre\jre\bin\javaw.exe:*:Enabled:Java Platform SE binary -- File not found

"C:\Program Files\IBM\IBM System Planning Tool\jre\jre\bin\java.exe" = C:\Program Files\IBM\IBM System Planning Tool\jre\jre\bin\java.exe:*:Enabled:Java Platform SE binary -- (IBM)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- File not found

"C:\Program Files\Motorola\Software Update\msu.exe" = C:\Program Files\Motorola\Software Update\msu.exe:*:Enabled:msu -- File not found

"C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVC.exe" = C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVC.exe:*:Enabled:SonicWALL Global VPN Client -- (SonicWALL, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator

"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager

"{1007F41F-7D69-468E-8017-3849A5A973C2}" = IBM ThinkVantage Technologies Welcome Message

"{10C69612-017B-45F5-B986-7D113D5A2EA3}" = MSN Toolbar

"{11783F13-C3A9-44A8-929B-21A476F65272}" = IBM Rescue and Recovery with Rapid Restore

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = IBM DLA

"{164EB883-354E-4290-AD76-67CEE65403A3}" = IBM System i Access for Windows V6R1M0

"{16906D21-0656-4F8B-9A01-C3D24B5401FC}" = Intel® PROSet for Wired Connections

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = IBM ThinkPad Keyboard Customizer Utility

"{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 20

"{2C42ED1E-6315-4E63-89E6-057EA114EBB8}" = MetaFrame Presentation Server Client

"{30C10EE3-EFB3-4B7A-9CDC-50790C2B5200}" = CA Licensing

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{40624553-811E-400E-B69B-38D8926A66BD}" = SonicWALL Global VPN Client

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis

"{461D92DA-0B8C-496B-B6AA-BD0614BE0867}" = Kyocera Wireless USB Device Drivers

"{47CB8B6B-49DF-4058-AC2B-1596E3BE63EA}" = Garmin City Navigator North America 2009

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack

"{56373057-E823-4DDE-98C3-E89AEF7895B8}" = Intel® Sebring API

"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource

"{58FA5D40-E35A-47ED-8AFA-68CCC758559E}" = Garmin MapSource

"{5C0054EB-24A5-46A8-80E3-62AAA930DEFA}" = Sound Blaster Live! 24-Bit External

"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers

"{6C72E14A-C1F3-45E5-8810-83CE3C19ED63}" = IBM 32-bit Runtime Environment for Java 2, v1.4.1

"{6CE96A14-61E2-48CC-837E-22710A953ADE}" = IBM Themes

"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes

"{836670E9-61EB-4D47-9EF8-CFE936C3FE32}" = Lotus Notes 8.5.1

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver

"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)

"{8D815BF3-2399-459C-B121-49373FEFB9E8}" = IBM Update Connector

"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)

"{90520409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Viewer 2003 (English)

"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003

"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD

"{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine

"{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}" = MotoHelper MergeModules

"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = IBM RecordNow!

"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar

"{9D18F7F8-B984-4249-8512-CC621BC59F12}" = Microsoft Location Finder

"{9E384B32-59C8-46EF-BEA6-4DC8F27CDB8E}" = InstallVC90Support

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0

"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials

"{C82185E8-C27B-4EF4-2009-4444BC2C2B6D}" = Microsoft Streets & Trips 2009

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CD95F661-A5C4-44F5-A6AA-ECDD91C240C0}" = WinZip 15.0

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{DDE34257-E4E5-49CB-BE92-337DE7C90345}" = Mobile Broadband Generic Drivers

"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime

"{EA664480-3844-11D5-8C25-444553540000}" = IBM TrackPoint Accessibility Features

"{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}" = Access IBM

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers

"{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}" = Access IBM Message Center

"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"CCleaner" = CCleaner

"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = IBM Integrated 56K Modem

"DAO" = DAO

"EasyEject Utility" = IBM ThinkPad EasyEject Utility

"eConfig" = IBM eConfig

"IBM System Planning Tool" = IBM System Planning Tool

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ieSpell" = ieSpell

"InstallShield_{6C72E14A-C1F3-45E5-8810-83CE3C19ED63}" = IBM 32-bit Runtime Environment for Java 2, v1.4.1

"Lexmark_HostCD" = Lexmark Software Uninstall

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"Power Features" = IBM ThinkPad Battery MaxiMiser and Power Management Features

