Computer Hope

Software => Computer viruses and spyware => Topic started by: whathim on November 15, 2012, 05:57:51 AM

Title: Malware infection following a moment of madness
Post by: whathim on November 15, 2012, 05:57:51 AM

Computer:
Dell Vostro 430 running Windows XP Service Pack 3, Comodo firewall, AVG free.

The moment of madness:
Yesterday I attempted to download a torrent, something I’ve never done before.  The download insisted on installing what I think was a BitTorrent client.

What I did next:
I uninstalled the previously installed BitTorrent client and then followed Steps 1 to 3 here http://www.computerhope.com/forum/index.php/topic,46313.0.html - AdwCleaner and MBAM log files pasted below.

The symptoms:
Lots of alerts from Comodo firewall that I haven’t seen before such as datamngrUI.exe trying to connect to Internet – I cancelled each time.

Google Chrome default search engine setting changed and attempting to change it back on the settings page has no effect.

Comodo firewall tray icon goes yellow – double click it and it says “Comodo Application Agent is not running” and invites me to run a diagnostic, which reports no problem.  Task Manager says cmdagent.exe and cfp.exe processes are running.

The symptoms got worse:
Google Chrome stopped working altogether so I uninstalled it and then tried to reinstall from Internet.  This failed – it just hung and did nothing.

When I try to run Internet Explorer, Comodo says “DefaultTabStart.exe” is trying to connect.  I block this but then IE fails to load its home page – it just sits there “Connecting”.

Firefox runs and connects to Internet but after a while it stops responding.

When I shut down Windows from the Start Button I get a message box saying DATAMN~1 needs to end.  Then Windows says it is saving my settings but just hangs there and I have to switch off manually at the computer power button.

This morning:
Windows starts up ok.  I no longer have the Comodo tray icon but Task Manager says cmdagent.exe and cfp.exe processes are running.  I run Comodo from the desktop shortcut and immediately the yellow tray icon reappears – its same as yesterday, “Comodo Application Agent is not running”.

I fire up Internet Explorer and Comodo says DefaultTabStart.exe is trying to connect.  This time I allow it and IE starts but it opens a search engine page I don’t recognise (I suspect its same as Chrome was showing yesterday).  The search engine works and I can get to the familiar Google search page.  Then I try to open another tab intending to have another go at reinstalling Chrome but I get a red X message box entitled “iexplore.exe Application Error” and message, “The exception unknown software exception (0xc00000fd) occurred in the application at location 0x00dcd240.  Click on OK to terminate the program”.  I have to click OK three times before the message box disappears – IE continues running.  I try again, same result.

I’m out of my depth here.  I don’t know what to do next and am apprehensive about cause any more damage.  Could some kind soul please give me some guidance?

Keith

# AdwCleaner v2.007 - Logfile created 11/14/2012 at 19:44:17
# Updated 06/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Keith Waters - DELLDESK
# Boot Mode : Normal
# Running from : C:\Downloads\Anti Malware\AdwCleaner\adwcleaner.exe
# Option [Search]


***** [Services] *****

Found : DefaultTabUpdate

***** [Files / Folders] *****

File Found : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\searchplugins\Search_Results.xml
File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Found : C:\Program Files\Mozilla FireFox\searchplugins\Search_Results.xml
Folder Found : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Found : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Found : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Found : C:\Documents and Settings\All Users\Application Data\Premium
Folder Found : C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder
Folder Found : C:\Documents and Settings\Keith Waters\Application Data\AVG Secure Search
Folder Found : C:\Documents and Settings\Keith Waters\Application Data\DefaultTab
Folder Found : C:\Documents and Settings\Keith Waters\Application Data\Media Finder
Folder Found : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]
Folder Found : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\extensions\staged
Folder Found : C:\Documents and Settings\Keith Waters\Local Settings\Application Data\AVG Secure Search
Folder Found : C:\Documents and Settings\Keith Waters\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
Folder Found : C:\Program Files\AVG Secure Search
Folder Found : C:\Program Files\Common Files\AVG Secure Search

***** [Registry] *****

Data Found : HKLM\..\Windows [AppInit_DLLs] = c:\progra~1\search~1\datamngr\datamngr.dll
Data Found : HKLM\..\Windows [AppInit_DLLs] = c:\progra~1\search~1\datamngr\iebho.dll
Key Found : HKCU\Software\APN DTX
Key Found : HKCU\Software\AppDataLow\Software\DefaultTab
Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\DataMngr_Toolbar
Key Found : HKCU\Software\DefaultTab
Key Found : HKCU\Software\ilivid
Key Found : HKCU\Software\MediaFinder
Key Found : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\Software\AVG Secure Search
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Found : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Classes\gencrawler_gc.GenCrawler
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\MF
Key Found : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\Software\Default Tab
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai
Key Found : HKLM\Software\Iminent
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Found : HKU\S-1-5-21-3042826270-1079364616-2737687425-1005\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKU\S-1-5-21-3042826270-1079364616-2737687425-1005\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKU\S-1-5-21-3042826270-1079364616-2737687425-1005\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Media Finder]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={402DD99C-B492-4911-BE7A-EAD2745BAD57}&mid=8e6fccf6b6a5ab4adbffa3b655bdfe2a-8088c5917818e80873dffa0637d0db34d5525198&lang=en&ds=AVG&pr=fr&d=2012-08-22 19:23:50&v=13.2.0.5&sap=nt

-\\ Mozilla Firefox v16.0 (en-US)

Profile name : default
File : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\prefs.js

Found : user_pref("avg.install.installDirPath", "C:\\Documents and Settings\\All Users\\Application Data\\AV[...]

-\\ Google Chrome v23.0.1271.64

File : C:\Documents and Settings\Keith Waters\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [8793 octets] - [14/11/2012 19:44:17]

########## EOF - C:\AdwCleaner[R1].txt - [8853 octets] ##########


Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.14.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Keith Waters :: DELLDESK [administrator]

14/11/2012 19:50:44
mbam-log-2012-11-14 (19-50-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 276405
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 15
HKCR\CLSID\{C1ED9DA0-AFD0-4b90-AC6A-D3874F591014} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKCR\TypeLib\{1FDC0B61-91AC-4157-9B27-CAD9A09AB67E} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKCR\BrowserConnection.Loader.1 (PUP.Datamngr) -> Quarantined and deleted successfully.
HKCR\BrowserConnection.Loader (PUP.Datamngr) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKCR\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKCR\gencrawler_gc.GenCrawler (Trojan.Downloader) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKCR\CLSID\{f34c9277-6577-4dff-b2d7-7d58092f272f} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> Data: Search-Results Toolbar -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f34c9277-6577-4dff-b2d7-7d58092f272f} (PUP.Datamngr) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Program Files\Search Results Toolbar\Datamngr\BrowserConnection.dll (PUP.Datamngr) -> Delete on reboot.
C:\Documents and Settings\Keith Waters\Application Data\Media Finder\Extensions\gencrawler_gc.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Search Results Toolbar\Datamngr\SRTOOL~1\searchresultsDx.dll (PUP.Datamngr) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith Waters\My Documents\Downloads\SaveAs (1).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith Waters\My Documents\Downloads\SaveAs.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.

(end)

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 15, 2012, 01:33:59 PM

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Remove the Adware:

• Please close all open programs and internet browsers.
• Double click on adwcleaner.exe to run the tool.
  
• Click on Delete.
  
• Confirm each time with OK
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile in your reply.
• You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
  

*********************************************
Download Combofix from any of the links below, and save it to your DESKTOP. 

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here  (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications-4.html) for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

(http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png)

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

(http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png)

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to  have this pre-installed on your machine before doing any malware  removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair  mode that will allow us to more easily help you should your computer  have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

(http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif)

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://i424.photobucket.com/albums/pp322/digistar/whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 15, 2012, 03:34:23 PM

Thanks for replying Dave and thanks for your excellent instructions.

On my first attempt at running adwCleaner.exe, the run dialog appeared but not the adwCleaner UI.  Task manager showed an adwcleaner.exe process.  I killed this and tried again and this time adwCleaner appeared.  I clicked “Delete” as instructed.  Then downloaded and ran ComboFix after disabling AVG (Comodo alerted several times so I accepted each one).  See both logs below.

Keith


# AdwCleaner v2.007 - Logfile created 11/15/2012 at 21:24:52
# Updated 06/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Keith Waters - DELLDESK
# Boot Mode : Normal
# Running from : C:\Downloads\Anti Malware\AdwCleaner\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : DefaultTabUpdate

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\Keith Waters\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\extensions\[email protected]
File Deleted : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\searchplugins\Search_Results.xml
File Deleted : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\searchplugins\search-here.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Program Files\Mozilla FireFox\searchplugins\Search_Results.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\Media Finder
Folder Deleted : C:\Documents and Settings\Keith Waters\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Keith Waters\Application Data\DefaultTab
Folder Deleted : C:\Documents and Settings\Keith Waters\Application Data\Media Finder
Folder Deleted : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]
Folder Deleted : C:\Documents and Settings\Keith Waters\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Program Files\AVG Secure Search

***** [Registry] *****

Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\progra~1\search~1\datamngr\datamngr.dll
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\progra~1\search~1\datamngr\iebho.dll
Key Deleted : HKCU\Software\APN DTX
Key Deleted : HKCU\Software\AppDataLow\Software\DefaultTab
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\MediaFinder
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\MF
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Media Finder]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={402DD99C-B492-4911-BE7A-EAD2745BAD57}&mid=8e6fccf6b6a5ab4adbffa3b655bdfe2a-8088c5917818e80873dffa0637d0db34d5525198&lang=en&ds=AVG&pr=fr&d=2012-08-22 19:23:50&v=13.2.0.5&sap=nt --> hxxp://www.google.com

-\\ Mozilla Firefox v16.0 (en-US)

Profile name : default
File : C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\prefs.js

C:\Documents and Settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("avg.install.installDirPath", "C:\\Documents and Settings\\All Users\\Application Data\\AV[...]
Deleted : user_pref("browser.startup.homepage", "hxxp://www.searchnu.com/406");
Deleted : user_pref("extensions.50a3b30f8a925.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("extensions.defaulttab.config", "{\"status\": \"ok\", \"config\": {\"dns_error_handling\":[...]
Deleted : user_pref("extensions.enabledAddons", "[email protected]:2.1,{5384767E-00D9-40E9-B72F-9CC39D655D6[...]
Deleted : user_pref("keyword.URL", "hxxp://dts.search-results.com/sr?src=ffb&gct=ds&appid=157&systemid=406&apn[...]
Deleted : user_pref("sweetim.toolbar.previous.browser.search .defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search .selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startu p.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejecte dGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejecte dGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Keith Waters\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [8922 octets] - [14/11/2012 19:44:17]
AdwCleaner[S1].txt - [10056 octets] - [15/11/2012 21:24:52]

