TechSpot

Alureon infection, BSODs on scans, AVG cannot detect

By sweeneytodd94
Feb 12, 2011
  1. Hi,

    Windows Action Center has reported that I have the Alureon virus, and since it did, I've been getting BSODs left, right and centre! I have run AVG 2011 scans, which don't pick up much, and a load of other anti-malware software, all with no success in detecting or removing Alureon. Attempting to run AVG Rootkit Scan causes an immediate BSOD.

    Please find my logs below, I've also attached the AVG normal scan log and the HijackThis log.

    Many thanks in advance for your help.
     


  2. sweeneytodd94


    Logs

    MBAM found nothing.

    DDS:


    DDS (Ver_10-12-12.02) - NTFS_AMD64
    Run by Mark at 13:15:26.09 on 12/02/2011
    Internet Explorer: 9.0.7930.16406
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.6135.4356 [GMT 0:00]

    AV: Emsisoft Anti-Malware *Disabled/Updated* {607A6E45-BE50-AFD5-4F70-7EAAEC5B715D}
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Emsisoft Anti-Malware *Disabled/Updated* {DB1B8FA1-986A-A05B-75C0-45D897DC3BE0}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

    ============== Running Processes ===============

    C:\PROGRA~2\AVG\AVG10\avgchsva.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG10\avgfws.exe
    C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\AVG\AVG10\avgam.exe
    C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgemca.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
    C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\CyberLink\InstantBurn\Win2K\IBurn.exe
    C:\Windows\SysWOW64\Ctxfihlp.exe
    C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files (x86)\CyberLink\Shared files\brs.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\CTXFISPI.EXE
    C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\DllHost.exe
    C:\Windows\explorer.exe
    C:\PROGRA~2\AVG\AVG10\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
    C:\Program Files (x86)\AVG\AVG10\avgui.exe
    C:\Program Files (x86)\AVG\AVG10\avgcfgex.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Mark\Downloads\dds.scr
    C:\Windows\system32\conhost.exe

    ============== Pseudo HJT Report ===============

    uStart Page = about:Tabs
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [Google Update] "C:\Users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    mRun: [UpdatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"
    mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"
    mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [Name of App] C:\Program Files (x86)\SAMSUNG\FW LiveUpdate\FWManager.exe r
    mRun: [MDS_Menu] "C:\Program Files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\MediaShow4" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [InstantBurn] C:\PROGRA~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
    mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    StartupFolder: C:\Users\Mark\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    uPolicies-explorer: DisableThumbnailsOnNetworkFolders = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15114/CTPID.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    mRun-x64: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
    mRun-x64: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]
    R0 mv91cons;Marvell 91xx Config Device Driver;C:\Windows\System32\drivers\mv91cons.sys [2009-10-27 22568]
    R0 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2009-12-25 297512]
    R0 RapportKE64;RapportKE64;C:\Windows\System32\drivers\RapportKE64.sys [2011-1-17 62448]
    R1 a2injectiondriver;a2injectiondriver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2011-2-10 48216]
    R1 a2util;a-squared Malware-IDS utility driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [2011-2-10 14720]
    R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2010-7-12 57696]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-12-8 308304]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-12 382032]
    R1 CLBStor;InstantBurn Storage Helper Driver;C:\Windows\System32\drivers\CLBStor.sys [2010-9-7 24560]
    R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-1-5 50672]
    R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-1-5 58864]
    R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/10/29 18:15:36];C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [2009-8-28 146928]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2011-2-10 2853904]
    R2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG10\avgfws.exe [2010-11-22 3226632]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-1-6 6128720]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]
    R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;C:\Windows\System32\drivers\CLBUDF.sys [2010-9-7 371696]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-1-7 378984]
    R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
    R3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2011-2-10 84752]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-19 157264]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-19 35920]
    R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2010-5-5 202840]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2010-5-5 1417304]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2010-5-5 94808]
    R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-1-22 77824]
    R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-1-22 180224]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2011-2-9 155752]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-10-9 79360]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-10-9 79360]
    S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2010-5-5 202840]
    S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2010-5-5 1417304]
    S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2010-5-5 94808]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-7 1255736]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
    S4 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-1-5 821048]

    =============== Created Last 30 ================

    2011-02-10 23:37:36 18816 ------w- C:\Windows\SysWow64\SAVRKBootTasks.sys
    2011-02-10 23:31:49 7844688 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{B7D062D9-1C6A-4E38-AD69-5A49B387AA8C}\mpengine.dll
    2011-02-10 18:14:53 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware
    2011-02-09 21:30:57 -------- d-----w- C:\Users\Mark\.dia
    2011-02-09 21:30:49 -------- d-----w- C:\Program Files (x86)\Dia
    2011-02-09 13:11:31 -------- d-----w- C:\NVIDIA
    2011-02-09 11:37:05 2381824 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-02-09 11:37:05 2381824 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-02-09 11:37:05 1502208 ----a-w- C:\Windows\System32\inetcpl.cpl
    2011-02-09 11:37:05 1448448 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2011-01-31 19:57:36 -------- d-----w- C:\Program Files\iTunes
    2011-01-31 19:57:36 -------- d-----w- C:\Program Files\iPod
    2011-01-31 19:57:36 -------- d-----w- C:\Program Files (x86)\iTunes
    2011-01-30 18:45:42 -------- d-----w- C:\Users\Mark\AppData\Roaming\TS3Client
    2011-01-30 18:44:26 -------- d-----w- C:\Program Files\TeamSpeak 3 Client
    2011-01-30 14:57:00 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2011-01-26 18:27:43 -------- d-----w- C:\Program Files (x86)\Egosoft
    2011-01-26 13:43:26 540688 ----a-w- C:\Windows\System32\d3dx10_39.dll
    2011-01-26 13:43:26 4992520 ----a-w- C:\Windows\System32\D3DX9_39.dll
    2011-01-26 13:43:26 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
    2011-01-26 13:43:26 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
    2011-01-26 13:43:26 1942552 ----a-w- C:\Windows\System32\D3DCompiler_39.dll
    2011-01-26 13:43:26 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
    2011-01-17 13:14:59 -------- d-----w- C:\Users\Mark\AppData\Roaming\HTC
    2011-01-17 13:14:18 -------- d-----w- C:\Program Files (x86)\HTC
    2011-01-17 13:14:13 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
    2011-01-17 11:23:32 62448 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys
    2011-01-17 11:23:30 -------- d-----w- C:\Users\Mark\AppData\Roaming\Trusteer
    2011-01-17 11:23:28 -------- d-----w- C:\Program Files (x86)\Trusteer
    2011-01-17 11:22:42 -------- d-----w- C:\PROGRA~3\Trusteer

    ==================== Find3M ====================

    2011-02-08 23:24:21 270904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2011-02-08 23:24:21 270904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2011-02-08 23:19:36 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
    2011-02-02 17:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
    2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
    2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
    2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
    2011-01-07 20:50:14 795752 ----a-w- C:\Windows\System32\easyUpdatusAPIU64.dll
    2011-01-07 20:50:08 6143080 ----a-w- C:\Windows\System32\nvcpl.dll
    2011-01-07 20:49:50 3156072 ----a-w- C:\Windows\System32\nvsvc64.dll
    2011-01-07 20:49:28 117864 ----a-w- C:\Windows\System32\nvmctray.dll
    2011-01-07 20:49:26 2558568 ----a-w- C:\Windows\System32\nvsvcr.dll
    2011-01-07 20:49:26 1005160 ----a-w- C:\Windows\System32\nvvsvc.exe
    2011-01-07 08:06:50 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2011-01-07 07:27:11 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2011-01-07 05:49:20 366080 ----a-w- C:\Windows\System32\atmfd.dll
    2011-01-07 05:33:11 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2011-01-05 11:31:30 709456 ----a-w- C:\Windows\is-7EQCH.exe
    2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys
    2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll
    2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll
    2010-12-21 06:16:16 214016 ----a-w- C:\Windows\System32\winsrv.dll
    2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll
    2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll
    2010-12-21 06:15:55 264192 ----a-w- C:\Windows\System32\upnp.dll
    2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll
    2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll
    2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll
    2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll
    2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll
    2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll
    2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll
    2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll
    2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll
    2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
    2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
    2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll
    2010-12-20 18:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2010-12-19 18:12:00 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
    2010-12-18 06:11:34 714752 ----a-w- C:\Windows\System32\kerberos.dll
    2010-12-18 05:29:31 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
    2010-12-08 04:12:36 308304 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
    2010-12-02 09:12:08 1359976 ----a-w- C:\Windows\System32\nvgenco64hda.dll
    2010-11-29 17:38:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2010-11-29 17:38:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2010-11-23 16:06:19 834544 ----a-w- C:\Windows\System32\drivers\sptd.sys

    ============= FINISH: 13:15:46.79 ===============
     
  3. sweeneytodd94


    Logs

    DDS Attach:

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 07/09/2010 17:14:40
    System Uptime: 12/02/2011 13:01:36 (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P6X58D-E
    Processor: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz | LGA1366 | 2667/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 119 GiB total, 22.643 GiB free.
    D: is CDROM (UDF)
    E: is FIXED (NTFS) - 932 GiB total, 214.665 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
    Device ID: PCI\VEN_11AB&DEV_4364&SUBSYS_81F81043&REV_12\4&18ABAD59&0&00E2
    Manufacturer: Marvell
    Name: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
    PNP Device ID: PCI\VEN_11AB&DEV_4364&SUBSYS_81F81043&REV_12\4&18ABAD59&0&00E2
    Service: yukonw7

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    PNP Device ID: ROOT\NET\0000
    Service: vpnva

    ==== System Restore Points ===================

    RP140: 26/01/2011 13:42:14 - Installed DirectX
    RP141: 26/01/2011 13:43:10 - Installed DirectX
    RP142: 07/02/2011 20:47:49 - Installed DirectX
    RP143: 09/02/2011 11:36:59 - Windows Update
    RP144: 10/02/2011 23:31:44 - Windows Update
    RP145: 10/02/2011 23:48:50 - Removed Feedback Tool

    ==== Installed Programs ======================

    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.2
    Anno 1404
    Apple Application Support
    Apple Software Update
    Assassin's Creed
    Assassin's Creed II
    Audacity 1.3.12 (Unicode)
    Audiosurf
    AVG PC Tuneup 2011
    Batman: Arkham Asylum Game of the Year Edition
    Battlefield: Bad Company™ 2
    Cisco AnyConnect VPN Client
    Command & Conquer 3
    Creative ALchemy
    Creative Audio Control Panel
    Creative Software AutoUpdate
    Creative Sound Blaster Properties x64 Edition
    Crysis(R)
    Crystal Reports for Visual Studio
    CyberLink Blu-ray Disc Suite
    CyberLink InstantBurn
    CyberLink LabelPrint
    CyberLink MediaShow
    CyberLink Power2Go
    CyberLink PowerDVD 8
    CyberLink PowerProducer
    D3DX10
    DARK VOID
    Definition update for Microsoft Office 2010 (KB982726)
    Dia (remove only)
    EA Download Manager
    EA Download Manager UI
    Emsisoft Anti-Malware 5.1
    eReg
    Feedback Tool
    FW LiveUpdate
    Google Update Helper
    GPL Ghostscript Lite 8.70
    Hearts of Iron III
    HTC BMP USB Driver
    Impulse
    IronPython 2.7
    Java Auto Updater
    Java(TM) 6 Update 23
    King Arthur - The Role-playing Wargame
    LightScribe System Software
    Malwarebytes' Anti-Malware
    marvell 91xx driver
    Marvell Miniport Driver
    Medieval II Total War
    Medieval II Total War : Kingdoms : Americas
    Medieval II Total War : Kingdoms : Britannia
    Medieval II Total War : Kingdoms : Crusades
    Medieval II Total War : Kingdoms : Teutonic
    Method Workshop
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft ASP.NET MVC 2
    Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
    Microsoft Silverlight
    Microsoft Silverlight 3 SDK
    Microsoft SQL Server 2008 R2 Data-Tier Application Framework
    Microsoft SQL Server 2008 R2 Data-Tier Application Project
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 R2 Transact-SQL Language Service
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server Database Publishing Wizard 1.4
    Microsoft SQL Server System CLR Types
    Microsoft Sync Framework SDK v1.0 SP1
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
    Microsoft Visual F# 2.0 Runtime
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Visual Studio 2010 Professional - ENU
    Microsoft Visual Studio Macro Tools
    Microsoft XNA Framework Redistributable 3.1
    Microsoft XNA Framework Redistributable 4.0
    Microsoft XNA Game Studio 4.0
    Microsoft XNA Game Studio 4.0 (ARP entry)
    Microsoft XNA Game Studio 4.0 (Redists)
    Microsoft XNA Game Studio 4.0 (Shared Components)
    Microsoft XNA Game Studio 4.0 (Visual Studio)
    Microsoft XNA Game Studio 4.0 (XnaLiveProxy)
    Microsoft XNA Game Studio 4.0 Documentation
    Microsoft XNA Game Studio Platform Tools
    Mirror's Edge™
    MSI Afterburner 2.0.0
    MSVCRT
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB973685)
    NEC Electronics USB 3.0 Host Controller Driver
    NVIDIA PhysX
    NVIDIA PhysX Unreal Tournament 3 Mods
    NVIDIA Stereoscopic 3D Driver
    OpenAL
    PC Probe II
    Portal
    PunkBuster Services
    QuickTime
    R.U.S.E
    Rapport
    redist
    Rhythm Zone - Demo
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft Office 2010 (KB2289078)
    Security Update for Microsoft Office 2010 (KB2289161)
    Security Update for Microsoft Publisher 2010 (KB2409055)
    Security Update for Microsoft Word 2010 (KB2345000)
    Semper Fi 2.03
    Sibelius 6.2.0.88
    Sibelius Scorch (all browsers)
    Sibelius Sounds Essentials for Sibelius 6
    Sins of a Solar Empire - Trinity
    Sophos Anti-Rootkit 1.5.0
    SpeechRedist
    Steam
    System Requirements Lab
    The Polynomial - Demo
    The Witcher: Enhanced Edition
    Third Age - Total War 2.0 (Part1of2)
    Third Age - Total War 2.0 (Part2of2)
    Ubisoft Game Launcher
    Unigine Heaven Benchmark v2.1
    Unreal Tournament 2004
    Unreal Tournament 3
    Unreal Tournament 3 - Community Bonus Pack 3 - Volume 2
    Unreal Tournament 3 - Community Bonus Pack 3 - Volume 3
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft Office 2010 (KB2413186)
    Update for Microsoft OneNote 2010 (KB2433299)
    Update for Microsoft Outlook Social Connector (KB2289116)
    Update for Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (KB982305)
    UT3 Domination (CBP Edition)
    Visual C++ 8.0 Runtime Setup Package (x64)
    Visual Studio 2008 x64 Redistributables
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    VLC media player 1.1.5
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    X3 Bonus Package 3.1.04
    X3 Reunion
    X3: Terran Conflict

    ==== Event Viewer Messages From Past Week ========

    12/02/2011 13:04:01, Error: Microsoft-Windows-WMPNSS-Service [14319] - Service 'WMPNetworkSvc' did not start because Group Policy is preventing Windows Media Player from sharing media with other devices.
    12/02/2011 13:01:54, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SAVRKBootTasks
    12/02/2011 12:42:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    12/02/2011 12:31:45, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    12/02/2011 12:31:45, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    12/02/2011 12:31:44, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    12/02/2011 12:31:44, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    12/02/2011 12:31:43, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/02/2011 12:31:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    12/02/2011 12:31:34, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: a2injectiondriver AsIO Avgldx64 Avgmfx64 discache SAVRKBootTasks spldr Wanarpv6
    12/02/2011 12:31:34, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80002e82664, 0x0000000000000000, 0x0000000000000008). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021211-5054-01.
    12/02/2011 12:31:33, Error: Service Control Manager [7001] - The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error: The dependency service or group failed to start.
    12/02/2011 12:29:23, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80002e82664, 0x0000000000000000, 0x0000000000000008). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021211-9235-01.
    12/02/2011 12:14:53, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    12/02/2011 12:14:53, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error: An instance of the service is already running.
    12/02/2011 12:14:53, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the IKE and AuthIP IPsec Keying Modules service, but this action failed with the following error: An instance of the service is already running.
    12/02/2011 12:14:53, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Computer Browser service, but this action failed with the following error: An instance of the service is already running.
    12/02/2011 12:13:53, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error: An instance of the service is already running.
    12/02/2011 12:12:53, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/02/2011 12:12:53, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/02/2011 12:09:37, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x000000020a000000, 0x0000000000000002, 0x0000000000000001, 0xfffff80002e16330). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021211-9204-01.
    10/02/2011 23:36:58, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
    10/02/2011 23:36:58, Error: Application Popup [1060] - \??\C:\Windows\system32\3B81.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    10/02/2011 23:34:10, Error: Application Popup [1060] - \??\C:\Windows\system32\8D85.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    10/02/2011 17:50:21, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80002ead7e7, 0x0000000000000000, 0x000007fffffa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021011-9188-01.
    10/02/2011 17:32:38, Error: nvlddmkm [14] -
    09/02/2011 16:34:20, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Internal Timer Error Processor ID: 0 The details view of this entry contains further information.
    09/02/2011 16:34:16, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000124 (0x0000000000000000, 0xfffffa8006f8d8f8, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\Minidump\020911-9313-01.dmp. Report Id: 020911-9313-01.

    ==== End Of File ===========================
     
  4. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Logs

    GMER:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-12 13:15:17
    Windows 6.1.7600
    Running: 48b1k0ec.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE2 0x31 0x28 0x1D ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x52 0x34 0x97 0x55 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC9 0x92 0x6C 0x4C ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE2 0x31 0x28 0x1D ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x52 0x34 0x97 0x55 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC9 0x92 0x6C 0x4C ...

    ---- EOF - GMER 1.0.15 ----
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot!
    I'll help with the problem- when I find it! Your scans will take a while, as will my checking of your logs; it appears that you have everything on your system running in the background!!

    An FYI for you: Some security programs will report out malware that is no longer active in the system- such as if malware is in a System Restore point. Then it becomes difficult to find if any malware is currently active.

    It appears that you may have some overlapping security programs, so please run this: Security Check

    Download Security Check by screen317 from HERE or HERE.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ====================================
    Then Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I will determine the next step after I see those logs.
     
  6. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Logs

    Hi Bobbye--thanks for your help!
    I normally just have AVG and MBAM, but have been trying a few other things to try and sort this.

    Security Check log:

    Results of screen317's Security Check version 0.99.8
    Windows 7 (UAC is enabled)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    AVG PC Tuneup 2011
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    AVG PC Tuneup 2011
    Java(TM) 6 Update 23
    Adobe Flash Player 10.1.102.64
    Adobe Reader 9.4.2
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    Emsisoft Anti-Malware a2service.exe
    ``````````End of Log````````````



    The Eset scanner reported no threats, and the log (in C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt) only had this:


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
     
  7. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Logs

    Hi, I got impatient and successfully ran the AVG root-kit scan this morning. That's the first time it hasn't thrown a STOP error instantly. I decided not to remove any of the infections yet, and see if the log would help though (See below).

    Also, the original Windows Action Center message about Alureon has gone completely, and there is nothing in archived messages. I did not do anything to 'okay it' or remove it. Not sure whether this is good or bad, clearly if there is something still there it is hiding fairly well!

    Wondering whether to update Adobe Reader (noticed in previous thread) and disable and/or remove the Emsisoft Anti-Malware/A2 Anti-virus program... but trying to resist the urge and hold off until I get further instructions from you!


    "Scan ""Anti-Rootkit scan"" completed."
    "Rootkits";"28";"0";"28"
    ""
    "Scan started:";"13 February 2011, 12:55:42"
    "Scan finished:";"13 February 2011, 12:57:59 (2 minute(s) 16 second(s))"
    "Total object scanned:";"419034"
    "User who launched the scan:";"SYSTEM"

    "Rootkits"
    "";"File";"Infection";"Result"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_CREATE -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_CREATE_NAMED_PIPE -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_CLOSE -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_READ -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_WRITE -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_QUERY_INFORMATION -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_SET_INFORMATION -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_QUERY_EA -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_SET_EA -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_FLUSH_BUFFERS -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_QUERY_VOLUME_INFORMATION -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_SET_VOLUME_INFORMATION -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_DIRECTORY_CONTROL -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_FILE_SYSTEM_CONTROL -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_DEVICE_CONTROL -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_SHUTDOWN -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_LOCK_CONTROL -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_CLEANUP -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_CREATE_MAILSLOT -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_QUERY_SECURITY -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_SET_SECURITY -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_POWER -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_SYSTEM_CONTROL -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_DEVICE_CHANGE -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_QUERY_QUOTA -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_SET_QUOTA -> 0xFFFFFA8005DA18DD";"Object is hidden"
    "";"<unknown>";"IRP hook, \Driver\mv91xx IRP_MJ_PNP -> 0xFFFFFA8005DA18DD";"Object is hidden"
     
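Log triage as an added example, not code from the thread, from AVG or from any of the tools named above: it parses the report layout posted in this reply (every field double-quoted, fields separated by `;`, embedded quotes doubled), groups the IRP hook rows by driver, and flags the pattern visible in this log, where all 28 IRP_MJ_* dispatch entries of \Driver\mv91xx point at one address that the scanner could not attribute to a file (`<unknown>`). The sample report is constructed to mirror the posted rows; the regular expression for the Infection field and the severity labels are my assumptions, not AVG's.

```python
"""Triage of an AVG 2011 Anti-Rootkit report: parse the quoted, semicolon-separated
rows and group the reported IRP hooks by driver, flagging a fully redirected
dispatch table such as the one posted above for \\Driver\\mv91xx."""
import csv
import re
from collections import defaultdict

# The 28 IRP major function codes (0x00 .. IRP_MJ_MAXIMUM_FUNCTION = 0x1B), in
# dispatch-table order; a driver's MajorFunction[] has exactly one slot for each.
IRP_MJ = ("CREATE CREATE_NAMED_PIPE CLOSE READ WRITE QUERY_INFORMATION SET_INFORMATION "
          "QUERY_EA SET_EA FLUSH_BUFFERS QUERY_VOLUME_INFORMATION SET_VOLUME_INFORMATION "
          "DIRECTORY_CONTROL FILE_SYSTEM_CONTROL DEVICE_CONTROL INTERNAL_DEVICE_CONTROL "
          "SHUTDOWN LOCK_CONTROL CLEANUP CREATE_MAILSLOT QUERY_SECURITY SET_SECURITY "
          "POWER SYSTEM_CONTROL DEVICE_CHANGE QUERY_QUOTA SET_QUOTA PNP").split()
DISPATCH_SIZE = len(IRP_MJ)  # 28

# Assumed shape of the Infection field, e.g.
# "IRP hook, \Driver\mv91xx IRP_MJ_CREATE -> 0xFFFFFA8005DA18DD"
HOOK_RE = re.compile(r"^IRP hook, (\\Driver\\\S+) (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$")


def build_sample_report(driver="\\Driver\\mv91xx", target="0xFFFFFA8005DA18DD"):
    """Constructed sample in the layout AVG 2011 uses (header, counts, then one
    '"";"File";"Infection";"Result"' row per finding); values mirror the posted log."""
    lines = ['"Scan ""Anti-Rootkit scan"" completed."',
             f'"Rootkits";"{DISPATCH_SIZE}";"0";"{DISPATCH_SIZE}"',
             '""',
             '"Scan started:";"13 February 2011, 12:55:42"',
             '"User who launched the scan:";"SYSTEM"',
             '',
             '"Rootkits"',
             '"";"File";"Infection";"Result"']
    for mj in IRP_MJ:
        lines.append(f'"";"<unknown>";"IRP hook, {driver} IRP_MJ_{mj} -> {target}";"Object is hidden"')
    return "\n".join(lines) + "\n"


def parse_report(text):
    """Return (declared_count, detections). AVG quotes every field, separates them
    with ';' and doubles embedded quotes, which the csv module handles natively.
    Findings are the 4-field rows with an empty first field (minus the header row)."""
    declared = None
    detections = []
    for row in csv.reader(text.splitlines(), delimiter=";", quotechar='"'):
        if len(row) != 4:
            continue
        if row[0] == "Rootkits" and row[1].isdigit():   # "Rootkits";"28";"0";"28"
            declared = int(row[1])
        elif row[0] == "" and row[1] != "File":
            detections.append({"file": row[1], "infection": row[2], "result": row[3]})
    return declared, detections


def summarize_irp_hooks(detections):
    """Group IRP-hook findings per driver: hooked major functions, distinct hook
    targets (normalised to 0x + upper-case hex), and how many were reported hidden."""
    by_driver = defaultdict(lambda: {"functions": set(), "targets": set(), "hidden": 0})
    for d in detections:
        m = HOOK_RE.match(d["infection"])
        if not m:
            continue                      # not an IRP hook row; other findings ignored here
        driver, mj, target = m.groups()
        entry = by_driver[driver]
        entry["functions"].add(mj)
        entry["targets"].add("0x" + target[2:].upper())
        if d["result"] == "Object is hidden":
            entry["hidden"] += 1
    return dict(by_driver)


def assess(summary):
    """Rate each hooked driver. Every dispatch slot funnelled to a single address that
    the scanner cannot attribute to a file is the pattern in the thread and is rated
    'high'; anything less complete still deserves a look and is rated 'review'."""
    findings = []
    for driver, s in sorted(summary.items()):
        full_table = s["functions"] == set(f"IRP_MJ_{mj}" for mj in IRP_MJ)
        if full_table and len(s["targets"]) == 1:
            severity = "high"
            reason = (f"all {DISPATCH_SIZE} IRP_MJ_* entries -> {next(iter(s['targets']))}, "
                      f"{s['hidden']} reported hidden")
        else:
            severity = "review"
            reason = f"{len(s['functions'])} entries hooked, {len(s['targets'])} distinct target(s)"
        findings.append({"driver": driver, "severity": severity, "reason": reason})
    return findings


def triage(text):
    """Parse, cross-check the declared count against the rows actually present,
    and return the per-driver assessment."""
    declared, detections = parse_report(text)
    return {"declared": declared,
            "parsed": len(detections),
            "count_matches": declared == len(detections),
            "findings": assess(summarize_irp_hooks(detections))}


if __name__ == "__main__":
    result = triage(build_sample_report())
    print(f"declared={result['declared']} parsed={result['parsed']} consistent={result['count_matches']}")
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['driver']}: {f['reason']}")
```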
  8. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Logs

    The normal AVG scan picked up a few tracking cookies (nothing too unusual as far as I understand), I allowed it to heal/remove them. Log:


    "Scan ""Scan specific files or folders"" completed."
    "Warnings";"207";"207";"0"
    "Information";"2"
    "Folders selected for scanning:";"C:\;C:\Program Files;C:\Program Files (x86);C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files;C:\Users\Mark\AppData\Local\Temp;C:\Users\Mark\Documents;C:\Windows;C:\Windows\SysWOW64;C:\Windows\System32;"
    "Scan started:";"13 February 2011, 13:02:47"
    "Scan finished:";"13 February 2011, 13:09:40 (6 minute(s) 53 second(s))"
    "Total object scanned:";"1839185"
    "User who launched the scan:";"Mark"

    "Warnings"
    "";"File";"Infection";"Result"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@247realmedia[2].txt";"Found Tracking cookie.247realmedia";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@247realmedia[2].txt:\247realmedia.com.125a868c";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@247realmedia[2].txt:\247realmedia.com.6b039dbe";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@247realmedia[2].txt:\247realmedia.com.855b46d";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@247realmedia[2].txt:\247realmedia.com.e14be39e";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@247realmedia[2].txt:\247realmedia.com.fb81a031";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@2o7[2].txt";"Found Tracking cookie.2o7";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@2o7[2].txt:\2o7.net.c7b585e6";"Found Tracking cookie.2o7";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@7search[2].txt";"Found Tracking cookie.7search";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@7search[2].txt:\7search.com.5bc4302d";"Found Tracking cookie.7search";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@7search[2].txt:\7search.com.f2cc2494";"Found Tracking cookie.7search";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adbrite[1].txt";"Found Tracking cookie.Adbrite";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adbrite[1].txt:\adbrite.com.44f92a69";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adbrite[1].txt:\adbrite.com.71beeff9";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adbrite[1].txt:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adbrite[1].txt:\adbrite.com.f796fd05";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt";"Found Tracking cookie.Adtech";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.2a854701";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.4cb5048b";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.5180539e";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.53b93bb1";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.91568bb6";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.9cbd4eca";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.9d5db0f5";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.a5279f16";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.a9245469";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.afa56ad1";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.ce2ad846";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.d32f3c9e";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.dd5bb7e";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.e2531618";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.ef259a5e";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adtech[2].txt:\adtech.de.fa8d0d40";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@advertising[1].txt";"Found Tracking cookie.Advertising";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@advertising[1].txt:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@advertising[1].txt:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@advertising[1].txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@advertising[1].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@advertising[1].txt:\advertising.com.893d35c2";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@advertising[1].txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@advertising[1].txt:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adviva[1].txt";"Found Tracking cookie.Adviva";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adviva[1].txt:\adviva.net.39ec90c";"Found Tracking cookie.Adviva";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@adviva[1].txt:\adviva.net.85256b16";"Found Tracking cookie.Adviva";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@atdmt[1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@atdmt[1].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@atdmt[1].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@bs.serving-sys[2].txt";"Found Tracking cookie.Serving-sys";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@bs.serving-sys[2].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt";"Found Tracking cookie.Casalemedia";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.156cbc67";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.3a28db8d";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.650648e8";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.8c65eddd";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@casalemedia[2].txt:\casalemedia.com.e1f88397";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@fastclick[1].txt";"Found Tracking cookie.Fastclick";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@fastclick[1].txt:\fastclick.net.57e8da10";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@fastclick[1].txt:\fastclick.net.6fd479aa";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@fastclick[1].txt:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@fastclick[1].txt:\fastclick.net.8dd1284a";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@fastclick[1].txt:\fastclick.net.94ca190b";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@fastclick[1].txt:\fastclick.net.9b41aa53";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@gamershell[1].txt";"Found Tracking cookie.Gamershell";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@gamershell[1].txt:\gamershell.com.13a6979d";"Found Tracking cookie.Gamershell";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@gamershell[1].txt:\gamershell.com.8aafc627";"Found Tracking cookie.Gamershell";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@gamershell[1].txt:\gamershell.com.99c35e71";"Found Tracking cookie.Gamershell";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@gamershell[1].txt:\gamershell.com.ce59db3e";"Found Tracking cookie.Gamershell";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@liveperson[1].txt";"Found Tracking cookie.Liveperson";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@liveperson[1].txt:\liveperson.net.8db0737c";"Found Tracking cookie.Liveperson";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@m.webtrends[1].txt";"Found Tracking cookie.Webtrends";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@m.webtrends[1].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@mediaplex[1].txt";"Found Tracking cookie.Mediaplex";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@mediaplex[1].txt:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@mediaplex[1].txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@msnportal.112.2o7[1].txt";"Found Tracking cookie.2o7";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@pro-market[2].txt";"Found Tracking cookie.Pro-market";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@pro-market[2].txt:\pro-market.net.bbf67f2d";"Found Tracking cookie.Pro-market";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@questionmarket[2].txt";"Found Tracking cookie.Questionmarket";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@questionmarket[2].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@questionmarket[2].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@questionmarket[2].txt:\questionmarket.com.767e4302";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt";"Found Tracking cookie.Revsci";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.18a1d1b2";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.265d6617";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.26b016c3";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.4260287e";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.4fdfee8f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.5d94181c";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.6ac59ebd";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.8d22fa22";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.8edf9499";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.b9b08de6";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.e936b9b1";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.f0067737";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.f3475212";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.f7ac007f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@revsci[1].txt:\revsci.net.fb487293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@ru4[1].txt";"Found Tracking cookie.Ru4";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@ru4[1].txt:\ru4.com.5a5e0633";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@ru4[1].txt:\ru4.com.82a499d7";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@ru4[1].txt:\ru4.com.83b89ffa";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@serving-sys[1].txt:\serving-sys.com.176b0dad";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@serving-sys[1].txt:\serving-sys.com.3c465e6e";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@serving-sys[1].txt:\serving-sys.com.bb39fa8c";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@serving-sys[1].txt:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@smartadserver[2].txt";"Found Tracking cookie.Smartadserver";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@smartadserver[2].txt:\smartadserver.com.321a5cf8";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@smartadserver[2].txt:\smartadserver.com.5550c4ed";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@smartadserver[2].txt:\smartadserver.com.bf8b766";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@smartadserver[2].txt:\smartadserver.com.c5827141";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@stat.dealtime[2].txt";"Found Tracking cookie.Dealtime";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@stat.dealtime[2].txt:\stat.dealtime.com.f58c396a";"Found Tracking cookie.Dealtime";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@statse.webtrendslive[2].txt";"Found Tracking cookie.Webtrendslive";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@statse.webtrendslive[2].txt:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tradedoubler[1].txt";"Found Tracking cookie.Tradedoubler";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tradedoubler[1].txt:\tradedoubler.com.a0d950bb";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tradedoubler[1].txt:\tradedoubler.com.ba12c0e9";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tradedoubler[1].txt:\tradedoubler.com.eab0972e";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tradedoubler[1].txt:\tradedoubler.com.ef90aa95";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@trafficmp[1].txt";"Found Tracking cookie.Trafficmp";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@trafficmp[1].txt:\trafficmp.com.4a13119";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@trafficmp[1].txt:\trafficmp.com.a00e30b4";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@trafficmp[1].txt:\trafficmp.com.f3e5803e";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tribalfusion[1].txt";"Found Tracking cookie.Tribalfusion";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tribalfusion[1].txt:\tribalfusion.com.5eef93d0";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tribalfusion[1].txt:\tribalfusion.com.7610f0e0";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tribalfusion[1].txt:\tribalfusion.com.8b22ad8c";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tribalfusion[1].txt:\tribalfusion.com.9bc3e98f";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tribalfusion[1].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@tribalfusion[1].txt:\tribalfusion.com.ff8546b9";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@yadro[2].txt";"Found Tracking cookie.Yadro";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@yadro[2].txt:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt";"Found Tracking cookie.Zedo";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt:\zedo.com.a5b6a132";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt:\zedo.com.cef1c7af";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt:\zedo.com.dab23eee";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt:\zedo.com.dd15d628";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@2o7[2].txt";"Found Tracking cookie.2o7";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@2o7[2].txt:\2o7.net.87f47d84";"Found Tracking cookie.2o7";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@adbrite[1].txt";"Found Tracking cookie.Adbrite";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@adbrite[1].txt:\adbrite.com.44f92a69";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@adbrite[1].txt:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@adbrite[1].txt:\adbrite.com.f796fd05";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@advertising[2].txt";"Found Tracking cookie.Advertising";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@advertising[2].txt:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@advertising[2].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[2].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[2].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[2].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[2].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@bs.serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@mediaplex[1].txt";"Found Tracking cookie.Mediaplex";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@mediaplex[1].txt:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@mediaplex[1].txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt";"Found Tracking cookie.Revsci";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt:\revsci.net.18a1d1b2";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt:\revsci.net.5d94181c";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt:\revsci.net.730f4d3f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt:\revsci.net.f0067737";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@revsci[2].txt:\revsci.net.f7ac007f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ru4[1].txt";"Found Tracking cookie.Ru4";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ru4[1].txt:\ru4.com.5a5e0633";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@serving-sys[1].txt:\serving-sys.com.176b0dad";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@serving-sys[1].txt:\serving-sys.com.3c465e6e";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@serving-sys[1].txt:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@smartadserver[2].txt";"Found Tracking cookie.Smartadserver";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@smartadserver[2].txt:\smartadserver.com.321a5cf8";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@smartadserver[2].txt:\smartadserver.com.3632541c";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@smartadserver[2].txt:\smartadserver.com.5550c4ed";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@smartadserver[2].txt:\smartadserver.com.bf8b766";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@smartadserver[2].txt:\smartadserver.com.c5827141";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@tribalfusion[2].txt";"Found Tracking cookie.Tribalfusion";"Healed"
    "";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@tribalfusion[2].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"

    "Information"
    "";"File";"Information";"Result"
    "";"C:\Users\Mark\Downloads\Game Files\x3\X3Update1.4_to_2.5.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
    "";"C:\Users\Mark\Downloads\Game Files\x3\X3Update1.4_to_2.5.exe:\{tmp}\wmfdist_xp32.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
     
  9. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Logs

    I've also run Microsoft's Malicious Software Removal Tool (Feb 2011) which says it checks for DOS and Win32 variants of Alureon. Seeing as these were the only guys who identified it in the first place (assuming it was correct)...

    Results were clean, but I'm still a bit nervous, as I haven't done anything to remove it yet!
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Normally I would take you to task for running another scan, but I see I didn't include this:
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    The reason for this is because programs are going to change the log entries I have to work with, so please stop running scans and removing entries unless I instruct you to. AVG scans are useless. Usually most of what they show is tracking Cookies. You can prevent these by resetting Cookies in the browser not to accept 3rd party Cookies.
    ==========================================
    And your files are all locked and cannot be accessed. I'm going to have you run Combofix and to do it, you will need to uninstall AVG:
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ================================================
    You have several programs that are not compatible with the Win 7 OS; one may be this:
    Product name: Sophos Anti-Rootkit
    Description: Sophos boot tasks for Windows 2000
    You need to look into these errors from the Event Viewer:
    10/02/2011 23:36:58, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
    10/02/2011 23:36:58, Error: Application Popup [1060] - \??\C:\Windows\system32\3B81.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    10/02/2011 23:34:10, Error: Application Popup [1060] - \??\C:\Windows\system32\8D85.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

    I see a lot of bug checks and mini dumps. I don't handle those here; there is a forum especially for the BSODs.
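The helper's point about AVG output (nearly all of it is tracking-cookie noise, which buries the handful of rows worth a human's attention) can be made mechanical. The following is an added example written for this thread, not AVG's or the helper's code: a small parser for the AVG 2011 log layout pasted earlier (semicolon-separated, every field quoted, a one-field section title followed by a `"";"File";...` header row). The sample log embedded in it is constructed: the `"Warnings"` section name, the `C:\PLACEHOLDER\sample.exe` row and its `Placeholder.Detection` name are made up for the demo, while the cookie and "broken digital signature" rows mirror entries in the real log above.

```python
"""Triage helper for AVG 2011 scan logs, added as an example for this thread.
Not AVG's or the helper's code. It sorts the log into tracking-cookie noise,
unverifiable-signature notices, and anything else a human should look at.
"""
import csv
import io
from collections import Counter

# Constructed sample in the layout of the AVG log pasted above. The "Warnings"
# section name, the PLACEHOLDER row and its detection name are made up for
# this demo; the other rows mirror entries seen in the real log.
SAMPLE_LOG = r'''"Warnings"
"";"File";"Infection";"Result"
"";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt";"Found Tracking cookie.Zedo";"Healed"
"";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\Low\mark@zedo[1].txt:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Healed"
"";"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@atdmt[2].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"";"C:\PLACEHOLDER\sample.exe";"Placeholder.Detection (constructed, not a real AVG name)";"Moved to Virus Vault"
"Information"
"";"File";"Information";"Result"
"";"C:\Users\Mark\Downloads\Game Files\x3\X3Update1.4_to_2.5.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
'''


def split_component(path):
    r"""AVG reports a sub-entry it found inside a file (here, one cookie inside
    an IE cookie file) as 'file:\name'. Return (file, name); the drive-letter
    colon at index 1 is deliberately skipped."""
    idx = path.find(':\\', 2)
    if idx == -1:
        return path, None
    return path[:idx], path[idx + 2:]


def classify(detection):
    """Bucket one detection string. Tracking cookies are browser noise, the
    broken-signature notice is informational, everything else needs eyes."""
    if detection.startswith('Found Tracking cookie.'):
        return 'tracking_cookie'
    if 'broken digital signature' in detection:
        return 'signature_info'
    return 'needs_review'


def triage(log_text):
    """Parse an AVG log and return per-bucket counts plus the rows worth a look."""
    counts = Counter()
    cookie_vendors = Counter()
    needs_review = []
    signature_info = []
    for row in csv.reader(io.StringIO(log_text), delimiter=';', quotechar='"'):
        if len(row) != 4 or row[1] == 'File':
            continue  # section titles, column-header rows, blank lines
        _, path, detection, result = row
        category = classify(detection)
        counts[category] += 1
        file_path, component = split_component(path)
        entry = {'path': file_path, 'component': component,
                 'detection': detection, 'result': result}
        if category == 'tracking_cookie':
            # "Found Tracking cookie.Zedo" -> vendor "Zedo"
            cookie_vendors[detection.split('.', 1)[1]] += 1
        elif category == 'signature_info':
            signature_info.append(entry)
        else:
            needs_review.append(entry)
    return {'counts': dict(counts),
            'cookie_vendors': dict(cookie_vendors),
            'signature_info': signature_info,
            'needs_review': needs_review}


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    print('counts:', summary['counts'])
    print('cookie vendors:', summary['cookie_vendors'])
    for item in summary['needs_review']:
        print('REVIEW:', item['path'], '->', item['detection'])
```

Run against a real AVG export, `needs_review` is the short list to hand to a helper, `cookie_vendors` shows at a glance that the hundreds of "Healed"/"Moved to Virus Vault" rows are the same dozen ad networks, and `signature_info` collects files whose Authenticode signature no longer verifies, which is worth a second look but is not by itself evidence of infection.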
     
  11. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    ComboFix

    Hi,
    I attempted to run ComboFix, exactly as you said, after removing AVG. The AVG uninstall process asked to restart, which gave a BSOD, but after that it appears to be removed properly (I used their removal tool to be certain.)

    Ran ComboFix, and saw it take a couple of actions, but before the log came up it asked to restart, and as it did so, I had yet another BSOD.

    I ran it a second time, and although it didn't seem to disconnect me from the internet (there was no notification and my sidebar gadget seemed to be normal) it worked, with another restart. Here is the log:
    ComboFix 11-02-13.04 - Mark 14/02/2011 15:56:03.1.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.6135.4945 [GMT 0:00]
    Running from: c:\users\Mark\Desktop\ComboFix.exe
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
    .

    2011-02-13 13:19 . 2011-02-13 13:19 388096 ----a-r- c:\users\Mark\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-02-12 16:22 . 2011-02-12 16:22 -------- d-----w- c:\program files (x86)\ESET
    2011-02-12 13:26 . 2011-02-12 13:26 -------- d-----w- c:\program files (x86)\Trend Micro
    2011-02-10 23:37 . 2009-06-18 12:55 18816 ------w- c:\windows\SysWow64\SAVRKBootTasks.sys
    2011-02-10 23:31 . 2011-02-02 17:10 7844688 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B7D062D9-1C6A-4E38-AD69-5A49B387AA8C}\mpengine.dll
    2011-02-10 18:14 . 2011-02-14 15:48 -------- d-----w- c:\program files (x86)\Emsisoft Anti-Malware
    2011-02-09 21:59 . 2011-02-09 22:00 -------- d-----w- c:\users\Mark\AppData\Roaming\gtk-2.0
    2011-02-09 21:30 . 2011-02-09 22:02 -------- d-----w- c:\users\Mark\.dia
    2011-02-09 21:30 . 2011-02-09 21:30 -------- d-----w- c:\program files (x86)\Dia
    2011-02-09 13:11 . 2011-02-09 13:11 -------- d-----w- C:\NVIDIA
    2011-02-09 11:37 . 2010-12-18 03:39 1502208 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-09 11:37 . 2010-12-18 03:35 2381824 ----a-w- c:\windows\system32\mshtml.tlb
    2011-02-09 11:37 . 2010-12-18 03:19 1448448 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2011-02-09 11:37 . 2010-12-18 03:15 2381824 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2011-01-31 19:57 . 2011-01-31 19:57 -------- d-----w- c:\program files\iTunes
    2011-01-31 19:57 . 2011-01-31 19:57 -------- d-----w- c:\program files (x86)\iTunes
    2011-01-31 19:57 . 2011-01-31 19:57 -------- d-----w- c:\program files\iPod
    2011-01-30 18:45 . 2011-02-01 20:57 -------- d-----w- c:\users\Mark\AppData\Roaming\TS3Client
    2011-01-30 18:44 . 2011-01-30 18:44 -------- d-----w- c:\program files\TeamSpeak 3 Client
    2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2011-01-26 18:27 . 2011-01-26 18:27 -------- d-----w- c:\program files (x86)\Egosoft
    2011-01-26 13:43 . 2008-07-12 08:18 467984 ----a-w- c:\windows\SysWow64\d3dx10_39.dll
    2011-01-26 13:43 . 2008-07-12 08:18 3851784 ----a-w- c:\windows\SysWow64\D3DX9_39.dll
    2011-01-26 13:43 . 2008-07-12 08:18 1493528 ----a-w- c:\windows\SysWow64\D3DCompiler_39.dll
    2011-01-26 13:43 . 2008-07-12 08:18 540688 ----a-w- c:\windows\system32\d3dx10_39.dll
    2011-01-26 13:43 . 2008-07-12 08:18 4992520 ----a-w- c:\windows\system32\D3DX9_39.dll
    2011-01-26 13:43 . 2008-07-12 08:18 1942552 ----a-w- c:\windows\system32\D3DCompiler_39.dll
    2011-01-17 13:14 . 2011-01-17 13:15 -------- d-----w- c:\users\Mark\AppData\Roaming\HTC
    2011-01-17 13:14 . 2011-01-25 10:42 -------- d-----w- c:\program files (x86)\HTC
    2011-01-17 13:14 . 2011-01-17 13:14 -------- d-----w- c:\program files (x86)\MSXML 4.0
    2011-01-17 11:23 . 2011-01-05 19:03 62448 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
    2011-01-17 11:23 . 2011-01-17 11:23 -------- d-----w- c:\users\Mark\AppData\Roaming\Trusteer
    2011-01-17 11:23 . 2011-01-17 11:23 -------- d-----w- c:\program files (x86)\Trusteer
    2011-01-17 11:22 . 2011-01-17 11:22 -------- d-----w- c:\programdata\Trusteer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-08 23:24 . 2010-09-27 18:15 270904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2011-02-08 23:24 . 2010-09-08 21:27 270904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2011-02-08 23:19 . 2010-09-08 21:27 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2011-02-02 17:11 . 2010-09-07 16:24 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-08 03:27 . 2010-10-29 18:20 7729256 ----a-w- c:\windows\system32\nvwgf2umx.dll
    2011-01-08 03:27 . 2010-10-29 18:20 2200680 ----a-w- c:\windows\system32\nvapi64.dll
    2011-01-08 03:27 . 2010-10-29 18:20 12859496 ----a-w- c:\windows\system32\nvd3dumx.dll
    2011-01-08 03:27 . 2010-10-29 18:20 10078312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
    2011-01-07 20:50 . 2011-01-07 20:50 795752 ----a-w- c:\windows\system32\easyUpdatusAPIU64.dll
    2011-01-07 20:50 . 2011-01-07 20:50 6143080 ----a-w- c:\windows\system32\nvcpl.dll
    2011-01-07 20:49 . 2011-01-07 20:49 3156072 ----a-w- c:\windows\system32\nvsvc64.dll
    2011-01-07 20:49 . 2011-01-07 20:49 117864 ----a-w- c:\windows\system32\nvmctray.dll
    2011-01-07 20:49 . 2011-01-07 20:49 2558568 ----a-w- c:\windows\system32\nvsvcr.dll
    2011-01-07 20:49 . 2011-01-07 20:49 1005160 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-12-20 18:09 . 2010-11-15 18:43 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2010-11-15 18:43 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-19 18:12 . 2010-09-08 21:27 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    2010-12-06 13:46 . 2010-12-06 13:43 2142976 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2010-11-23 16:06 . 2010-11-23 16:06 834544 ----a-w- c:\windows\system32\drivers\sptd.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" [2009-05-25 210216]
    "UpdatePPShortCut"="c:\program files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-16 91432]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]
    "NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-01-22 106496]
    "MDS_Menu"="c:\program files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "InstantBurn"="c:\progra~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2008-10-17 681256]
    "CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-04-30 103720]
    "BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-08-28 75048]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisableThumbnailsOnNetworkFolders"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-10-09 79360]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-10-09 79360]
    R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2010-05-05 202840]
    R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2010-05-05 1417304]
    R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2010-05-05 94808]
    R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\3B81.tmp [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-09-28 51712]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-07 1255736]
    R4 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-01-05 821048]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-11-23 834544]
    S0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\DRIVERS\mv91cons.sys [2009-10-27 22568]
    S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2009-12-25 297512]
    S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2011-01-05 62448]
    S1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\DRIVERS\CLBStor.sys [2008-10-14 24560]
    S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-01-05 50672]
    S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-01-05 58864]
    S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/10/29 18:15];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [2009-08-28 17:36 146928]
    S2 CLBUDF;CyberLink InstantBurn UDF Filesystem; [x]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
    S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2010-05-05 202840]
    S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2010-05-05 1417304]
    S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2010-05-05 94808]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-01-22 77824]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-01-22 180224]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-11-11 155752]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]


    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-01-27 21:28 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1609296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:Tabs
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
    .
    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKCU-Run-Google Update - c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe
    Wow6432Node-HKLM-Run-Name of App - c:\program files (x86)\SAMSUNG\FW LiveUpdate\FWManager.exe
    Wow6432Node-HKLM-Run-CTxfiHlp - CTXFIHLP.EXE
    AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\3B81.tmp"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
    "ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3968718095-3507211263-3057274292-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:6e,3b,93,1a,ee,70,98,b3,a5,8d,4c,e9,8d,e4,fa,b9,f9,8f,ee,f0,48,57,af,
    a8,5c,89,35,a7,62,df,dd,f3,05,d3,60,d4,94,3a,ef,58,01,1d,de,75,03,ca,ab,b1,\
    "??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f

    [HKEY_USERS\S-1-5-21-3968718095-3507211263-3057274292-1001\Software\SecuROM\License information*]
    "datasecu"=hex:3d,80,b5,5f,55,34,3d,3c,ea,05,33,8f,a3,b9,a9,54,00,b5,be,a4,b5,
    e4,df,c7,65,c5,a0,ee,d7,2d,95,10,7b,6c,1e,64,ca,ec,a9,10,e3,37,88,02,25,d1,\
    "rkeysecu"=hex:da,69,69,92,06,8f,39,9e,b4,53,bf,d3,ff,f8,83,ad

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_10_2_161_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_10_2_161_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\CyberLink\InstantBurn\Win2K\IBurn.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-14 15:59:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-14 15:59

    Pre-Run: 26,261,516,288 bytes free
    Post-Run: 25,471,942,656 bytes free

    - - End Of File - - FB6E75E3E450D27377A481F60A81A9C5
     
  12. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    ...

    I will remove the Sophos software, and look into the BSODs on the other forum once this is sorted, although I assumed they were related, as I only had them very rarely before.

    The MEMSWEEP event details are as follows:

    - System

    - Provider

    [ Name] Service Control Manager
    [ Guid] {555908d1-a6d7-4695-8e1e-26931d2012f4}
    [ EventSourceName] Service Control Manager

    - EventID 7000

    [ Qualifiers] 49152

    Version 0

    Level 2

    Task 0

    Opcode 0

    Keywords 0x8080000000000000

    - TimeCreated

    [ SystemTime] 2011-02-10T23:36:58.825107400Z

    EventRecordID 62419

    Correlation

    - Execution

    [ ProcessID] 864
    [ ThreadID] 1816

    Channel System

    Computer Mark-PC

    Security


    - EventData

    param1 MEMSWEEP2
    param2 %%1275



    I could not glean anything else from event viewer.

    The details for the next one you mentioned are:

    - System

    - Provider

    [ Name] Application Popup

    - EventID 26

    [ Qualifiers] 16384

    Level 4

    Task 0

    Keywords 0x80000000000000

    - TimeCreated

    [ SystemTime] 2011-02-10T23:36:56.859503900Z

    EventRecordID 62414

    Channel System

    Computer Mark-PC

    Security


    - EventData


    \??\C:\Windows\system32\3B81.tmp failed to load
    0000000002003000000000001A000040280400C06C0200C000000000000000000000000000000000


    --------------------------------------------------------------------------------

    Binary data:


    In Words

    0000: 00000000 00300002 00000000 4000001A
    0008: C0000428 C000026C 00000000 00000000
    0010: 00000000 00000000


    In Bytes

    0000: 00 00 00 00 02 00 30 00 ......0.
    0008: 00 00 00 00 1A 00 00 40 .......@
    0010: 28 04 00 C0 6C 02 00 C0 (..Àl..À
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    and the third one is pretty similar:

    - System

    - Provider

    [ Name] Application Popup

    - EventID 26

    [ Qualifiers] 16384

    Level 4

    Task 0

    Keywords 0x80000000000000

    - TimeCreated

    [ SystemTime] 2011-02-10T23:34:10.025213800Z

    EventRecordID 62406

    Channel System

    Computer Mark-PC

    Security


    - EventData


    \??\C:\Windows\system32\8D85.tmp failed to load
    0000000002003000000000001A000040280400C06C0200C000000000000000000000000000000000


    --------------------------------------------------------------------------------

    Binary data:


    In Words

    0000: 00000000 00300002 00000000 4000001A
    0008: C0000428 C000026C 00000000 00000000
    0010: 00000000 00000000


    In Bytes

    0000: 00 00 00 00 02 00 30 00 ......0.
    0008: 00 00 00 00 1A 00 00 40 .......@
    0010: 28 04 00 C0 6C 02 00 C0 (..Àl..À
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........




    I have no idea what they are, except that MEMSWEEP may be part of the Sophos anti-rootkit software. Shall I uninstall it now?
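The two Application Popup (Event ID 26) records above carry their detail as a hex blob, and the Service Control Manager (Event ID 7000) record carries only the parameter `%%1275`. The Python below decodes both. It is an added example, not part of the thread or of any tool mentioned in it; it assumes the blob is to be read as little-endian 32-bit words (the layout Event Viewer's own "In Words" view already shows) and that words whose top two bits are set are NTSTATUS error codes. The code names come from the public `ntstatus.h` and `winerror.h` tables; the `NTSTATUS_NAMES` and `WIN32_ERROR_NAMES` lookup tables are deliberately small and only cover values a defender meets when a driver is refused.

```python
"""Decode the EventData payloads quoted above: the hex blob of the two
Application Popup (Event ID 26) records and the %%1275 parameter of the
Service Control Manager (Event ID 7000) record.

Added example, not part of the thread or of any tool named in it. The blob is
read as little-endian 32-bit words (same layout as Event Viewer's "In Words"
view); words whose top two bits are 11 or 10 are treated as NTSTATUS
error/warning codes. Names come from ntstatus.h / winerror.h; anything not in
the small tables below is reported with name None."""
from __future__ import annotations
import struct

# Subset of ntstatus.h relevant to a driver that the kernel refuses to load.
NTSTATUS_NAMES = {
    0xC0000428: "STATUS_INVALID_IMAGE_HASH",     # image signature could not be verified
    0xC000026C: "STATUS_DRIVER_UNABLE_TO_LOAD",  # driver could not be loaded
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
}

# Subset of winerror.h; Event ID 7000's "%%<n>" parameter is a Win32 error number.
WIN32_ERROR_NAMES = {
    1275: "ERROR_DRIVER_BLOCKED",  # "This driver has been blocked from loading"
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
}

# NTSTATUS severity lives in the top two bits of the value.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Payload copied from the Event ID 26 records in the thread (both are identical).
EVENT_26_PAYLOAD = (
    "0000000002003000000000001A000040280400C06C0200C0"
    "00000000000000000000000000000000"
)


def hex_to_dwords(hex_payload: str) -> list[int]:
    """Turn the hex string shown under EventData into little-endian 32-bit words."""
    raw = bytes.fromhex(hex_payload.strip())
    if len(raw) % 4:
        raise ValueError("payload length is not a multiple of 4 bytes")
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def classify(dword: int) -> dict:
    """Split a word into NTSTATUS severity and look up its name if known."""
    return {"value": dword, "severity": SEVERITY[dword >> 30],
            "name": NTSTATUS_NAMES.get(dword)}


def find_status_codes(hex_payload: str) -> list[dict]:
    """Return the words that carry NTSTATUS warning/error severity, in order."""
    return [classify(d) for d in hex_to_dwords(hex_payload) if d >> 30 in (2, 3)]


def decode_scm_param(param: str) -> str:
    """Resolve the '%%<n>' value Service Control Manager writes into Event 7000."""
    number = int(param.lstrip("%"))
    return WIN32_ERROR_NAMES.get(number, "unknown Win32 error %d" % number)


if __name__ == "__main__":
    for code in find_status_codes(EVENT_26_PAYLOAD):
        print("0x%08X %-13s %s" % (code["value"], code["severity"], code["name"]))
    print("Event 7000 param2 %%1275 ->", decode_scm_param("%%1275"))
```

Run against the thread's own data, the Event ID 26 blob yields `0xC0000428 STATUS_INVALID_IMAGE_HASH` followed by `0xC000026C STATUS_DRIVER_UNABLE_TO_LOAD`, and `%%1275` resolves to `ERROR_DRIVER_BLOCKED`. Read together, the three records say the kernel refused to load the driver image at `C:\Windows\system32\3B81.tmp` (and later `8D85.tmp`) because it could not verify the image's signature, which is the failure that 64-bit Windows 7 reports when kernel-mode code-signing enforcement rejects a driver; the `MEMSWEEP2` service entry in the ComboFix log is the service that pointed at that file. For a defender, the value of decoding is that it names the file and the reason, so the driver can be traced back to whichever product dropped it rather than guessed at.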
     
  13. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Combo Fix

    Just noticed that in C:\Qoobox\ComboFix-quarantined-files.txt the log is slightly different to what I posted before (see below). The file 6363.tmp.vir could have been what it dealt with the first time I ran it but lost the log due to the crash... Hope it's useful.

    2011-02-14 15:59:24 . 2011-02-14 15:59:24 2,966 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-PunkBusterSvc.reg.dat
    2011-02-14 15:59:09 . 2011-02-14 15:59:09 119 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-CTxfiHlp.reg.dat
    2011-02-14 15:59:09 . 2011-02-14 15:59:09 174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-Name of App.reg.dat
    2011-02-14 15:59:08 . 2011-02-14 15:59:08 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-Google Update.reg.dat
    2011-02-14 15:52:19 . 2011-02-14 15:57:19 5,249 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2011-02-14 15:50:37 . 2011-02-14 15:55:40 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2011-02-14 15:50:06 . 2011-02-14 15:50:06 349,648 ----a-w- C:\Qoobox\Quarantine\C\Users\Mark\AppData\Local\Temp\6363.tmp.vir
     
  14. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Ok having major issues now! Had BSOD related to rapport driver, restarted, but couldn't boot Windows. Eventually booted recovery console from windows disc and let it auto repair. It found the master boot record was corrupt and did disk metadata repairs.

    Restart failed with a new BSOD just as Windows starts to boot. Stop error is 0x0000007B, which according to the Microsoft article is either due to a new hardware issue, or is due to a boot sector virus. This is why I'm still posting here, and desperately need help! The MS article is http://support.microsoft.com/kb/324103.

    I tried a system file integrity check but repair failed.

    I have files on the system I really need to keep, so if there is any way...
     
  15. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Somehow, I've managed to repair the MBR, (exported it to delete it and create a new one), then couldn't boot due to BSOD on RapportPG64.sys.

    Got into Safe Mode, and manually uninstalled Rapport (following instructions from Trusteer's website).

    Now I can boot again! But system doesn't feel entirely stable, a few slow ups etc. I await further instructions/condemnation! Expect you'll have to start again with fresh scans after all that activity?!
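The two posts above describe a corrupt master boot record being exported, deleted and recreated, after a Stop 0x7B that the cited KB article attributes either to hardware changes or to a boot-sector virus. Whichever it was, the defender's question is the same: does the 512-byte sector still have a valid layout, and has its boot code changed relative to a known-good copy? The Python below answers that for an MBR image read from disk. It is an added example, not from the thread or from any tool in it; the sample sector it parses is constructed inline, and the field offsets are the classic MBR layout (boot code at 0..439, disk signature at 440, partition table at 446, `55 AA` at 510).

```python
"""Parse a 512-byte MBR image and run the checks that matter when a boot
sector is suspected of corruption or tampering: the 0x55AA signature, the
consistency of the partition table, and whether the boot code still matches a
known-good copy.

Added example, not from the thread or from any tool it mentions. The sample
MBR built by build_sample_mbr() is constructed for the demonstration."""
from __future__ import annotations
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440       # boot code occupies bytes 0..439
DISK_SIG_OFFSET = 440    # 4-byte disk signature, then 2 reserved bytes
PT_OFFSET = 446          # four 16-byte partition entries
ENTRY_SIZE = 16
BOOT_SIG = b"\x55\xAA"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its fields; used partition slots only."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i, "status": status, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_consistency(parsed: dict) -> list[str]:
    """Return human-readable problems; an empty list means the table looks sane."""
    problems = []
    if not parsed["valid_signature"]:
        problems.append("missing 0x55AA boot signature")
    parts = parsed["partitions"]
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            problems.append("entry %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
        if p["lba_start"] == 0 or p["sectors"] == 0:
            problems.append("entry %d has a zero start or length" % p["index"])
    if sum(p["bootable"] for p in parts) > 1:
        problems.append("more than one partition flagged bootable")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            problems.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return problems


def bootcode_unchanged(reference: bytes, current: bytes) -> bool:
    """True when the boot code region matches a previously saved known-good copy."""
    return parse_mbr(reference)["bootcode_sha256"] == parse_mbr(current)["bootcode_sha256"]


def build_sample_mbr() -> bytes:
    """Constructed sample: a stand-in boot code block plus a two-partition table."""
    bootcode = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (BOOTCODE_LEN - 3)  # JMP stub, then padding
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"                # constructed signature
    e1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    e2 = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 206848, 40_000_000)
    empty = b"\x00" * ENTRY_SIZE
    return bootcode + disk_sig + e1 + e2 + empty + empty + BOOT_SIG


if __name__ == "__main__":
    good = build_sample_mbr()
    info = parse_mbr(good)
    print("disk signature 0x%08X, boot code sha256 %s" % (info["disk_signature"], info["bootcode_sha256"]))
    for p in info["partitions"]:
        print("  entry %d type 0x%02X start %d sectors %d%s"
              % (p["index"], p["type"], p["lba_start"], p["sectors"], " (boot)" if p["bootable"] else ""))
    print("problems:", check_consistency(info) or "none")
```

The useful habit this supports is to save a copy of the first sector while the machine is known to be healthy and compare against it later with `bootcode_unchanged()`: a partition table that still passes `check_consistency()` but whose boot-code hash has changed is exactly the case a signature check on the partition entries alone would miss.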
     
  16. sweeneytodd94

    sweeneytodd94 TS Rookie Topic Starter Posts: 20

    Another detection

    Sorry to post again before you've had a chance to take a look through, but figured I should keep the thread up-to-date!

    Booted today to find Avira has detected the trojan TR/Mooplids.A.4 (mhkvqgwm.dll) and has automatically moved it into quarantine.

    Haven't scanned or produced any more logs as of yet--learnt my lesson :p
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm not sure what you are wanting to do. In this forum, we look for malware and hopefully remove it. You continue to give problems that are 'system' in nature, not 'malware'. If you have an antivirus program and it finds a bad entry and puts it in Quarantine, that's what you have it for and that's what it's supposed to do.

    Once you did the repair, the previous logs were no longer applicable.

    You're having Memory dumps, Bug Checks and creating mini-dump files. These are what are most likely the cause of the BSOD. But I don't handle this- there is a forum especially for this. You need to get the system stabilized so a scan can be run without producing a BSOD or making you do a repair.

    I am going to close this thread. Please let the members in the BSOD forum help you find and resolve the drivers causing the errors. After that has been done, if you still think you have a malware issue, return here and start a new thread with references to the URL for this thread and also the thread in the BSOD forum. Run Mbam, GMER and DDS again and leave the new logs.

    In the meantime, Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    (I'm not having you remove the old restore points yet because I'm not sure if the system is clean yet.)
    ==============================================
    When I left the following, I did not mean for you to give me the details from the Event Viewer- I meant for you to see what the incompatible programs were and either uninstall them or update them, whichever is the most appropriate:
     
Topic Status:
Not open for further replies.