"Power Management Driver" = IBM ThinkPad Power Management Driver

"Presentation Director" = IBM ThinkPad Presentation Director

"PROSet" = Intel® PRO Network Adapters and Drivers

"RoomEQWizard" = RoomEQWizard

"Selling Chain 3.2" = Selling Chain 3.2

"SpySweeper" = Spy Sweeper

"SysInfo" = Creative System Information

"ThinkPad Configuration" = IBM ThinkPad Configuration

"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier

"ThinkPadSoftwareInstaller" = ThinkPad Software Installer

"TrackPoint" = ThinkPad TrackPoint Driver

"VRPGRT10" = VisualAge for RPG - Run-Time V51

"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

"WIC" = Windows Imaging Component

"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinLiveSuite_Wave3" = Windows Live Essentials

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"Yahoo! Companion" = Yahoo! Toolbar

"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 12/27/2010 4:53:43 PM | Computer Name = RANDY-LT | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 12/27/2010 7:07:40 PM | Computer Name = RANDY-LT | Source = Application Error | ID = 1000

Description = Faulting application z2ohpet8.exe, version 1.0.15.15530, faulting

module z2ohpet8.exe, version 1.0.15.15530, fault address 0x0000c551.

Error - 12/27/2010 10:35:40 PM | Computer Name = RANDY-LT | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 12/27/2010 10:35:40 PM | Computer Name = RANDY-LT | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 12/27/2010 10:35:40 PM | Computer Name = RANDY-LT | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 12/27/2010 10:35:41 PM | Computer Name = RANDY-LT | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 12/27/2010 10:35:41 PM | Computer Name = RANDY-LT | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 12/27/2010 11:21:28 PM | Computer Name = RANDY-LT | Source = Application Error | ID = 1000

Description = Faulting application unspysweeper.exe, version 2.1.0.34, faulting

module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 12/28/2010 11:08:05 AM | Computer Name = RANDY-LT | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 12/28/2010 11:08:05 AM | Computer Name = RANDY-LT | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

[ System Events ]

Error - 12/29/2010 7:59:39 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7000

Description = The Event Log Watch service failed to start due to the following error:

%%3

Error - 12/29/2010 7:59:39 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7000

Description = The Sansa Updater Service service failed to start due to the following

error: %%2

Error - 12/29/2010 8:22:45 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7034

Description = The IBM KCU Service service terminated unexpectedly. It has done

this 1 time(s).

Error - 12/29/2010 9:18:50 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7000

Description = The Event Log Watch service failed to start due to the following error:

%%3

Error - 12/29/2010 9:18:50 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7000

Description = The Sansa Updater Service service failed to start due to the following

error: %%2

Error - 12/29/2010 9:24:37 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7000

Description = The Event Log Watch service failed to start due to the following error:

%%3

Error - 12/29/2010 9:24:37 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7000

Description = The Sansa Updater Service service failed to start due to the following

error: %%2

Error - 12/29/2010 9:34:38 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7034

Description = The IBM KCU Service service terminated unexpectedly. It has done

this 1 time(s).

Error - 12/29/2010 11:18:50 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7000

Description = The Event Log Watch service failed to start due to the following error:

%%3

Error - 12/29/2010 11:18:50 PM | Computer Name = RANDY-LT | Source = Service Control Manager | ID = 7000

Description = The Sansa Updater Service service failed to start due to the following

error: %%2

< End of report >

Masters · January 3, 2011

This is the OTL log:

OTL logfile created on: 12/30/2010 9:20:59 AM - Run 1

OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\randy.IBS002580\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

758.00 Mb Total Physical Memory | 344.00 Mb Available Physical Memory | 45.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free

Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 23.53 Gb Total Space | 2.54 Gb Free Space | 10.78% Space Free | Partition Type: NTFS

Computer Name: RANDY-LT | User Name: randy | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\randy.IBS002580\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

PRC - C:\Program Files\IBM\Lotus\Notes\ntmulti.exe (IBM Corp)

PRC - C:\Program Files\IBM\Lotus\Notes\nsd.exe (IBM)

PRC - C:\Program Files\Lenovo\TrackPoint\tp4serv.exe (Lenovo Group Limited)

PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

PRC - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe (SonicWALL, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBUA.EXE (SEIKO EPSON CORPORATION)

PRC - C:\WINDOWS\system32\1XConfig.exe (Intel)

PRC - C:\WINDOWS\system32\S24EvMon.exe (Intel Corporation )

PRC - C:\WINDOWS\system32\RegSrvc.exe (Intel Corporation)

PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE (IBM Corp.)

PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)

PRC - C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)

PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()

PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe ()

PRC - C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe (Creative Technology Ltd)

PRC - C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)

PRC - C:\Program Files\Analog Devices\SoundMAX\SMax4.exe (Analog Devices, Inc.)

PRC - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe ()

PRC - C:\IBMTOOLS\utils\ibmprc.exe (IBM Corp.)

PRC - C:\WINDOWS\system32\ibmpmsvc.exe ()

PRC - C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe (IBM Corp.)

PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

PRC - C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)

PRC - C:\WINDOWS\system32\TpKmpSvc.exe ()

PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe (IBM Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\randy.IBS002580\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (SansaService) -- C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe File not found

SRV - (PsaSrv) -- C:\WINDOWS\System32\PsaSrv.exe File not found

SRV - (LogWatch) -- C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe File not found

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found

SRV - (CA_LIC_SRVR) -- C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe File not found

SRV - (CA_LIC_CLNT) -- C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe File not found

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

SRV - (Cwbrxd) -- C:\WINDOWS\cwbrxd.exe (IBM Corporation)

SRV - (Multi-user Cleanup Service) -- C:\Program Files\IBM\Lotus\Notes\ntmulti.exe (IBM Corp)

SRV - (Lotus Notes Diagnostics) -- C:\Program Files\IBM\Lotus\Notes\nsd.exe (IBM)

SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

SRV - (SWGVCSvc) -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe (SonicWALL, Inc.)

SRV - (OKI OPHC DCS Loader) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE (Oki Data Corporation)

SRV - (S24EventMonitor) -- C:\WINDOWS\system32\S24EvMon.exe (Intel Corporation )

SRV - (RegSrvc) -- C:\WINDOWS\system32\RegSrvc.exe (Intel Corporation)

SRV - (QCONSVC) -- C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)

SRV - (IBM Rapid Restore Ultra Service) -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe ()

SRV - (IBMPMSVC) -- C:\WINDOWS\system32\ibmpmsvc.exe ()

SRV - (TpKmpSVC) -- C:\WINDOWS\system32\TpKmpSvc.exe ()

SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

========== Driver Services (SafeList) ==========

DRV - (vsdatant) -- C:\WINDOWS\System32\vsdatant.sys File not found

DRV - (SMNDIS5) -- C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS File not found

DRV - (PCTINDIS5) -- C:\WINDOWS\System32\PCTINDIS5.SYS File not found

DRV - (PCASp50) -- C:\WINDOWS\System32\Drivers\PCASp50.sys File not found

DRV - (Nmea) -- C:\WINDOWS\System32\DRIVERS\pctnullport.sys File not found

DRV - (motmodem) -- C:\WINDOWS\System32\DRIVERS\motmodem.sys File not found

DRV - (MotDev) -- C:\WINDOWS\System32\DRIVERS\motodrv.sys File not found

DRV - (motccgpfl) -- C:\WINDOWS\System32\DRIVERS\motccgpfl.sys File not found

DRV - (motccgp) -- C:\WINDOWS\System32\DRIVERS\motccgp.sys File not found

DRV - (kwkxusb) -- C:\WINDOWS\System32\DRIVERS\kwusb2k.sys File not found

DRV - (catchme) -- C:\DOCUME~1\RANDY~1.IBS\LOCALS~1\Temp\catchme.sys File not found

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)

DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)

DRV - (bcm) -- C:\WINDOWS\system32\drivers\drxvi314.sys (Beceem communications pvt ltd.)

DRV - (bcmbusctr) -- C:\WINDOWS\system32\drivers\BcmBusCtr.sys (Beceem communications pvt ltd.)

DRV - (swmsflt) -- C:\WINDOWS\System32\drivers\swmsflt.sys ()

DRV - (Tp4Track) -- C:\WINDOWS\system32\drivers\tp4track.sys (Lenovo Group Limited)

DRV - (SWIPsec) -- C:\WINDOWS\system32\drivers\SWIPsec.sys (SonicWALL, Inc.)

DRV - (SWVNIC) -- C:\WINDOWS\system32\drivers\SWVNIC.sys (SonicWALL, Inc.)

DRV - (VNA) -- C:\WINDOWS\system32\drivers\vna.sys (Check Point Software Technologies)

DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)

DRV - (cm_net) -- C:\WINDOWS\system32\drivers\cm_net.sys (C-motech Co.,Ltd.)