########## EOF - C:\AdwCleaner[S1].txt - [10117 octets] ##########


ComboFix 12-11-15.01 - Keith Waters 15/11/2012  22:03:21.3.8 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3063.2288 [GMT 0:00]
Running from: c:\documents and settings\Keith Waters\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\0665c25e931c1ac0151b062449e91028\XSAccessor.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\17d0b152e63e6bfe81b4b19588538896\mro.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\19febd96672ffdb7ea244cef36aaa062\Zlib.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\2b1fc61b36a6711ea149b18bf3b41500\Parser.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\38a10ee333cf1a9afec3f0acdf1bbebc\Scan.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\3a8764e0d7c5d453e01d9ad08cf7fb58\IO.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\3b7106dd14676048b10bbb09a990f74c\XS.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\4461f48e31bde5c56b31b973b773de09\List.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\44727051c604ef6b79894b64d4c63832\Expat.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\4f2c03383aab0133b8dc0a3fa2dd92fa\Storable.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\7f177c338672436e01c4f0bdbcf94491\EV.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\7f2598c08178217a0e2c754f3d568f28\Byte.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\8fedeb86a4a984edfc1fb255d4ea965c\XS.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\961b0d62fa52b1dd29c795a822fbf1cf\DBI.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\aff7ee779ea184f884ed432c30a58f5d\Scale.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\b6bd87c968599725b8ab2e5c25d3046a\API.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\b979ace6da01e63d651cce9ee2474fdc\Name.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\bc147d83c7c868eeee67082dcf55430c\File.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\bd5179a413bc0c4b82eedc22c6cab101\re.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\c199d3c1960e7aeeecb599487952bed2\HiRes.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\c19d5e3dc664d9f4ce700001e2621cee\MD5.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\c344fd5536724b2af2e6453833b60203\SHA1.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\c5cce8d16a1bd48692b421dcf46d3396\Util.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\c668a322917d32a5ea22894518aa9897\Base64.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\cf5fe81e2f5dcbfecfd0495e1648c991\Unicode.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\d0bf009923f29116535c26d228271d6d\Scan.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\d1c77e404b5c4b954fa537ed63c8fb7b\File.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\dacfd0ab9b5fd029ed8d29e4482b0775\XS.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\e2e81dd6b3e5a36f0bdae076393cc11d\icudt46.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\e2e81dd6b3e5a36f0bdae076393cc11d\icuin46.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\e2e81dd6b3e5a36f0bdae076393cc11d\icuuc46.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\e2e81dd6b3e5a36f0bdae076393cc11d\SQLite.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\e56c61f7248672819579325af3387035\POSIX.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\eb138ef0e4282611dbf485a302784646\LibYAML.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\f233f63b6654362865c7577442edb9e3\Win32.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\fa9e3c814aa32db2ad5f17bdfbc22746\attributes.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-2404\perl514.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\4461f48e31bde5c56b31b973b773de09\List.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\93e7e3d6030f426844228042348210cf\Service.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\bd5179a413bc0c4b82eedc22c6cab101\re.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\c5cce8d16a1bd48692b421dcf46d3396\Util.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\e56c61f7248672819579325af3387035\POSIX.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\eb138ef0e4282611dbf485a302784646\LibYAML.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\f233f63b6654362865c7577442edb9e3\Win32.dll
c:\docume~1\KEITHW~1\LOCALS~1\Temp\pdk-Keith_Waters-3552\perl514.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\0665c25e931c1ac0151b062449e91028\XSAccessor.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\17d0b152e63e6bfe81b4b19588538896\mro.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\19febd96672ffdb7ea244cef36aaa062\Zlib.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\2b1fc61b36a6711ea149b18bf3b41500\Parser.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\38a10ee333cf1a9afec3f0acdf1bbebc\Scan.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\3a8764e0d7c5d453e01d9ad08cf7fb58\IO.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\3b7106dd14676048b10bbb09a990f74c\XS.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\4461f48e31bde5c56b31b973b773de09\List.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\44727051c604ef6b79894b64d4c63832\Expat.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\4f2c03383aab0133b8dc0a3fa2dd92fa\Storable.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\7f177c338672436e01c4f0bdbcf94491\EV.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\7f2598c08178217a0e2c754f3d568f28\Byte.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\8fedeb86a4a984edfc1fb255d4ea965c\XS.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\961b0d62fa52b1dd29c795a822fbf1cf\DBI.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\aff7ee779ea184f884ed432c30a58f5d\Scale.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\b6bd87c968599725b8ab2e5c25d3046a\API.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\b979ace6da01e63d651cce9ee2474fdc\Name.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\bc147d83c7c868eeee67082dcf55430c\File.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\bd5179a413bc0c4b82eedc22c6cab101\re.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\c199d3c1960e7aeeecb599487952bed2\HiRes.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\c19d5e3dc664d9f4ce700001e2621cee\MD5.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\c344fd5536724b2af2e6453833b60203\SHA1.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\c5cce8d16a1bd48692b421dcf46d3396\Util.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\c668a322917d32a5ea22894518aa9897\Base64.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\cf5fe81e2f5dcbfecfd0495e1648c991\Unicode.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\d0bf009923f29116535c26d228271d6d\Scan.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\d1c77e404b5c4b954fa537ed63c8fb7b\File.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\dacfd0ab9b5fd029ed8d29e4482b0775\XS.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\e2e81dd6b3e5a36f0bdae076393cc11d\icudt46.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\e2e81dd6b3e5a36f0bdae076393cc11d\icuin46.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\e2e81dd6b3e5a36f0bdae076393cc11d\icuuc46.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\e2e81dd6b3e5a36f0bdae076393cc11d\SQLite.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\e56c61f7248672819579325af3387035\POSIX.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\eb138ef0e4282611dbf485a302784646\LibYAML.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\f233f63b6654362865c7577442edb9e3\Win32.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\fa9e3c814aa32db2ad5f17bdfbc22746\attributes.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-2404\perl514.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\4461f48e31bde5c56b31b973b773de09\List.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\93e7e3d6030f426844228042348210cf\Service.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\bd5179a413bc0c4b82eedc22c6cab101\re.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\c5cce8d16a1bd48692b421dcf46d3396\Util.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\e56c61f7248672819579325af3387035\POSIX.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\eb138ef0e4282611dbf485a302784646\LibYAML.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\f233f63b6654362865c7577442edb9e3\Win32.dll
c:\documents and settings\Keith Waters\Local Settings\temp\pdk-Keith_Waters-3552\perl514.dll
c:\documents and settings\Keith Waters\WINDOWS
c:\windows\system32\Cache
c:\windows\system32\Cache\083b95982dac99d4.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2aafef63cf929d3c.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\8702e21ea93407b0.fb
c:\windows\system32\Cache\99494c55e48696ad.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\bced3609cd4313a9.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\e35a913902aba37b.fb
c:\windows\system32\Cache\e8db39e39966059c.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\FE05DA0D.dll
c:\windows\system32\FE05EFED.dll
c:\windows\system32\FE05F051.dll
c:\windows\system32\FE05F3D5.dll
c:\windows\system32\FE05F3D6.dll
c:\windows\system32\SETCC.tmp
c:\windows\system32\SETCE.tmp
c:\windows\system32\SETF7.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-10-15 to 2012-11-15  )))))))))))))))))))))))))))))))
.
.
2012-11-14 17:14 . 2012-11-14 19:22   --------   d-----w-   c:\documents and settings\Keith Waters\My Downloads
2012-11-14 17:11 . 2012-11-14 17:20   --------   d-----w-   c:\documents and settings\Keith Waters\Application Data\FreeTorrentViewer
2012-11-14 16:53 . 2012-11-14 16:53   --------   d-----w-   c:\documents and settings\Keith Waters\Application Data\SpottyFiles
2012-11-14 16:39 . 2012-11-14 16:39   --------   d-----w-   c:\documents and settings\Keith Waters\Application Data\SwvUpdater
2012-11-14 15:20 . 2012-11-14 15:20   --------   d-----w-   c:\program files\Gophoto.it
2012-11-14 15:19 . 2012-11-14 17:31   --------   d-----w-   c:\program files\TornTV.com
2012-11-14 15:09 . 2012-11-14 15:09   --------   d-----w-   c:\documents and settings\Keith Waters\Application Data\searchresultstb
2012-11-14 15:09 . 2012-11-14 15:09   --------   d-----w-   c:\documents and settings\Keith Waters\AppData
2012-11-14 15:05 . 2012-11-14 15:05   --------   d-----w-   c:\program files\MocaFlix
2012-11-14 15:04 . 2012-11-14 15:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\SaveAs
2012-11-14 14:56 . 2012-11-14 15:09   --------   d-----w-   c:\documents and settings\Keith Waters\Application Data\ilividtoolbarguid
2012-11-14 14:56 . 2012-11-14 14:58   --------   d-----w-   c:\program files\Search Results Toolbar
2012-11-13 16:22 . 2012-11-14 17:54   --------   d-----w-   c:\documents and settings\Keith Waters\Application Data\vlc
2012-11-13 16:21 . 2012-11-13 16:21   --------   d-----w-   c:\program files\VideoLAN
2012-10-22 10:51 . 2012-10-22 10:51   --------   d-----w-   c:\program files\IIS Express
2012-10-19 09:38 . 2012-10-19 09:38   --------   d-----w-   c:\documents and settings\DELLDESK
2012-10-18 13:37 . 2012-10-18 13:37   --------   d-----w-   c:\program files\Common Files\Java
2012-10-18 13:27 . 2012-10-18 13:34   --------   d-----w-   C:\PHP
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-08 10:56 . 2012-08-22 18:23   26984   ----a-w-   c:\windows\system32\drivers\avgtpx86.sys
2012-11-07 23:38 . 2010-06-01 18:00   99080   ----a-w-   c:\windows\system32\drivers\inspect.sys
2012-11-07 23:38 . 2010-06-01 18:00   32640   ----a-w-   c:\windows\system32\drivers\CMDHLP.SYS
2012-11-07 23:38 . 2010-06-04 10:55   497952   ----a-w-   c:\windows\system32\drivers\CMDGUARD.SYS
2012-11-07 23:38 . 2010-06-01 18:00   18096   ----a-w-   c:\windows\system32\drivers\cmderd.sys
2012-11-07 23:37 . 2011-10-19 18:58   34024   ----a-w-   c:\windows\system32\cmdcsr.dll
2012-11-07 23:37 . 2010-06-01 18:00   301264   ----a-w-   c:\windows\system32\guard32.dll
2012-10-11 13:05 . 2008-04-25 16:16   2405   ----a-w-   c:\windows\_default.pif
2012-10-09 10:19 . 2012-05-10 09:15   696760   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-10-09 10:19 . 2011-05-15 09:36   73656   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-29 19:54 . 2010-08-27 07:14   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-24 14:32 . 2012-06-27 21:02   477168   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-09-24 14:32 . 2010-04-22 10:28   473072   ----a-w-   c:\windows\system32\deployJava1.dll
2012-09-24 12:51 . 2012-06-27 21:02   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2012-08-28 15:14 . 2010-08-31 22:18   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2010-02-13 18:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2010-08-31 22:18   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2010-08-31 22:18   385024   ----a-w-   c:\windows\system32\html.iec
2012-08-24 14:43 . 2010-09-07 02:49   301920   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2012-08-24 13:53 . 2008-04-14 07:00   177664   ----a-w-   c:\windows\system32\wintrust.dll
2012-08-20 13:17 . 2009-12-02 06:31   16976   ----a-w-   c:\windows\system32\drivers\dsNcAdpt.sys
2012-10-16 12:42 . 2011-05-10 08:12   261600   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 19:12   86280   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-12 61440]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2009-11-12 203776]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2010-11-26 331264]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2010-1-27 53248]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2010-2-14 241664]
Logitech Media Server Tray Tool.lnk - c:\program files\Squeezebox\SqueezeTray.exe [2011-11-9 3051619]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 122880]
Microsoft Office.lnk - c:\program files\Microsoft Office 2000\Office\OSA9.EXE [1999-2-17 65588]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 61440]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-11-7 106560]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2012-06-27 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Remote Access\\ezi_ra.exe"=
"c:\\Program Files\\Common Files\\Dell\\Advanced Networking Service\\hnm_svc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Dell\\VLC\\vlc.exe"=
"c:\\Program Files\\Common Files\\Common Desktop Agent\\CDASrv.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\IDS.Application.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\OrderSupplies.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\IDSAlert.exe"=
"c:\\Program Files\\Samsung\\Easy Printer Manager\\CDAS2PC\\CDAS2PC.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\Search Results Toolbar\\Datamngr\\SRTOOL~1\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"9000:TCP"= 9000:TCP:Logitech Media Server 9000 tcp (UI)
"9001:TCP"= 9001:TCP:Logitech Media Server 9001 tcp (UI)
"9002:TCP"= 9002:TCP:Logitech Media Server 9002 tcp (UI)
"9003:TCP"= 9003:TCP:Logitech Media Server 9003 tcp (UI)
"9004:TCP"= 9004:TCP:Logitech Media Server 9004 tcp (UI)
"9005:TCP"= 9005:TCP:Logitech Media Server 9005 tcp (UI)
"9006:TCP"= 9006:TCP:Logitech Media Server 9006 tcp (UI)
"9007:TCP"= 9007:TCP:Logitech Media Server 9007 tcp (UI)
"9008:TCP"= 9008:TCP:Logitech Media Server 9008 tcp (UI)
"9009:TCP"= 9009:TCP:Logitech Media Server 9009 tcp (UI)
"9010:TCP"= 9010:TCP:Logitech Media Server 9010 tcp (UI)
"9100:TCP"= 9100:TCP:Logitech Media Server 9100 tcp (UI)
"8000:TCP"= 8000:TCP:Logitech Media Server 8000 tcp (UI)
"10000:TCP"= 10000:TCP:Logitech Media Server 10000 tcp (UI)
"9090:TCP"= 9090:TCP:Logitech Media Server 9090 tcp (UI)
"3483:UDP"= 3483:UDP:Logitech Media Server 3483 udp
"3483:TCP"= 3483:TCP:Logitech Media Server 3483 tcp
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 03:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 02:48 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 02:48 237408]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 02:49 301920]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [22/08/2012 18:23 26984]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\CMDGUARD.SYS [04/06/2010 10:55 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\CMDHLP.SYS [01/06/2010 18:00 32640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 18:25 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [29/06/2010 17:48 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [13/08/2012 02:24 5167736]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 03:53 193288]
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [11/06/2012 15:22 193616]
R2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BACS\BPowMon.exe [12/06/2009 14:23 79168]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.sys [23/12/2010 06:06 5120]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 12:32 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 12:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 12:32 17232]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [28/01/2010 02:31 209960]
S0 cerc6;cerc6;

S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28/01/2010 02:31 1684736]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [06/05/2011 19:16 1025352]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [11/06/2012 15:22 240208]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-10 10:19]
.
2012-11-15 c:\windows\Tasks\AmiUpdXp.job
- c:\documents and settings\Keith Waters\Application Data\SwvUpdater\Updater.exe [2012-11-14 16:38]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-21 16:00]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-21 16:00]
.
2012-11-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://websearch.mocaflix.com/
mStart Page = hxxp://websearch.mocaflix.com/
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.mocaflix.com/?l=1&q=
FF - prefs.js: browser.search.selectedEngine - WebSearch
FF - ExtSQL: 2012-10-18 14:37; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-14 14:57; {f34c9277-6577-4dff-b2d7-7d58092f272f}; c:\documents and settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\extensions\{f34c9277-6577-4dff-b2d7-7d58092f272f}
FF - ExtSQL: 2012-11-14 15:19; [email protected]; c:\documents and settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\extensions\[email protected]
FF - ExtSQL: 2012-11-14 20:28; [email protected]; c:\documents and settings\Keith Waters\Application Data\Mozilla\Firefox\Profiles\0uc8mmsq.default\extensions\[email protected]
FF - ExtSQL: !HIDDEN! 2009-11-03 22:19; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2012-11-14 14:57; {1FD91A9C-410C-4090-BBCC-55D3450EF433}; c:\program files\Search Results Toolbar\Datamngr\FirefoxExtension
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\documents and settings\Keith Waters\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-10 - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-vProt - c:\program files\AVG Secure Search\vprot.exe
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
HKLM-Run-HF_G_Jul - c:\program files\AVG Secure Search\HF_G_Jul.exe
HKLM-Run-ROC_roc_ssl_v12 - c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe
HKLM-Run-ROC_ROC_JULY_P1 - c:\program files\AVG Secure Search\ROC_ROC_JULY_P1.exe
HKLM-Run-MFARestart - c:\documents and settings\All Users\Application Data\MFAData\pack\avgrunasx.exe
HKU-Default-RunOnce-tscuninstall - c:\windows\system32\tscupgrd.exe
AddRemove-1ClickDownload - c:\program files\TornTV.com\uninst.exe
AddRemove-FreeTorrentViewer - c:\program files\FreeTorrentViewer\uninst.exe
AddRemove-OptimizerPro - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\OPTIMI~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-15 22:18
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1228)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1284)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2480)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(1184)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Samsung\Easy Printer Manager\SpoolerComp.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Dell Remote Access\ezi_ra.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\progra~1\SQUEEZ~1\server\SQUEEZ~3.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
.
**************************************************************************
.
Completion time: 2012-11-15  22:24:50 - machine was rebooted
ComboFix-quarantined-files.txt  2012-11-15 22:24
.
Pre-Run: 284,510,109,696 bytes free
Post-Run: 286,111,911,936 bytes free
.
- - End Of File - - F8F0C7DC740DD7AFEF0376AFCCAAEBD9

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 15, 2012, 04:13:25 PM

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
**************************************************
Please download aswMBR.exe (http://public.avast.com/%7Egmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_Scan.jpg)

Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_SaveLog.png)

On completion of the scan click save log, save it to your desktop and post in your next reply
************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
• Process << Selected
  
• Kernel Modules << Selected
  
• SSDT << Selected
  
• Kernel Hooks << Selected
  
• IRP Hooks << NOT Selected
  
• Ports << NOT Selected
  
• Hidden Files << Selected
  
• At the bottom of the page
• Hidden Objects Only << Selected
  
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 15, 2012, 05:40:39 PM

As instructed ran SecurityCheck.exe/bat.  There were quite a few Comodo alerts and I accepted all.

Ran aswMBR as instructed.  Comodo gave a warning of threat to computer detected and offered GeekBuddy to check and clean.  I declined this.  Comodo also said “Cloud Scanner Alert.  A malicious item has been detected, clean or ignore”.  I clicked ignore.

AswMBR itself offered to download the latest Avast virus definitions for better detection results.  I was wary of this and so declined it – hope I did correctly.

Then ran SysProt as instructed.

See all three logs below.