DRV - (cm_ser) -- C:\WINDOWS\system32\drivers\cm_ser.sys (C-motech Co.,Ltd.)

DRV - (NWUSBPort2) -- C:\WINDOWS\system32\drivers\nwusbser2.sys (Novatel Wireless Inc.)

DRV - (NWUSBPort) -- C:\WINDOWS\system32\drivers\nwusbser.sys (Novatel Wireless Inc.)

DRV - (NWUSBModem) -- C:\WINDOWS\system32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)

DRV - (NSCIRDA) -- C:\WINDOWS\system32\drivers\nscirda.sys (National Semiconductor Corporation)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)

DRV - (amdagp) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (tap0801) -- C:\WINDOWS\system32\drivers\tap0801.sys (The OpenVPN Project)

DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Windows ® 2000 DDK provider)

DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)

DRV - (ibmfilter) -- C:\WINDOWS\system32\drivers\ibmfilter.sys (IBM)

DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)

DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)

DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)

DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)

DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)

DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)

DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)

DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)

DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)

DRV - (w22n51) Intel® -- C:\WINDOWS\system32\drivers\w22n51.sys (Intel

Maniac · January 4, 2011

Run OTL.exe
Under Custom Scans/Fixes post the following script:

:files
C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
C:\WINDOWS\*.tmp
C:\WINDOWS\System32\*.tmp

:Commands
[purity]
[emptytemp]

Then click the Run Fix button at the top
Let the program run unhindered,when it is done it will say "Fix Complete press ok to open log"
Please post that log in your next reply.

Masters · January 4, 2011

Run OTL.exe
Under Custom Scans/Fixes post the following script:
:files
C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
C:\WINDOWS\*.tmp
C:\WINDOWS\System32\*.tmp

:Commands
[purity]
[emptytemp]
Then click the Run Fix button at the top
Let the program run unhindered,when it is done it will say "Fix Complete press ok to open log"
Please post that log in your next reply.

Here is the log. I had to run it in safe mode as it just locked up in standard mode.

All processes killed

========== FILES ==========

C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} folder moved successfully.

C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} folder moved successfully.

C:\WINDOWS\000001_.tmp moved successfully.

C:\WINDOWS\003255_.tmp moved successfully.

C:\WINDOWS\msdownld.tmp folder moved successfully.

C:\WINDOWS\System32\CONFIG.TMP moved successfully.

C:\WINDOWS\System32\winsrc.dll.tmp moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: Lisa

->Temp folder emptied: 668 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 49990 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 48835489 bytes

->Flash cache emptied: 12028 bytes

User: randy.IBS002580

->Temp folder emptied: 242043686 bytes

->Temporary Internet Files folder emptied: 431653711 bytes

->Java cache emptied: 125512085 bytes

->Apple Safari cache emptied: 1044480 bytes

->Flash cache emptied: 168781 bytes

User: RANDY~1~IBS

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 72839208 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 9916514 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33171 bytes

RecycleBin emptied: 167424 bytes

Total Files Cleaned = 889.00 mb

OTL by OldTimer - Version 3.2.18.2 log created on 01042011_131828

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Maniac · January 5, 2011

Post a new fresh OTL log.

Masters · January 5, 2011

Post a new fresh OTL log.

It didn't create the OTL Extras.txt file this time. Following is the OTL.txt output.

OTL logfile created on: 1/5/2011 3:30:04 PM - Run 2

OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\randy.IBS002580\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

758.00 Mb Total Physical Memory | 418.00 Mb Available Physical Memory | 55.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free

Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 23.53 Gb Total Space | 3.07 Gb Free Space | 13.06% Space Free | Partition Type: NTFS

Computer Name: RANDY-LT | User Name: randy | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\randy.IBS002580\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

PRC - C:\Program Files\IBM\Lotus\Notes\ntmulti.exe (IBM Corp)

PRC - C:\Program Files\IBM\Lotus\Notes\nsd.exe (IBM)

PRC - C:\Program Files\Lenovo\TrackPoint\tp4serv.exe (Lenovo Group Limited)

PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

PRC - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe (SonicWALL, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

PRC - C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe (Adobe Systems Incorporated)

PRC - C:\WINDOWS\system32\1XConfig.exe (Intel)

PRC - C:\WINDOWS\system32\S24EvMon.exe (Intel Corporation )

PRC - C:\WINDOWS\system32\RegSrvc.exe (Intel Corporation)

PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE (IBM Corp.)

PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)

PRC - C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)

PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()

PRC - C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)