Keith


Results of screen317's Security Check version 0.99.54 
 Windows XP Service Pack 3 x86   
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````[/u]
 Windows Firewall Disabled! 
AVG Anti-Virus Free Edition 2012   
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````[/u]
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.65.1.1000 
 CCleaner     
 Java(TM) 6 Update 37 
 Java version out of Date!
 Adobe Flash Player    11.4.402.287 
 Adobe Reader 9 Adobe Reader out of Date!
 Adobe Reader X (10.1.4)
 Mozilla Firefox (16.0)
````````Process Check: objlist.exe by Laurent````````[/u] 
 AVG avgwdsvc.exe
 AVG avgtray.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
 Comodo Firewall cmdagent.exe
 Comodo Firewall cfp.exe
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C:: 32% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````[/u]



aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-16 00:01:00
-----------------------------
00:01:00.281    OS Version: Windows 5.1.2600 Service Pack 3
00:01:00.281    Number of processors: 8 586 0x1E05
00:01:00.281    ComputerName: DELLDESK  UserName:
00:01:01.843    Initialze error C0000022 - driver not loaded
00:08:38.046    Service scanning
00:08:51.281    Modules scanning
00:08:51.281    Disk 0 trace - called modules:
00:08:51.281   
00:08:51.281    Scan finished successfully
00:09:44.531    The log file has been saved successfully to "C:\Documents and Settings\Keith Waters\Desktop\Anti-Malware\aswMBR.txt"



SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F74E7000
Module End: F74F6000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: A1381000
Module End: A145B000
Hidden: Yes

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: F7887000
Module End: F788F000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: A4EC3000
Module End: A4EC5000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: A16C67E4
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwConnectPort
Address: A16C5D90
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateFile
Address: A16C644A
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateKey
Address: A16C7040
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateSection
Address: A16C8C20
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateSymbolicLinkObject
Address: A16C8F9E
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateThread
Address: A16C577C
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDeleteKey
Address: A16C69D0
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDeleteValueKey
Address: A16C6BE8
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDuplicateObject
Address: A16C5582
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwEnumerateKey
Address: A16C782A
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwEnumerateValueKey
Address: A16C7A80
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwLoadDriver
Address: A16C8652
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwMakeTemporaryObject
Address: A16C6058
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwNotifyChangeKey
Address: 9EF81004
Driver Base: 9EF80000
Driver End: 9EF83000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwNotifyChangeMultipleKeys
Address: 9EF810D4
Driver Base: 9EF80000
Driver End: 9EF83000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwOpenFile
Address: A16C6626
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenKey
Address: A16C7030
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenProcess
Address: 9EF80D76
Driver Base: 9EF80000
Driver End: 9EF83000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwOpenSection
Address: A16C62F2
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenThread
Address: A16C53B4
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwQueryKey
Address: A16C7C8E
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwQueryMultipleValueKey
Address: A16C80E2
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwQueryValueKey
Address: A3F0F1EA
Driver Base: A3F0E000
Driver End: A3F19000
Driver Name: \??\C:\WINDOWS\system32\drivers\avgtpx86.sys

Function Name: ZwRenameKey
Address: A16C75B2
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetSecurityObject
Address: A16C6E54
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetSystemInformation
Address: A16C893E
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetValueKey
Address: A16C730A
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwShutdownSystem
Address: A16C5FC2
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSystemDebugControl
Address: A16C61DE
Driver Base: A16BC000
Driver End: A1733000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwTerminateProcess
Address: 9EF80E1E
Driver Base: 9EF80000
Driver End: 9EF83000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwTerminateThread
Address: 9EF80EBA
Driver Base: 9EF80000
Driver End: 9EF83000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwWriteVirtualMemory
Address: 9EF80F56
Driver Base: 9EF80000
Driver End: 9EF83000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Keith Waters\Desktop\My Printer\Samsung ML-3310ND\Samsung ML-3310ND - Printer - B-W - duplex - laser - Legal, A4 - 1200 dpi x 1200 dpi - up to 31 ppm - capacity- 300 sheets - USB, 10-100Base-TX- Amazon.co.uk- Computers & Accessor
Status: Hidden

Object: C:\MyDocuments\Busty\Macromastia\Isabelle Lanthier\9598d0793fa61272 - ??t???af? (2).jpg
Status: Hidden

Object: C:\MyDocuments\Busty\Macromastia\Isabelle Lanthier\9598d0793fa61272 - ??t???af? - ??t???af?.jpg
Status: Hidden

Object: C:\MyDocuments\Japan\Mlle\OPPAI[????] ???????????????? ??????? (ppmd019).url
Status: Hidden

Object: C:\Personal\www\jpg\macromastia\174377_100002373177675_2554687_n - ??t???af?.jpg
Status: Hidden

Object: C:\Personal\www\jpg\macromastia\225225_213375692019373_100000408302028_749412_4007924_n - ??t???af? - ??t???af?.jpg
Status: Hidden

Object: C:\Personal\www\jpg\macromastia\9598d0793fa61272 - ??t???af? (2).jpg
Status: Hidden

Object: C:\Personal\www\jpg\macromastia\9598d0793fa61272 - ??t???af? - ??t???af?.jpg
Status: Hidden

Object: C:\Personal\www\jpg\macromastia\F2.large - ??t???af?.jpg
Status: Hidden

Object: C:\Personal\www\jpg\macromastia\figure_MSD_222_2 - ??t???af? - ??t???af?.jpg
Status: Hidden

Object: C:\Personal\www\jpg\macromastia\??t???af? ap? 2107.jpg
Status: Hidden

Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 15, 2012, 07:42:47 PM

Quote

Comodo gave a warning of threat to computer detected and offered GeekBuddy to check and clean.  I declined this.  Comodo also said “Cloud Scanner Alert.  A malicious item has been detected, clean or ignore”.  I clicked ignore.

Good. I don't know what's up with Comodo give you those messages. If it keeps doing, you should choose anther firewall.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version (http://www.java.com/en/download/installed.jsp)

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
***********************************************

Quote

Total Fragmentation on Drive C:: 32% Defragment your hard drive soon! (Do NOT defrag if SSD!)

You should defrag your harddrive soon. SSD means Solid State Drive.
You need to run aswMBR again and allow Avast to load. It requires this to run the scan.

• Download RogueKiller (http://tigzy.geekstogo.com/Tools/RogueKiller.exe) on the desktop
  
• Close all the running programs
• Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  
• Otherwise just double-click on RogueKiller.exe
  
• Pre-scan will start. Let it finish.
• Click on SCAN button.
  
• A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  
• If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
  

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 16, 2012, 02:58:35 AM

When computer shut down last night a total of 9 updates auto-installed.

This morning, got green tick from Verify Java Version– “You have recommended Java installation (Version 6 Update 37)”

When I ran JavaRa as instructed, it crashed and showed the usual error-reporting dialog, “JavaRa has encountered a problem and needs to close.  We are sorry for the inconvenience”.

Reran aswMBR as instructed.  Again, Comodo gave a warning of threat to computer detected and offered GeekBuddy to check and clean.  As before, I declined this.  Comodo also again said “Cloud Scanner Alert.  A malicious item has been detected, clean or ignore” and as before I clicked ignore.

This time I accepted the offer to download the latest Avast virus definitions.  Please see log below.  Bit puzzled as to why the log says “Initialize error C0000022 – driver not loaded” just before the download and “AVAST engine download error: 0” just after”.

Just after downloading RogueKiller.exe from the link you gave, Comodo said, “Threat detected.” with the following info.

Threat name: IDP.Trojan.97AC54E5
Category: Malware
Description: This is a known piece of Malware (malicious software).  It is recommended that you quarantine this threat.

I declined quarantine and clicked “Allow”.

When I ran RogueKiller, Comodo again gave a lot of alerts, which I skipped to allow it to run.  Please see report below.

Keith


aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-16 09:18:32
-----------------------------
09:18:32.234    OS Version: Windows 5.1.2600 Service Pack 3
09:18:32.234    Number of processors: 8 586 0x1E05
09:18:32.234    ComputerName: DELLDESK  UserName:
09:18:49.500    Initialze error C0000022 - driver not loaded
09:20:03.718    AVAST engine download error: 0
09:26:48.546    Service scanning
09:27:02.500    Modules scanning
09:27:02.500    Disk 0 trace - called modules:
09:27:02.500   
09:27:02.500    Scan finished successfully
09:27:53.578    The log file has been saved successfully to "C:\Documents and Settings\Keith Waters\Desktop\Anti-Malware\aswMBR#02.txt"


RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Keith Waters [Admin rights]
Mode : Scan -- Date : 11/16/2012 09:49:09

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[TASK][SUSP PATH] AmiUpdXp.job : C:\Documents and Settings\Keith Waters\Application Data\SwvUpdater\Updater.exe  -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] d91721c50bb0d70937009e54fb278258
[BSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 94 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 192780 | Size: 476843 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_11162012_02d0949.txt >>
RKreport[1]_S_11162012_02d0949.txt

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 16, 2012, 07:10:16 AM

How's your computer running now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
 ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
  

•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 16, 2012, 12:13:15 PM

Computer certainly seems to be behaving better, although I haven’t given it much of a workout yet.  Both IE and Firefox seem to be behaving correctly.  Also the Comodo tray icon is no longer turning alert-yellow as it was before.  I have yet to reinstall Chrome.  I haven’t defragged the HD yet.  Should I do that now or wait till after our checks and scans?

Following your instructions to run ESET OnlineScan, I noticed that at the step “Check ‘Scan archives’”, there is another check box entitled “Remove found threats” that is already checked.  I suspected you might have intended a scan rather than a scan-and-clean so I unchecked “Remove found threats”.  As the scan has been running I’m beginning to doubt my decision.  An apology if incorrect and I will repeat the scan if required.

Please see list of found threats and log below.

Keith

C:\Documents and Settings\All Users\Application Data\SaveAs\50a3b30f8aa09.ocx   Win32/Adware.MultiPlug.D application
C:\Documents and Settings\Keith Waters\My Documents\My Videos\iLividSetupV1.exe   Win32/Toolbar.SearchSuite application
C:\Downloads\RegistryBooster\registrybooster.exe   a variant of Win32/RegistryBooster application
C:\Downloads\VLCMediaPlayer\VLCMediaPlayer.exe   a variant of Win32/Somoto.A application
C:\Program Files\MocaFlix\sprotector.dll   Win32/SProtector application
C:\Program Files\Search Results Toolbar\Datamngr\datamngr.dll   a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Search Results Toolbar\Datamngr\datamngrUI.exe   a variant of Win32/Toolbar.SearchSuite.A application
C:\Program Files\Search Results Toolbar\Datamngr\DnsBHO.dll   a variant of Win32/Toolbar.SearchSuite application
C:\Program Files\Search Results Toolbar\Datamngr\IEBHO.dll   a variant of Win32/Toolbar.SearchSuite application
C:\TBas\PETZOLD\CHAPT06\CONNECT.EXE   a variant of Win32/Kryptik.AFAX trojan


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=b49c503ff64e1442b2beb97d9536dde8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-11-16 07:03:32
# local_time=2012-11-16 07:03:32 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 33780114 33780114 0 0
# compatibility_mode=3073 16777213 80 71 434779 2847661 0 0
# compatibility_mode=8192 67108863 100 0 3940 3940 0 0
# scanned=391920
# found=10
# cleaned=0
# scan_time=12554
C:\Documents and Settings\All Users\Application Data\SaveAs\50a3b30f8aa09.ocx   Win32/Adware.MultiPlug.D application (unable to clean)   00000000000000000000000000000000   I
C:\Documents and Settings\Keith Waters\My Documents\My Videos\iLividSetupV1.exe   Win32/Toolbar.SearchSuite application (unable to clean)   00000000000000000000000000000000   I
C:\Downloads\RegistryBooster\registrybooster.exe   a variant of Win32/RegistryBooster application (unable to clean)   00000000000000000000000000000000   I
C:\Downloads\VLCMediaPlayer\VLCMediaPlayer.exe   a variant of Win32/Somoto.A application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\MocaFlix\sprotector.dll   Win32/SProtector application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\Search Results Toolbar\Datamngr\datamngr.dll   a variant of Win32/Toolbar.SearchSuite application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\Search Results Toolbar\Datamngr\datamngrUI.exe   a variant of Win32/Toolbar.SearchSuite.A application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\Search Results Toolbar\Datamngr\DnsBHO.dll   a variant of Win32/Toolbar.SearchSuite application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\Search Results Toolbar\Datamngr\IEBHO.dll   a variant of Win32/Toolbar.SearchSuite application (unable to clean)   00000000000000000000000000000000   I
C:\TBas\PETZOLD\CHAPT06\CONNECT.EXE   a variant of Win32/Kryptik.AFAX trojan (unable to clean)   00000000000000000000000000000000   I

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 16, 2012, 01:25:48 PM

Quote

I haven’t defragged the HD yet.  Should I do that now or wait till after our checks and scans?

Ok, do it anytime.
Please do the ESET scan again and post the log.

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 16, 2012, 04:49:40 PM

Reran ESET OnlineScan this time leaving “Remove found threats” checked.  Please see list of found threats and log below.

Keith

C:\Documents and Settings\All Users\Application Data\SaveAs\50a3b30f8aa09.ocx   Win32/Adware.MultiPlug.D application   cleaned by deleting - quarantined
C:\Documents and Settings\Keith Waters\My Documents\My Videos\iLividSetupV1.exe   Win32/Toolbar.SearchSuite application   cleaned by deleting - quarantined
C:\Downloads\RegistryBooster\registrybooster.exe   a variant of Win32/RegistryBooster application   cleaned by deleting - quarantined
C:\Downloads\VLCMediaPlayer\VLCMediaPlayer.exe   a variant of Win32/Somoto.A application   cleaned by deleting - quarantined
C:\Program Files\MocaFlix\sprotector.dll   Win32/SProtector application   cleaned by deleting - quarantined
C:\Program Files\Search Results Toolbar\Datamngr\datamngr.dll   a variant of Win32/Toolbar.SearchSuite application   cleaned by deleting - quarantined
C:\Program Files\Search Results Toolbar\Datamngr\datamngrUI.exe   a variant of Win32/Toolbar.SearchSuite.A application   cleaned by deleting - quarantined
C:\Program Files\Search Results Toolbar\Datamngr\DnsBHO.dll   a variant of Win32/Toolbar.SearchSuite application   cleaned by deleting - quarantined
C:\Program Files\Search Results Toolbar\Datamngr\IEBHO.dll   a variant of Win32/Toolbar.SearchSuite application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048876.ocx   Win32/Adware.MultiPlug.D application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048877.exe   a variant of Win32/RegistryBooster application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048878.exe   a variant of Win32/Somoto.A application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048879.dll   Win32/SProtector application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048880.dll   a variant of Win32/Toolbar.SearchSuite application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048881.exe   a variant of Win32/Toolbar.SearchSuite.A application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048882.dll   a variant of Win32/Toolbar.SearchSuite application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048883.dll   a variant of Win32/Toolbar.SearchSuite application   cleaned by deleting - quarantined
C:\TBas\PETZOLD\CHAPT06\CONNECT.EXE   a variant of Win32/Kryptik.AFAX trojan   cleaned by deleting - quarantined


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=b49c503ff64e1442b2beb97d9536dde8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-11-16 07:03:32
# local_time=2012-11-16 07:03:32 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 33780114 33780114 0 0
# compatibility_mode=3073 16777213 80 71 434779 2847661 0 0
# compatibility_mode=8192 67108863 100 0 3940 3940 0 0
# scanned=391920
# found=10
# cleaned=0
# scan_time=12554
C:\Documents and Settings\All Users\Application Data\SaveAs\50a3b30f8aa09.ocx   Win32/Adware.MultiPlug.D application (unable to clean)   00000000000000000000000000000000   I
C:\Documents and Settings\Keith Waters\My Documents\My Videos\iLividSetupV1.exe   Win32/Toolbar.SearchSuite application (unable to clean)   00000000000000000000000000000000   I
C:\Downloads\RegistryBooster\registrybooster.exe   a variant of Win32/RegistryBooster application (unable to clean)   00000000000000000000000000000000   I
C:\Downloads\VLCMediaPlayer\VLCMediaPlayer.exe   a variant of Win32/Somoto.A application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\MocaFlix\sprotector.dll   Win32/SProtector application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\Search Results Toolbar\Datamngr\datamngr.dll   a variant of Win32/Toolbar.SearchSuite application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\Search Results Toolbar\Datamngr\datamngrUI.exe   a variant of Win32/Toolbar.SearchSuite.A application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\Search Results Toolbar\Datamngr\DnsBHO.dll   a variant of Win32/Toolbar.SearchSuite application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files\Search Results Toolbar\Datamngr\IEBHO.dll   a variant of Win32/Toolbar.SearchSuite application (unable to clean)   00000000000000000000000000000000   I
C:\TBas\PETZOLD\CHAPT06\CONNECT.EXE   a variant of Win32/Kryptik.AFAX trojan (unable to clean)   00000000000000000000000000000000   I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=b49c503ff64e1442b2beb97d9536dde8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-11-16 11:40:58
# local_time=2012-11-16 11:40:58 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 33798384 33798384 0 0
# compatibility_mode=3073 16777213 80 71 453049 2865931 0 0
# compatibility_mode=8192 67108863 100 0 22210 22210 0 0
# scanned=391976
# found=18
# cleaned=18
# scan_time=10929
C:\Documents and Settings\All Users\Application Data\SaveAs\50a3b30f8aa09.ocx   Win32/Adware.MultiPlug.D application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Keith Waters\My Documents\My Videos\iLividSetupV1.exe   Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Downloads\RegistryBooster\registrybooster.exe   a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Downloads\VLCMediaPlayer\VLCMediaPlayer.exe   a variant of Win32/Somoto.A application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Program Files\MocaFlix\sprotector.dll   Win32/SProtector application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Program Files\Search Results Toolbar\Datamngr\datamngr.dll   a variant of Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Program Files\Search Results Toolbar\Datamngr\datamngrUI.exe   a variant of Win32/Toolbar.SearchSuite.A application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Program Files\Search Results Toolbar\Datamngr\DnsBHO.dll   a variant of Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Program Files\Search Results Toolbar\Datamngr\IEBHO.dll   a variant of Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048876.ocx   Win32/Adware.MultiPlug.D application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048877.exe   a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048878.exe   a variant of Win32/Somoto.A application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048879.dll   Win32/SProtector application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048880.dll   a variant of Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048881.exe   a variant of Win32/Toolbar.SearchSuite.A application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048882.dll   a variant of Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048883.dll   a variant of Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\TBas\PETZOLD\CHAPT06\CONNECT.EXE   a variant of Win32/Kryptik.AFAX trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 17, 2012, 12:20:34 PM

• Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  (http://img.photobucket.com/albums/v420/kdiamondkenny/Computer/TDSSKillernumber1.png)
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  (http://img.photobucket.com/albums/v420/kdiamondkenny/Computer/TDSSKillernumber2.png)
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  (http://img.photobucket.com/albums/v420/kdiamondkenny/Computer/TDSSKillernumber3.png)
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  (http://img.photobucket.com/albums/v420/kdiamondkenny/Computer/TDSSKillerlastone3.png)
  
  
• Click the Report button and copy/paste the contents of it into your next reply
  

Note:It will also create a log in the C:\ directory..

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 17, 2012, 01:55:24 PM

Thanks for these latest instructions.  I ran TDSSKiller and it found no issues at all.  The log is below.

Earlier today I noticed a few odd things with the computer.

While left unattended, a message box had appeared saying, “jusched.exe has encountered a problem and needs to close.  We are sorry for the inconvenience.”.

I ran MS Defrag.  When finished it said there were files that could not be defragmented and the “before and after” graphic didn’t look much improved (report is below, although it does not list any files!).

When I tried to search for a file, the Windows Search utility doesn’t display properly as shown in attached image.  The Search form is all crunched up and when I scroll to the bottom there is no Search “puppy” option as there was before.  Then when I try to search for file “whatever” I get ‘Nothing found for query “” because the folder c:\ is not indexed‘.

Later, after hunting around but not finding any settings etc. to change, I tried again.  This time I no longer get the “Nothing found…” message when I launch Search from Windows Explorer but I still get it from Start>Search as shown in the attached image.  The Search form is still not displaying properly though.  Could a Windows system file be corrupted perhaps?

Reinstalled Google Chrome.  When ran first time it gave “Could not open user profile”.  I have cured this by removing old profile and creating a new one.

Keith

(http://SearchOnC.png)
(http://Search#02.png)


20:34:24.0906 5008  TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
20:34:25.0390 5008  ============================================================
20:34:25.0390 5008  Current date / time: 2012/11/17 20:34:25.0390
20:34:25.0390 5008  SystemInfo:
20:34:25.0390 5008 
20:34:25.0390 5008  OS Version: 5.1.2600 ServicePack: 3.0
20:34:25.0390 5008  Product type: Workstation
20:34:25.0390 5008  ComputerName: DELLDESK
20:34:25.0390 5008  UserName: Keith Waters
20:34:25.0390 5008  Windows directory: C:\WINDOWS
20:34:25.0390 5008  System windows directory: C:\WINDOWS
20:34:25.0390 5008  Processor architecture: Intel x86
20:34:25.0390 5008  Number of processors: 8
20:34:25.0390 5008  Page size: 0x1000
20:34:25.0390 5008  Boot type: Normal boot
20:34:25.0390 5008  ============================================================
20:34:26.0109 5008  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:34:26.0109 5008  ============================================================
20:34:26.0109 5008  \Device\Harddisk0\DR0:
20:34:26.0109 5008  MBR partitions:
20:34:26.0109 5008  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2F10C, BlocksNum 0x3A355B35
20:34:26.0109 5008  ============================================================
20:34:26.0156 5008  C: <-> \Device\Harddisk0\DR0\Partition1
20:34:26.0156 5008  ============================================================
20:34:26.0156 5008  Initialize success
20:34:26.0156 5008  ============================================================
20:35:13.0109 4688  ============================================================
20:35:13.0109 4688  Scan started
20:35:13.0109 4688  Mode: Manual;
20:35:13.0109 4688  ============================================================
20:35:13.0218 4688  ================ Scan system memory ========================
20:35:13.0218 4688  System memory - ok
20:35:13.0218 4688  ================ Scan services =============================
20:35:13.0281 4688  [ C0393EB99A6C72C6BEF9BFC4A72B33A6 ] !SASCORE        C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
20:35:13.0281 4688  !SASCORE - ok
20:35:13.0390 4688  Abiosdsk - ok
20:35:13.0421 4688  [ 6ABB91494FE6C59089B9336452AB2EA3 ] abp480n5        C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
20:35:13.0421 4688  abp480n5 - ok
20:35:13.0468 4688  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:35:13.0468 4688  ACPI - ok
20:35:13.0500 4688  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          C:\WINDOWS\system32\drivers\ACPIEC.sys
20:35:13.0500 4688  ACPIEC - ok
20:35:13.0562 4688  [ 44C00A385CA9DBC1D5CF3781F8C26AEA ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
20:35:13.0562 4688  AdobeFlashPlayerUpdateSvc - ok
20:35:13.0593 4688  [ 9A11864873DA202C996558B2106B0BBC ] adpu160m        C:\WINDOWS\system32\DRIVERS\adpu160m.sys
20:35:13.0593 4688  adpu160m - ok
20:35:13.0625 4688  [ 8BED39E3C35D6A489438B8141717A557 ] aec             C:\WINDOWS\system32\drivers\aec.sys
20:35:13.0625 4688  aec - ok
20:35:13.0671 4688  [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD             C:\WINDOWS\System32\drivers\afd.sys
20:35:13.0671 4688  AFD - ok
20:35:13.0703 4688  [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440          C:\WINDOWS\system32\DRIVERS\agp440.sys
20:35:13.0703 4688  agp440 - ok
20:35:13.0718 4688  [ 03A7E0922ACFE1B07D5DB2EEB0773063 ] agpCPQ          C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
20:35:13.0718 4688  agpCPQ - ok
20:35:13.0734 4688  [ C23EA9B5F46C7F7910DB3EAB648FF013 ] Aha154x         C:\WINDOWS\system32\DRIVERS\aha154x.sys
20:35:13.0750 4688  Aha154x - ok
20:35:13.0750 4688  [ 19DD0FB48B0C18892F70E2E7D61A1529 ] aic78u2         C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:35:13.0765 4688  aic78u2 - ok
20:35:13.0781 4688  [ B7FE594A7468AA0132DEB03FB8E34326 ] aic78xx         C:\WINDOWS\system32\DRIVERS\aic78xx.sys
20:35:13.0781 4688  aic78xx - ok
20:35:13.0812 4688  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
20:35:13.0828 4688  Alerter - ok
20:35:13.0859 4688  [ 8C515081584A38AA007909CD02020B3D ] ALG             C:\WINDOWS\System32\alg.exe
20:35:13.0859 4688  ALG - ok
20:35:13.0890 4688  [ 1140AB9938809700B46BB88E46D72A96 ] AliIde          C:\WINDOWS\system32\DRIVERS\aliide.sys
20:35:13.0890 4688  AliIde - ok
20:35:13.0890 4688  [ CB08AED0DE2DD889A8A820CD8082D83C ] alim1541        C:\WINDOWS\system32\DRIVERS\alim1541.sys
20:35:13.0890 4688  alim1541 - ok
20:35:13.0921 4688  [ F6AF59D6EEE5E1C304F7F73706AD11D8 ] Ambfilt         C:\WINDOWS\system32\drivers\Ambfilt.sys
20:35:13.0953 4688  Ambfilt - ok
20:35:13.0968 4688  [ 95B4FB835E28AA1336CEEB07FD5B9398 ] amdagp          C:\WINDOWS\system32\DRIVERS\amdagp.sys
20:35:13.0968 4688  amdagp - ok
20:35:13.0968 4688  [ 79F5ADD8D24BD6893F2903A3E2F3FAD6 ] amsint          C:\WINDOWS\system32\DRIVERS\amsint.sys
20:35:13.0968 4688  amsint - ok
20:35:14.0000 4688  [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt         C:\WINDOWS\System32\appmgmts.dll
20:35:14.0000 4688  AppMgmt - ok
20:35:14.0015 4688  [ 62D318E9A0C8FC9B780008E724283707 ] asc             C:\WINDOWS\system32\DRIVERS\asc.sys
20:35:14.0015 4688  asc - ok
20:35:14.0062 4688  [ 69EB0CC7714B32896CCBFD5EDCBEA447 ] asc3350p        C:\WINDOWS\system32\DRIVERS\asc3350p.sys
20:35:14.0062 4688  asc3350p - ok
20:35:14.0093 4688  [ 5D8DE112AA0254B907861E9E9C31D597 ] asc3550         C:\WINDOWS\system32\DRIVERS\asc3550.sys
20:35:14.0093 4688  asc3550 - ok
20:35:14.0187 4688  [ 776ACEFA0CA9DF0FAA51A5FB2F435705 ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
20:35:14.0218 4688  aspnet_state - ok
20:35:14.0234 4688  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:35:14.0234 4688  AsyncMac - ok
20:35:14.0281 4688  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
20:35:14.0281 4688  atapi - ok
20:35:14.0281 4688  Atdisk - ok
20:35:14.0312 4688  [ 1635A809B90EAC3C0A844249E9A35856 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
20:35:14.0328 4688  Ati HotKey Poller - ok
20:35:14.0421 4688  [ 7452AB1A89F43785D20A10066BC3B73A ] ati2mtag        C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
20:35:14.0484 4688  ati2mtag - ok
20:35:14.0531 4688  [ D9BC8892B9440A2551B8148C57AA039E ] AtiHdmiService  C:\WINDOWS\system32\drivers\AtiHdmi.sys
20:35:14.0546 4688  AtiHdmiService - ok
20:35:14.0562 4688  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:35:14.0562 4688  Atmarpc - ok
20:35:14.0593 4688  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
20:35:14.0593 4688  AudioSrv - ok
20:35:14.0593 4688  [ D9F724AA26C010A217C97606B160ED68 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
20:35:14.0593 4688  audstub - ok
20:35:14.0718 4688  [ 124D235185004F699FAF115EBD85733E ] AVG Security Toolbar Service C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
20:35:14.0734 4688  AVG Security Toolbar Service - ok
20:35:14.0875 4688  [ F6A528DE535396C2FB1A4E3C6F00CEC4 ] AVGIDSAgent     C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
20:35:14.0890 4688  AVGIDSAgent - ok
20:35:14.0937 4688  [ 1074F787080068C71303B61FAE7E7CA4 ] AVGIDSDriver    C:\WINDOWS\system32\DRIVERS\avgidsdriverx.sys
20:35:14.0937 4688  AVGIDSDriver - ok
20:35:14.0968 4688  [ 61A7E0B02F82CFF3DB2445BBE50B3589 ] AVGIDSFilter    C:\WINDOWS\system32\DRIVERS\avgidsfilterx.sys
20:35:14.0968 4688  AVGIDSFilter - ok
20:35:14.0984 4688  [ D63D83659EEDF60B3A3E620281A888E5 ] AVGIDSHX        C:\WINDOWS\system32\DRIVERS\avgidshx.sys
20:35:14.0984 4688  AVGIDSHX - ok
20:35:15.0031 4688  [ BAF975B72062F53D327788E99D64197E ] AVGIDSShim      C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys
20:35:15.0031 4688  AVGIDSShim - ok
20:35:15.0046 4688  [ DCB09125C8B4766A88C86914B65487C1 ] Avgldx86        C:\WINDOWS\system32\DRIVERS\avgldx86.sys
20:35:15.0046 4688  Avgldx86 - ok
20:35:15.0062 4688  [ CCDD61545AAEA265977E4B1EFDC74E8C ] Avgmfx86        C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
20:35:15.0062 4688  Avgmfx86 - ok
20:35:15.0078 4688  [ 1FD90B28D2C3100BF4500199C8AD6358 ] Avgrkx86        C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
20:35:15.0078 4688  Avgrkx86 - ok
20:35:15.0109 4688  [ C0BC3B2E3FD625E7F55E1FF863E94592 ] Avgtdix         C:\WINDOWS\system32\DRIVERS\avgtdix.sys
20:35:15.0125 4688  Avgtdix - ok
20:35:15.0156 4688  [ 57D83B82117C2DDB9D7E9AEA691CEDFC ] avgtp           C:\WINDOWS\system32\drivers\avgtpx86.sys
20:35:15.0171 4688  avgtp - ok
20:35:15.0203 4688  [ EA1145DEBCD508FD25BD1E95C4346929 ] avgwd           C:\Program Files\AVG\AVG2012\avgwdsvc.exe
20:35:15.0203 4688  avgwd - ok
20:35:15.0234 4688  [ 5C68AC6F3E5B3E6D6A78E97D05E42C3A ] BASFND          C:\Program Files\Broadcom\BACS\BASFND.sys
20:35:15.0234 4688  BASFND - ok
20:35:15.0343 4688  [ F48FEB7DA35821DA15E0B006DCB9A169 ] BBSvc           C:\Program Files\Microsoft\BingBar\7.1.391.0\BBSvc.exe
20:35:15.0359 4688  BBSvc - ok
20:35:15.0390 4688  [ 8E16F7A85441986FD2B9CE6C879524E4 ] BBUpdate        C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
20:35:15.0406 4688  BBUpdate - ok
20:35:15.0453 4688  [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep            C:\WINDOWS\system32\drivers\Beep.sys
20:35:15.0453 4688  Beep - ok
20:35:15.0515 4688  [ 574738F61FCA2935F5265DC4E5691314 ] BITS            C:\WINDOWS\system32\qmgr.dll
20:35:15.0625 4688  BITS - ok
20:35:15.0640 4688  [ 7C9F9F819EA17016E6C7BF387A0E0883 ] BPowMon         C:\Program Files\Broadcom\BACS\BPowMon.exe
20:35:15.0640 4688  BPowMon - ok
20:35:15.0671 4688  [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser         C:\WINDOWS\System32\browser.dll
20:35:15.0671 4688  Browser - ok
20:35:15.0703 4688  catchme - ok
20:35:15.0718 4688  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf           C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
20:35:15.0718 4688  cbidf - ok
20:35:15.0734 4688  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k         C:\WINDOWS\system32\drivers\cbidf2k.sys
20:35:15.0734 4688  cbidf2k - ok
20:35:15.0750 4688  [ F3EC03299634490E97BBCE94CD2954C7 ] cd20xrnt        C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
20:35:15.0750 4688  cd20xrnt - ok
20:35:15.0781 4688  [ C1B486A7658353D33A10CC15211A873B ] Cdaudio         C:\WINDOWS\system32\drivers\Cdaudio.sys
20:35:15.0781 4688  Cdaudio - ok
20:35:15.0812 4688  [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs            C:\WINDOWS\system32\drivers\Cdfs.sys
20:35:15.0812 4688  Cdfs - ok
20:35:15.0843 4688  [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom           C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:35:15.0843 4688  Cdrom - ok
20:35:15.0843 4688  cerc6 - ok
20:35:15.0843 4688  Changer - ok
20:35:15.0875 4688  [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc           C:\WINDOWS\system32\cisvc.exe
20:35:15.0875 4688  CiSvc - ok
20:35:15.0875 4688  [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv         C:\WINDOWS\system32\clipsrv.exe
20:35:15.0875 4688  ClipSrv - ok
20:35:15.0968 4688  [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
20:35:16.0000 4688  clr_optimization_v2.0.50727_32 - ok
20:35:16.0046 4688  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
20:35:16.0062 4688  clr_optimization_v4.0.30319_32 - ok
20:35:16.0171 4688  [ 2A2D72271844C52F004901A60312B96A ] cmdAgent        C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
20:35:16.0171 4688  cmdAgent - ok
20:35:16.0218 4688  [ 9181CC4D007ADBE21DB9A11BFECAFEF5 ] cmdGuard        C:\WINDOWS\system32\DRIVERS\cmdguard.sys
20:35:16.0218 4688  cmdGuard - ok
20:35:16.0234 4688  [ C5A9FB50E8CA7FD99F256255FEE71580 ] cmdHlp          C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
20:35:16.0234 4688  cmdHlp - ok
20:35:16.0265 4688  [ E5DCB56C533014ECBC556A8357C929D5 ] CmdIde          C:\WINDOWS\system32\DRIVERS\cmdide.sys
20:35:16.0265 4688  CmdIde - ok
20:35:16.0265 4688  COMSysApp - ok
20:35:16.0281 4688  [ 3EE529119EED34CD212A215E8C40D4B6 ] Cpqarray        C:\WINDOWS\system32\DRIVERS\cpqarray.sys
20:35:16.0281 4688  Cpqarray - ok
20:35:16.0312 4688  [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc        C:\WINDOWS\System32\cryptsvc.dll
20:35:16.0312 4688  CryptSvc - ok
20:35:16.0328 4688  [ E550E7418984B65A78299D248F0A7F36 ] dac2w2k         C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
20:35:16.0328 4688  dac2w2k - ok
20:35:16.0359 4688  [ 683789CAA3864EB46125AE86FF677D34 ] dac960nt        C:\WINDOWS\system32\DRIVERS\dac960nt.sys
20:35:16.0359 4688  dac960nt - ok
20:35:16.0390 4688  [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch      C:\WINDOWS\system32\rpcss.dll
20:35:16.0406 4688  DcomLaunch - ok
20:35:16.0437 4688  [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp            C:\WINDOWS\System32\dhcpcsvc.dll
20:35:16.0453 4688  Dhcp - ok
20:35:16.0468 4688  [ 044452051F3E02E7963599FC8F4F3E25 ] Disk            C:\WINDOWS\system32\DRIVERS\disk.sys
20:35:16.0484 4688  Disk - ok
20:35:16.0484 4688  dmadmin - ok
20:35:16.0500 4688  [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
20:35:16.0515 4688  dmboot - ok
20:35:16.0515 4688  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            C:\WINDOWS\system32\DRIVERS\dmio.sys
20:35:16.0515 4688  dmio - ok
20:35:16.0531 4688  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
20:35:16.0531 4688  dmload - ok
20:35:16.0562 4688  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        C:\WINDOWS\System32\dmserver.dll
20:35:16.0562 4688  dmserver - ok
20:35:16.0609 4688  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
20:35:16.0609 4688  DMusic - ok
20:35:16.0640 4688  [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
20:35:16.0640 4688  Dnscache - ok
20:35:16.0656 4688  [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
20:35:16.0671 4688  Dot3svc - ok
20:35:16.0687 4688  [ 40F3B93B4E5B0126F2F5C0A7A5E22660 ] dpti2o          C:\WINDOWS\system32\DRIVERS\dpti2o.sys
20:35:16.0687 4688  dpti2o - ok
20:35:16.0718 4688  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
20:35:16.0718 4688  drmkaud - ok
20:35:16.0750 4688  [ 79D48920063220D5E0C55C5964234099 ] dsNcAdpt        C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
20:35:16.0750 4688  dsNcAdpt - ok
20:35:16.0812 4688  [ F383B60E7468D613990F8ACA59269573 ] dsNcService     C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
20:35:16.0828 4688  dsNcService - ok
20:35:16.0859 4688  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         C:\WINDOWS\System32\eapsvc.dll
20:35:16.0859 4688  EapHost - ok
20:35:16.0875 4688  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           C:\WINDOWS\System32\ersvc.dll
20:35:16.0875 4688  ERSvc - ok
20:35:16.0906 4688  [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog        C:\WINDOWS\system32\services.exe
20:35:16.0921 4688  Eventlog - ok
20:35:16.0953 4688  [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem     C:\WINDOWS\system32\es.dll
20:35:16.0953 4688  EventSystem - ok
20:35:17.0000 4688  [ 38D332A6D56AF32635675F132548343E ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
20:35:17.0000 4688  Fastfat - ok
20:35:17.0031 4688  [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
20:35:17.0031 4688  FastUserSwitchingCompatibility - ok
20:35:17.0078 4688  [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax             C:\WINDOWS\system32\fxssvc.exe
20:35:17.0078 4688  Fax - ok
20:35:17.0125 4688  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             C:\WINDOWS\system32\drivers\Fdc.sys
20:35:17.0125 4688  Fdc - ok
20:35:17.0156 4688  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
20:35:17.0156 4688  Fips - ok
20:35:17.0187 4688  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        C:\WINDOWS\system32\drivers\Flpydisk.sys
20:35:17.0187 4688  Flpydisk - ok
20:35:17.0218 4688  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:35:17.0218 4688  FltMgr - ok
20:35:17.0265 4688  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:35:17.0265 4688  Fs_Rec - ok
20:35:17.0296 4688  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:35:17.0296 4688  Ftdisk - ok
20:35:17.0312 4688  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:35:17.0328 4688  Gpc - ok
20:35:17.0359 4688  [ F02A533F517EB38333CB12A9E8963773 ] gupdate         C:\Program Files\Google\Update\GoogleUpdate.exe
20:35:17.0359 4688  gupdate - ok
20:35:17.0359 4688  [ F02A533F517EB38333CB12A9E8963773 ] gupdatem        C:\Program Files\Google\Update\GoogleUpdate.exe
20:35:17.0359 4688  gupdatem - ok
20:35:17.0406 4688  [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus        C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:35:17.0406 4688  HDAudBus - ok
20:35:17.0468 4688  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
20:35:17.0484 4688  helpsvc - ok
20:35:17.0500 4688  [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ         C:\WINDOWS\System32\hidserv.dll
20:35:17.0500 4688  HidServ - ok
20:35:17.0546 4688  [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb          C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:35:17.0546 4688  hidusb - ok
20:35:17.0578 4688  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
20:35:17.0578 4688  hkmsvc - ok
20:35:17.0625 4688  [ 853BABC289F2B46F8150DF0E0CF0B537 ] hnmsvc          C:\Program Files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
20:35:17.0640 4688  hnmsvc - ok
20:35:17.0640 4688  [ B028377DEA0546A5FCFBA928A8AEFAE0 ] hpn             C:\WINDOWS\system32\DRIVERS\hpn.sys
20:35:17.0656 4688  hpn - ok
20:35:17.0671 4688  [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
20:35:17.0671 4688  HTTP - ok
20:35:17.0703 4688  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
20:35:17.0718 4688  HTTPFilter - ok
20:35:17.0734 4688  [ 9368670BD426EBEA5E8B18A62416EC28 ] i2omgmt         C:\WINDOWS\system32\drivers\i2omgmt.sys
20:35:17.0734 4688  i2omgmt - ok
20:35:17.0765 4688  [ F10863BF1CCC290BABD1A09188AE49E0 ] i2omp           C:\WINDOWS\system32\DRIVERS\i2omp.sys
20:35:17.0765 4688  i2omp - ok
20:35:17.0781 4688  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:35:17.0781 4688  i8042prt - ok
20:35:17.0843 4688  [ 0E899D0DB39617AA0B2F992E7E95B5EB ] IAANTMON        C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
20:35:17.0843 4688  IAANTMON - ok
20:35:17.0875 4688  [ 01446278D4563B3013C92830AE6CBB26 ] iaStor          C:\WINDOWS\system32\DRIVERS\iaStor.sys
20:35:17.0875 4688  iaStor - ok
20:35:17.0953 4688  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
20:35:17.0968 4688  idsvc - ok
20:35:18.0031 4688  [ DB3C22745C0DA4666F3BE31F1AF36B2F ] IISADMIN        C:\WINDOWS\system32\inetsrv\inetinfo.exe
20:35:18.0031 4688  IISADMIN - ok
20:35:18.0031 4688  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
20:35:18.0031 4688  Imapi - ok
20:35:18.0078 4688  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    C:\WINDOWS\system32\imapi.exe
20:35:18.0093 4688  ImapiService - ok
20:35:18.0125 4688  [ 4A40E045FAEE58631FD8D91AFC620719 ] ini910u         C:\WINDOWS\system32\DRIVERS\ini910u.sys
20:35:18.0125 4688  ini910u - ok
20:35:18.0140 4688  [ E1DF634BEC066B3D4FFE437BCB78C282 ] Inspect         C:\WINDOWS\system32\DRIVERS\inspect.sys
20:35:18.0140 4688  Inspect - ok
20:35:18.0250 4688  [ 0CACDCBBC8E6F11E2865C47BFC509848 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:35:18.0359 4688  IntcAzAudAddService - ok
20:35:18.0375 4688  [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde        C:\WINDOWS\system32\DRIVERS\intelide.sys
20:35:18.0375 4688  IntelIde - ok
20:35:18.0421 4688  [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm        C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:35:18.0421 4688  intelppm - ok
20:35:18.0453 4688  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:35:18.0453 4688  Ip6Fw - ok
20:35:18.0500 4688  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:35:18.0500 4688  IpFilterDriver - ok
20:35:18.0531 4688  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:35:18.0531 4688  IpInIp - ok
20:35:18.0562 4688  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:35:18.0562 4688  IpNat - ok
20:35:18.0578 4688  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:35:18.0578 4688  IPSec - ok
20:35:18.0593 4688  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
20:35:18.0593 4688  IRENUM - ok
20:35:18.0625 4688  [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:35:18.0625 4688  isapnp - ok
20:35:18.0640 4688  [ 997190701BD80DD0F4412ED202CC7816 ] k57w2k          C:\WINDOWS\system32\DRIVERS\k57xp32.sys
20:35:18.0640 4688  k57w2k - ok
20:35:18.0656 4688  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:35:18.0656 4688  Kbdclass - ok
20:35:18.0703 4688  [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid          C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:35:18.0703 4688  kbdhid - ok
20:35:18.0750 4688  [ 692BCF44383D056AED41B045A323D378 ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
20:35:18.0750 4688  kmixer - ok
20:35:18.0765 4688  [ B467646C54CC746128904E1654C750C1 ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
20:35:18.0765 4688  KSecDD - ok
20:35:18.0796 4688  [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] LanmanServer    C:\WINDOWS\System32\srvsvc.dll
20:35:18.0796 4688  LanmanServer - ok
20:35:18.0828 4688  [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
20:35:18.0843 4688  lanmanworkstation - ok
20:35:18.0843 4688  lbrtfdc - ok
20:35:18.0859 4688  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
20:35:18.0859 4688  LmHosts - ok
20:35:18.0906 4688  [ A2AE666CEE860BABE7FA6F1662B71737 ] MASPINT         C:\WINDOWS\system32\drivers\MASPINT.sys
20:35:18.0906 4688  MASPINT - ok
20:35:18.0968 4688  [ 6CAB6542CCF3B5F1BB86D2CB6EED1E48 ] MDM             C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
20:35:18.0968 4688  MDM - ok
20:35:19.0015 4688  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
20:35:19.0015 4688  Messenger - ok
20:35:19.0031 4688  [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd           C:\WINDOWS\system32\drivers\mnmdd.sys
20:35:19.0031 4688  mnmdd - ok
20:35:19.0046 4688  [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc         C:\WINDOWS\system32\mnmsrvc.exe
20:35:19.0062 4688  mnmsrvc - ok
20:35:19.0062 4688  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
20:35:19.0062 4688  Modem - ok
20:35:19.0093 4688  [ 9FA7207D1B1ADEAD88AE8EED9CDBBAA5 ] Monfilt         C:\WINDOWS\system32\drivers\Monfilt.sys
20:35:19.0109 4688  Monfilt - ok
20:35:19.0140 4688  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:35:19.0140 4688  Mouclass - ok
20:35:19.0187 4688  [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid          C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:35:19.0187 4688  mouhid - ok
20:35:19.0234 4688  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
20:35:19.0234 4688  MountMgr - ok
20:35:19.0265 4688  [ 3F4BB95E5A44F3BE34824E8E7CAF0737 ] mraid35x        C:\WINDOWS\system32\DRIVERS\mraid35x.sys
20:35:19.0265 4688  mraid35x - ok
20:35:19.0265 4688  [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:35:19.0265 4688  MRxDAV - ok
20:35:19.0312 4688  [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:35:19.0312 4688  MRxSmb - ok
20:35:19.0328 4688  [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
20:35:19.0328 4688  MSDTC - ok
20:35:19.0343 4688  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
20:35:19.0343 4688  Msfs - ok
20:35:19.0343 4688  MSIServer - ok
20:35:19.0359 4688  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:35:19.0359 4688  MSKSSRV - ok
20:35:19.0375 4688  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:35:19.0375 4688  MSPCLOCK - ok
20:35:19.0406 4688  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
20:35:19.0406 4688  MSPQM - ok
20:35:19.0453 4688  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:35:19.0453 4688  mssmbios - ok
20:35:19.0546 4688  MSSQL$SQLEXPRESS - ok
20:35:19.0593 4688  MSSQLSERVER - ok
20:35:19.0625 4688  [ 1D89EB4E2A99CABD4E81225F4F4C4B25 ] MSSQLServerADHelper c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe
20:35:19.0625 4688  MSSQLServerADHelper - ok
20:35:19.0796 4688  [ 70E994D23895DF6B1EE1E70145299FCF ] msvsmon90       c:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe
20:35:19.0875 4688  msvsmon90 - ok
20:35:19.0906 4688  [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
20:35:19.0921 4688  Mup - ok
20:35:19.0953 4688  [ 0102140028FAD045756796E1C685D695 ] napagent        C:\WINDOWS\System32\qagentrt.dll
20:35:19.0953 4688  napagent - ok
20:35:19.0984 4688  NasPmService - ok
20:35:20.0015 4688  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
20:35:20.0031 4688  NDIS - ok
20:35:20.0031 4688  [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:35:20.0031 4688  NdisTapi - ok
20:35:20.0046 4688  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:35:20.0046 4688  Ndisuio - ok
20:35:20.0062 4688  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:35:20.0078 4688  NdisWan - ok
20:35:20.0093 4688  [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
20:35:20.0093 4688  NDProxy - ok
20:35:20.0109 4688  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
20:35:20.0109 4688  NetBIOS - ok
20:35:20.0140 4688  [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
20:35:20.0140 4688  NetBT - ok
20:35:20.0171 4688  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          C:\WINDOWS\system32\netdde.exe
20:35:20.0187 4688  NetDDE - ok
20:35:20.0187 4688  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
20:35:20.0187 4688  NetDDEdsdm - ok
20:35:20.0234 4688  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
20:35:20.0234 4688  Netlogon - ok
20:35:20.0234 4688  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
20:35:20.0234 4688  Netman - ok
20:35:20.0281 4688  [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
20:35:20.0296 4688  NetTcpPortSharing - ok
20:35:20.0343 4688  [ 943337D786A56729263071623BBB9DE5 ] Nla             C:\WINDOWS\System32\mswsock.dll
20:35:20.0343 4688  Nla - ok
20:35:20.0406 4688  [ 7AEA4DF1CA68FD45DD4BBE1F0243CE7F ] NMSAccess       C:\Program Files\CDBurnerXP\NMSAccessU.exe
20:35:20.0406 4688  NMSAccess - ok
20:35:20.0406 4688  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
20:35:20.0406 4688  Npfs - ok
20:35:20.0421 4688  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
20:35:20.0421 4688  Ntfs - ok
20:35:20.0437 4688  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
20:35:20.0437 4688  NtLmSsp - ok
20:35:20.0468 4688  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
20:35:20.0484 4688  NtmsSvc - ok
20:35:20.0515 4688  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
20:35:20.0515 4688  Null - ok
20:35:20.0546 4688  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:35:20.0546 4688  NwlnkFlt - ok
20:35:20.0562 4688  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:35:20.0562 4688  NwlnkFwd - ok
20:35:20.0593 4688  [ 5A432A042DAE460ABE7199B758E8606C ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
20:35:20.0593 4688  ose - ok
20:35:20.0609 4688  [ 9D80E0BE979C3EDAF2863F23B88F4DE6 ] Packet          C:\WINDOWS\system32\DRIVERS\packet.sys
20:35:20.0609 4688  Packet - ok
20:35:20.0640 4688  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\drivers\Parport.sys
20:35:20.0640 4688  Parport - ok
20:35:20.0640 4688  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
20:35:20.0640 4688  PartMgr - ok
20:35:20.0656 4688  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
20:35:20.0656 4688  ParVdm - ok
20:35:20.0703 4688  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
20:35:20.0703 4688  PCI - ok
20:35:20.0703 4688  PCIDump - ok
20:35:20.0718 4688  [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde          C:\WINDOWS\system32\DRIVERS\pciide.sys
20:35:20.0718 4688  PCIIde - ok
20:35:20.0750 4688  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
20:35:20.0750 4688  Pcmcia - ok
20:35:20.0750 4688  PDCOMP - ok
20:35:20.0765 4688  PDFRAME - ok
20:35:20.0765 4688  PDRELI - ok
20:35:20.0765 4688  PDRFRAME - ok
20:35:20.0781 4688  [ 6C14B9C19BA84F73D3A86DBA11133101 ] perc2           C:\WINDOWS\system32\DRIVERS\perc2.sys
20:35:20.0781 4688  perc2 - ok
20:35:20.0796 4688  [ F50F7C27F131AFE7BEBA13E14A3B9416 ] perc2hib        C:\WINDOWS\system32\DRIVERS\perc2hib.sys
20:35:20.0796 4688  perc2hib - ok
20:35:20.0828 4688  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        C:\WINDOWS\system32\services.exe
20:35:20.0828 4688  PlugPlay - ok
20:35:20.0828 4688  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
20:35:20.0828 4688  PolicyAgent - ok
20:35:20.0828 4688  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:35:20.0843 4688  PptpMiniport - ok
20:35:20.0843 4688  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
20:35:20.0843 4688  ProtectedStorage - ok
20:35:20.0843 4688  [ 09298EC810B07E5D582CB3A3F9255424 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
20:35:20.0843 4688  PSched - ok
20:35:20.0843 4688  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:35:20.0843 4688  Ptilink - ok
20:35:20.0875 4688  [ 03E0FE281823BA64B3782F5B38950E73 ] PxHelp20        C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:35:20.0890 4688  PxHelp20 - ok
20:35:20.0906 4688  [ 0A63FB54039EB5662433CABA3B26DBA7 ] ql1080          C:\WINDOWS\system32\DRIVERS\ql1080.sys
20:35:20.0906 4688  ql1080 - ok
20:35:20.0953 4688  [ 6503449E1D43A0FF0201AD5CB1B8C706 ] Ql10wnt         C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
20:35:20.0953 4688  Ql10wnt - ok
20:35:20.0984 4688  [ 156ED0EF20C15114CA097A34A30D8A01 ] ql12160         C:\WINDOWS\system32\DRIVERS\ql12160.sys
20:35:20.0984 4688  ql12160 - ok
20:35:21.0015 4688  [ 70F016BEBDE6D29E864C1230A07CC5E6 ] ql1240          C:\WINDOWS\system32\DRIVERS\ql1240.sys
20:35:21.0015 4688  ql1240 - ok
20:35:21.0031 4688  [ 907F0AEEA6BC451011611E732BD31FCF ] ql1280          C:\WINDOWS\system32\DRIVERS\ql1280.sys
20:35:21.0031 4688  ql1280 - ok
20:35:21.0046 4688  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:35:21.0046 4688  RasAcd - ok
20:35:21.0078 4688  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         C:\WINDOWS\System32\rasauto.dll
20:35:21.0093 4688  RasAuto - ok
20:35:21.0109 4688  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:35:21.0109 4688  Rasl2tp - ok
20:35:21.0125 4688  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          C:\WINDOWS\System32\rasmans.dll
20:35:21.0125 4688  RasMan - ok
20:35:21.0125 4688  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:35:21.0125 4688  RasPppoe - ok
20:35:21.0140 4688  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
20:35:21.0140 4688  Raspti - ok
20:35:21.0156 4688  [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:35:21.0171 4688  Rdbss - ok
20:35:21.0203 4688  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:35:21.0203 4688  RDPCDD - ok
20:35:21.0203 4688  [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr           C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:35:21.0203 4688  rdpdr - ok
20:35:21.0265 4688  [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
20:35:21.0281 4688  RDPWD - ok
20:35:21.0296 4688  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
20:35:21.0296 4688  RDSessMgr - ok
20:35:21.0328 4688  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
20:35:21.0328 4688  redbook - ok
20:35:21.0375 4688  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
20:35:21.0375 4688  RemoteAccess - ok
20:35:21.0390 4688  [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry  C:\WINDOWS\system32\regsvc.dll
20:35:21.0390 4688  RemoteRegistry - ok
20:35:21.0421 4688  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      C:\WINDOWS\system32\locator.exe
20:35:21.0421 4688  RpcLocator - ok
20:35:21.0437 4688  [ 6B27A5C03DFB94B4245739065431322C ] RpcSs           C:\WINDOWS\System32\rpcss.dll
20:35:21.0437 4688  RpcSs - ok
20:35:21.0484 4688  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
20:35:21.0484 4688  RSVP - ok
20:35:21.0500 4688  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           C:\WINDOWS\system32\lsass.exe
20:35:21.0500 4688  SamSs - ok
20:35:21.0578 4688  [ 39763504067962108505BFF25F024345 ] SASDIFSV        C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:35:21.0578 4688  SASDIFSV - ok
20:35:21.0578 4688  [ 77B9FC20084B48408AD3E87570EB4A85 ] SASKUTIL        C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
20:35:21.0593 4688  SASKUTIL - ok
20:35:21.0609 4688  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
20:35:21.0609 4688  SCardSvr - ok
20:35:21.0640 4688  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        C:\WINDOWS\system32\schedsvc.dll
20:35:21.0640 4688  Schedule - ok
20:35:21.0656 4688  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:35:21.0656 4688  Secdrv - ok
20:35:21.0687 4688  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        C:\WINDOWS\System32\seclogon.dll
20:35:21.0687 4688  seclogon - ok
20:35:21.0718 4688  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            C:\WINDOWS\system32\sens.dll
20:35:21.0734 4688  SENS - ok
20:35:21.0734 4688  [ 0F29512CCD6BEAD730039FB4BD2C85CE ] Serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
20:35:21.0734 4688  Serenum - ok
20:35:21.0734 4688  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
20:35:21.0734 4688  Serial - ok
20:35:21.0781 4688  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
20:35:21.0781 4688  Sfloppy - ok
20:35:21.0796 4688  [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess    C:\WINDOWS\System32\ipnathlp.dll
20:35:21.0812 4688  SharedAccess - ok
20:35:21.0828 4688  [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
20:35:21.0828 4688  ShellHWDetection - ok
20:35:21.0828 4688  Simbad - ok
20:35:21.0859 4688  [ 6B33D0EBD30DB32E27D1D78FE946A754 ] sisagp          C:\WINDOWS\system32\DRIVERS\sisagp.sys
20:35:21.0859 4688  sisagp - ok
20:35:21.0890 4688  [ DB3C22745C0DA4666F3BE31F1AF36B2F ] SMTPSVC         C:\WINDOWS\system32\inetsrv\inetinfo.exe
20:35:21.0890 4688  SMTPSVC - ok
20:35:21.0937 4688  [ 83C0F71F86D3BDAF915685F3D568B20E ] Sparrow         C:\WINDOWS\system32\DRIVERS\sparrow.sys
20:35:21.0937 4688  Sparrow - ok
20:35:21.0968 4688  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
20:35:21.0968 4688  splitter - ok
20:35:22.0000 4688  [ 60784F891563FB1B767F70117FC2428F ] Spooler         C:\WINDOWS\system32\spoolsv.exe
20:35:22.0000 4688  Spooler - ok
20:35:22.0015 4688  [ 86EBD8B1F23E743AAD21F4D5B4D40985 ] SQLBrowser      c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
20:35:22.0031 4688  SQLBrowser - ok
20:35:22.0062 4688  [ D89083C4EB02DACA8F944B0E05E57F9D ] SQLWriter       c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
20:35:22.0062 4688  SQLWriter - ok
20:35:22.0078 4688  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
20:35:22.0078 4688  sr - ok
20:35:22.0125 4688  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       C:\WINDOWS\system32\srsvc.dll
20:35:22.0125 4688  srservice - ok
20:35:22.0140 4688  [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
20:35:22.0156 4688  Srv - ok
20:35:22.0171 4688  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
20:35:22.0171 4688  SSDPSRV - ok
20:35:22.0203 4688  [ EF3458337D7341A05169CEFC73709264 ] SSPORT          C:\WINDOWS\system32\Drivers\SSPORT.sys
20:35:22.0203 4688  SSPORT - ok
20:35:22.0234 4688  [ F92254B0BCFCD10CAAC7BCCC7CB7F467 ] StarOpen        C:\WINDOWS\system32\drivers\StarOpen.sys
20:35:22.0234 4688  StarOpen - ok
20:35:22.0281 4688  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
20:35:22.0281 4688  stisvc - ok
20:35:22.0328 4688  [ E476C66713C842F58E61A95826ED1D57 ] stllssvr        c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
20:35:22.0328 4688  stllssvr - ok
20:35:22.0359 4688  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
20:35:22.0359 4688  swenum - ok
20:35:22.0406 4688  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
20:35:22.0406 4688  swmidi - ok
20:35:22.0406 4688  SwPrv - ok
20:35:22.0453 4688  [ 1FF3217614018630D0A6758630FC698C ] symc810         C:\WINDOWS\system32\DRIVERS\symc810.sys
20:35:22.0453 4688  symc810 - ok
20:35:22.0468 4688  [ 070E001D95CF725186EF8B20335F933C ] symc8xx         C:\WINDOWS\system32\DRIVERS\symc8xx.sys
20:35:22.0468 4688  symc8xx - ok
20:35:22.0515 4688  [ 80AC1C4ABBE2DF3B738BF15517A51F2C ] sym_hi          C:\WINDOWS\system32\DRIVERS\sym_hi.sys
20:35:22.0515 4688  sym_hi - ok
20:35:22.0546 4688  [ BF4FAB949A382A8E105F46EBB4937058 ] sym_u3          C:\WINDOWS\system32\DRIVERS\sym_u3.sys
20:35:22.0546 4688  sym_u3 - ok
20:35:22.0593 4688  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
20:35:22.0593 4688  sysaudio - ok
20:35:22.0640 4688  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
20:35:22.0640 4688  SysmonLog - ok
20:35:22.0656 4688  [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
20:35:22.0671 4688  TapiSrv - ok
20:35:22.0687 4688  [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:35:22.0687 4688  Tcpip - ok
20:35:22.0718 4688  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
20:35:22.0718 4688  TDPIPE - ok
20:35:22.0718 4688  [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
20:35:22.0718 4688  TDTCP - ok
20:35:22.0734 4688  [ 88155247177638048422893737429D9E ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
20:35:22.0734 4688  TermDD - ok
20:35:22.0765 4688  [ FF3477C03BE7201C294C35F684B3479F ] TermService     C:\WINDOWS\System32\termsrv.dll
20:35:22.0765 4688  TermService - ok
20:35:22.0781 4688  [ 99BC0B50F511924348BE19C7C7313BBF ] Themes          C:\WINDOWS\System32\shsvcs.dll
20:35:22.0781 4688  Themes - ok
20:35:22.0812 4688  [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr         C:\WINDOWS\system32\tlntsvr.exe
20:35:22.0828 4688  TlntSvr - ok
20:35:22.0843 4688  [ F2790F6AF01321B172AA62F8E1E187D9 ] TosIde          C:\WINDOWS\system32\DRIVERS\toside.sys
20:35:22.0843 4688  TosIde - ok
20:35:22.0875 4688  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
20:35:22.0890 4688  TrkWks - ok
20:35:22.0906 4688  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
20:35:22.0921 4688  Udfs - ok
20:35:22.0937 4688  [ 1B698A51CD528D8DA4FFAED66DFC51B9 ] ultra           C:\WINDOWS\system32\DRIVERS\ultra.sys
20:35:22.0937 4688  ultra - ok
20:35:22.0968 4688  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
20:35:22.0968 4688  Update - ok
20:35:23.0015 4688  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        C:\WINDOWS\System32\upnphost.dll
20:35:23.0015 4688  upnphost - ok
20:35:23.0046 4688  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             C:\WINDOWS\System32\ups.exe
20:35:23.0046 4688  UPS - ok
20:35:23.0078 4688  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:35:23.0078 4688  usbccgp - ok
20:35:23.0093 4688  [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:35:23.0093 4688  usbehci - ok
20:35:23.0093 4688  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:35:23.0109 4688  usbhub - ok
20:35:23.0156 4688  [ A717C8721046828520C9EDF31288FC00 ] usbprint        C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:35:23.0156 4688  usbprint - ok
20:35:23.0187 4688  [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:35:23.0187 4688  usbscan - ok
20:35:23.0203 4688  [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:35:23.0203 4688  USBSTOR - ok
20:35:23.0218 4688  [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci         C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:35:23.0218 4688  usbuhci - ok
20:35:23.0250 4688  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
20:35:23.0250 4688  VgaSave - ok
20:35:23.0250 4688  [ 754292CE5848B3738281B4F3607EAEF4 ] viaagp          C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:35:23.0250 4688  viaagp - ok
20:35:23.0281 4688  [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde          C:\WINDOWS\system32\DRIVERS\viaide.sys
20:35:23.0281 4688  ViaIde - ok
20:35:23.0312 4688  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
20:35:23.0312 4688  VolSnap - ok
20:35:23.0328 4688  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             C:\WINDOWS\System32\vssvc.exe
20:35:23.0328 4688  VSS - ok
20:35:23.0328 4688  vToolbarUpdater13.2.0 - ok
20:35:23.0375 4688  [ 54AF4B1D5459500EF0937F6D33B1914F ] w32time         C:\WINDOWS\system32\w32time.dll
20:35:23.0375 4688  w32time - ok
20:35:23.0390 4688  [ DB3C22745C0DA4666F3BE31F1AF36B2F ] W3SVC           C:\WINDOWS\system32\inetsrv\inetinfo.exe
20:35:23.0390 4688  W3SVC - ok
20:35:23.0390 4688  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:35:23.0390 4688  Wanarp - ok
20:35:23.0390 4688  WDICA - ok
20:35:23.0406 4688  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
20:35:23.0406 4688  wdmaud - ok
20:35:23.0421 4688  [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient       C:\WINDOWS\System32\webclnt.dll
20:35:23.0421 4688  WebClient - ok
20:35:23.0515 4688  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
20:35:23.0515 4688  winmgmt - ok
20:35:23.0546 4688  [ 18F347402DA544A780949B8FDF83351B ] WinRM           C:\WINDOWS\system32\WsmSvc.dll
20:35:23.0578 4688  WinRM - ok
20:35:23.0593 4688  [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN        C:\WINDOWS\system32\mspmsnsv.dll
20:35:23.0593 4688  WmdmPmSN - ok
20:35:23.0640 4688  [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi             C:\WINDOWS\System32\advapi32.dll
20:35:23.0640 4688  Wmi - ok
20:35:23.0687 4688  [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi         C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
20:35:23.0687 4688  WmiAcpi - ok
20:35:23.0734 4688  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
20:35:23.0750 4688  WmiApSrv - ok
20:35:23.0812 4688  [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc   C:\Program Files\Windows Media Player\WMPNetwk.exe
20:35:23.0812 4688  WMPNetworkSvc - ok
20:35:23.0890 4688  [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
20:35:23.0890 4688  WPFFontCache_v0400 - ok
20:35:23.0937 4688  [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL         C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:35:23.0937 4688  WS2IFSL - ok
20:35:23.0984 4688  [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
20:35:23.0984 4688  wscsvc - ok
20:35:23.0984 4688  WSearch - ok
20:35:24.0031 4688  [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
20:35:24.0031 4688  wuauserv - ok
20:35:24.0046 4688  [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf          C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:35:24.0062 4688  WudfPf - ok
20:35:24.0093 4688  [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd          C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:35:24.0093 4688  WudfRd - ok
20:35:24.0109 4688  [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc         C:\WINDOWS\System32\WUDFSvc.dll
20:35:24.0109 4688  WudfSvc - ok
20:35:24.0140 4688  [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
20:35:24.0140 4688  WZCSVC - ok
20:35:24.0187 4688  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
20:35:24.0187 4688  xmlprov - ok
20:35:24.0203 4688  ================ Scan global ===============================
20:35:24.0250 4688  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
20:35:24.0281 4688  [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
20:35:24.0296 4688  [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
20:35:24.0296 4688  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
20:35:24.0312 4688  [Global] - ok
20:35:24.0312 4688  ================ Scan MBR ==================================
20:35:24.0328 4688  [ 5C616939100B85E558DA92B899A0FC36 ] \Device\Harddisk0\DR0
20:35:24.0562 4688  \Device\Harddisk0\DR0 - ok
20:35:24.0562 4688  ================ Scan VBR ==================================
20:35:24.0562 4688  [ D3B0AD59BBCB3F34EA41601089F1F176 ] \Device\Harddisk0\DR0\Partition1
20:35:24.0578 4688  \Device\Harddisk0\DR0\Partition1 - ok
20:35:24.0578 4688  ============================================================
20:35:24.0578 4688  Scan finished
20:35:24.0578 4688  ============================================================
20:35:24.0578 6512  Detected object count: 0
20:35:24.0578 6512  Actual detected object count: 0
20:41:12.0328 3900  Deinitialize success



---------------------------------------

MS Defrag report:

Volume OS (C:)
    Volume size                                = 466 GB
    Cluster size                               = 4 KB
    Used space                                 = 203 GB
    Free space                                 = 262 GB
    Percent free space                         = 56 %

Volume fragmentation
    Total fragmentation                        = 26 %
    File fragmentation                         = 53 %
    Free space fragmentation                   = 0 %

File fragmentation
    Total files                                = 392,876
    Average file size                          = 739 KB
    Total fragmented files                     = 3,279
    Total excess fragments                     = 281,872
    Average fragments per file                 = 1.71

Pagefile fragmentation
    Pagefile size                &nb<

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 17, 2012, 07:32:56 PM

Something is blocking those infections from being deleted by ESET.
Please do this even if you don't have the OS disk.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
•Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
*Let this run undisturbed until the window with the blue  progress bar goes away
SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
Please let me know what happens.

Save these instructions so you can have access to them while in Safe Mode.

Please click here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to download AVP Tool by Kaspersky.

• Save it to your desktop.
• Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  
• Double click the setup file to run it.
• Click Next to continue.
• Accept the License agreement and click on next.
• It will, by default, install it to your desktop folder. Click Next.
• It will then open a box There will be a tab that says Automatic scan.
• Under Automatic scan make sure these are checked.
• Hidden Startup Objects
  
• System Memory
  
• Disk Boot Sectors.
  
• My Computer.
  
• Also any other drives (Removable that you may have)
  

Leave the rest of the settings as they appear as default.
•Then click on Scan at the to right hand Corner.
•It will automatically Neutralize any objects found.
•If some objects are left un-neutralized then click the button that says Neutralize all
•If it says it cannot be neutralized then choose the delete option when prompted.
•After that is done click on the reports button at the bottom and save it to file name it Kas.
•Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 18, 2012, 09:35:13 AM

This morning after starting computer I again got a message box saying, “jusched.exe has encountered a problem and needs to close.  We are sorry for the inconvenience.”.

I do have the XP CD so I placed it in the drive and ran SFC as instructed.  All I saw was a progress bar entitled “Windows File Protection”, which steadily ran to completion with no apparent incident.  Would it have told me if it had detected a discrepancy?

Installed and ran the Kaspersky AVP Tool.  Under the Automatic scan tab there were no checkboxes immediately apparent.  I had to click a gear wheel icon that then allowed access to settings under the categories “Scan scope”, “Security level” and “Action”.  The checkboxes you listed were under Scan scope.

A few times while running, the tool popped up a message saying a particular file is password protected.  The message did not ask, or wait, for me to respond but it did have “More details”, which I didn’t click (the message disappears quickly).

On completion, the tool said, “no threats detected”.  It confused me a bit when saving the report as it popped up a modal dialog entitled simply “Save” with no explanatory text, a blank uneditable text field and an unclickable OK button.  After a delay it vanished.

Shortly after rebooting into normal XP I again got the “jusched.exe crashed” message box.  I looked in the saved report and found no list of detected threats.  I’ve copy/pasted the first few lines from the start of the report here.

Automatic Scan: completed 8 minutes ago   (events: 1781794, objects: 1758971, time: 02:17:36)   
18/11/2012 15:57:41   Task completed         
18/11/2012 15:57:41   OK   C:\Workarea\ihs\Zstuff\slog\_messing_about\WindowsFormsApplication1\WindowsFormsApplication1\Web References\refwsfma\.svn\text-base\wsfma.wsdl.svn-base      
18/11/2012 15:57:41   OK   C:\Workarea\ihs\Zstuff\slog\_messing_about\WindowsFormsApplication1\WindowsFormsApplication1\Web References\refwsfma\.svn\text-base\wsfma.disco.svn-base      
18/11/2012 15:57:41   OK   C:\Workarea\ihs\Zstuff\slog\_messing_about\WindowsFormsApplication1\WindowsFormsApplication1\Web References\refwsfma\.svn\text-base\Reference.map.svn-base      
18/11/2012 15:57:41   OK   C:\Workarea\ihs\Zstuff\slog\_messing_about\WindowsFormsApplication1\WindowsFormsApplication1\Web References\refwsfma\.svn\text-base\Reference.cs.svn-base      
18/11/2012 15:57:41   OK   C:\Workarea\ihs\Zstuff\slog\_messing_about\WindowsFormsApplication1\WindowsFormsApplication1\Web References\refwsfma\.svn\text-base\FmaInput.datasource.svn-base      


ps.  I’ve just noticed that AVG was showing me I’m not fully protected – “Identity Protection” disabled.  I clicked its “Fix” button and now it is showing that I am protected (with “All security features are working correctly and are up to date”) but has popped up a message saying, “Could not finish automatic state repair.  We weren’t able to fix one or more components”.  Bit contradictory, eh?

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 18, 2012, 12:08:56 PM

Could you please run the ESET scan again and see what comes up?

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 19, 2012, 07:51:11 AM

This time ESET scan found one threat.  Should we be expecting more?

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP159\A0048884.EXE   a variant of Win32/Kryptik.AFAX trojan   cleaned by deleting - quarantined

Ps. Windows Search is still not displaying properly (crunched up search form) as shown in previous post.

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 19, 2012, 12:54:47 PM

Quote

Ps. Windows Search is still not displaying properly (crunched up search form) as shown in previous post.

Is that your only problem now? Could you send me a screenprint?

How to post screenshots or images (http://www.computerhope.com/forum/index.php/topic,61232.0.html)

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 19, 2012, 02:10:57 PM

Apart from the Windows Search problem, I’m not currently noticing any remaining malbehavior.  Here are two screen images showing the scrunched up search form.

Start > Search > For Files or Folders...
(http://imageshack.us/a/img837/3930/windowssearch.th.png)

Windows Explorer > Search
(http://imageshack.us/a/img24/2093/csearch.th.png)

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 19, 2012, 06:38:15 PM

Ok. I can't make out those pictures but I would suggest that you create a new thread in this forum (http://www.computerhope.com/forum/index.php/board,50.0.html) and see if someone can help you with that problem.
Let's do some cleanup.

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall
  

(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  

***********************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

(http://i424.photobucket.com/albums/pp322/digistar/diskcleanup2.jpg)

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

(http://i424.photobucket.com/albums/pp322/digistar/diskcleanup.jpg)

This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
************************************************
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web  (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 20, 2012, 07:01:09 AM

While Combofix.was uninstalling it popped up a message box saying, “There’s a newer version of ComboFix available.  Would you like to update ComboFix”.  I clicked “No”.  Later it sounded an alarm and popped the message shown here.

(http://img801.imageshack.us/img801/4430/combofixwarning.png)

I clicked “OK” and then it popped up another message as shown here.

(http://img836.imageshack.us/img836/9712/12852411.png)

Again I clicked “OK” and then it ran to completion.

I’m having trouble with the Windows updates.  I have “Automatic Updates” turned on and at every shut down, there are five Windows updates that take ages attempting to install but fail.  They are listed here.

(http://img546.imageshack.us/img546/3096/myupdates.png)

Looking back through the updates history I see this has been happening from 16th November.

I realise these remaining problems may have nothing to do with lingering virus/malware so I will try to resolve them outside this thread.  Dave, please accept a big thank you from me for helping me through this.  It is much appreciated.

Keith

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 20, 2012, 12:25:33 PM

It reads " If an update failed to install, click the Failed icon to learn how to solve the problem. Did you do that?

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 20, 2012, 02:06:09 PM

Yes, I did that for the update that fails but I’m not too concerned about a security update for the ancient .NET Framework 1.1, SP1.  I’m more worried by the other 4 (of the batch of 5) because they have green ticks next to them and yet keep reinstalling at every machine shutdown.  I don’t feel confident they have installed properly?  Maybe I need to try manually installing them.  Maybe I’ll end up reinstalling .NET 4.

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 20, 2012, 04:22:05 PM

I really don't understand why they keep installing. Have you tried contacting MS?

Title: Re: Malware infection following a moment of madness
Post by: whathim on November 21, 2012, 09:41:36 AM

Just for the record, and hopefully to help someone if they have similar problems:

I fixed the persistent Windows updates issue described above as follows.

I downloaded and run the .NET Framework Repair Tool, http://www.microsoft.com/en-us/download/details.aspx?id=30135 (this is actually Version 2, I believe).  The tool runs in stages and I had to do stage two, where it repairs .NET Framework (back to 2.0) before I got an improvement.  This fixed 4 of the five updates.  The remaining update is for .NET 1.1, so it makes sense the tool could not fix this.  For this update I simple blocked it from Windows Updater.

I also fixed the jusched.exe crashing problem.  I elected to send an error report, which sent me to a diagnostics page, which the sent me on to a new Java version page.  Installing this new version seems to have fixed it.

Keith

Title: Re: Malware infection following a moment of madness
Post by: SuperDave on November 21, 2012, 01:27:56 PM

Good news.  ;D