TechSpot

Critical error, restart in 1 minute strikes again

Inactive
By PoorlyPC
Aug 28, 2012
  1. Hello Virus Busters

    You have been so kind to help other amateurs like me with Virus issues and I was hoping for the same. Anything you can suggest would be greatly appreciated.

    Running Vista 32. I have completed the Farbar scan, please see below.

    Thanks in advance

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 28-08-2012
    Ran by SYSTEM at 28-08-2012 14:59:07
    Running from E:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [159744 2007-09-06] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [174872 2007-03-21] (Intel Corporation)
    HKLM\...\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [16384 2008-02-13] ( )
    HKLM\...\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe" [189736 2007-11-01] (CyberLink Corp.)
    HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [51048 2008-10-17] (Symantec Corporation)
    HKLM\...\Run: [BTHelena_McciTrayApp] C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe [x]
    HKLM\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2008-08-13] (SupportSoft, Inc.)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [141600 2009-11-12] (Apple Inc.)
    HKLM\...\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup [103768 2009-09-12] (Citrix Systems, Inc.)
    HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2007-11-12] (IDT, Inc.)
    HKLM\...\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [1584640 2009-09-14] (Alcatel-Lucent)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-08-09] (Apple Inc.)
    HKLM\...\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Louise\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2008-08-13] (SupportSoft, Inc.)
    HKU\Louise\...\Run: [conhost] C:\Users\Louise\AppData\Roaming\Microsoft\conhost.exe [x]
    HKU\Louise\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
    HKU\Louise\...\Winlogon: [Shell] explorer.exe, [x]
    HKU\Stephen\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    HKU\Stephen\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2008-08-13] (SupportSoft, Inc.)
    HKU\Stephen\...\Run: [Spotify Web Helper] "C:\Users\Stephen\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1193176 2012-08-21] ()
    Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll [X]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickSet.lnk
    ShortcutTarget: QuickSet.lnk -> C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)

    ========================== Services (Whitelisted) ========================

    2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
    4 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe" [243064 2007-08-31] (Symantec Corporation)
    2 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [149352 2008-10-17] (Symantec Corporation)
    2 ccSetMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [149352 2008-10-17] (Symantec Corporation)
    2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [149352 2008-10-17] (Symantec Corporation)
    3 comHost; "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" [55640 2007-12-27] (Symantec Corporation)
    3 getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [33176 2009-03-03] (NOS Microsystems Ltd.)
    3 GoToAssist; "C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe" Start=service [16680 2010-01-25] (Citrix Online, a division of Citrix Systems, Inc.)
    3 LiveUpdate; "C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE" [3192184 2007-12-27] (Symantec Corporation)
    2 LiveUpdate Notice; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [149352 2008-10-17] (Symantec Corporation)
    2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [201968 2008-08-13] (SupportSoft, Inc.)
    3 Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [1251720 2008-04-20] ()
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

    ==================== Drivers (Whitelisted) ===================

    3 COH_Mon; \??\C:\Windows\system32\Drivers\COH_Mon.sys [23888 2008-07-30] (Symantec Corporation)
    2 CO_Mon; \??\C:\Windows\system32\drivers\CO_Mon.sys [36056 2007-12-27] (Symantec Corporation)
    1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2009-02-25] (Symantec Corporation)
    3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [101936 2009-02-25] (Symantec Corporation)
    1 IDSvix86; \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090730.002\IDSvix86.sys [272432 2009-02-09] (Symantec Corporation)
    3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-08-22] (Malwarebytes Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 nmwcd; C:\Windows\System32\drivers\nmwcd.sys [137216 2007-02-22] (Nokia)
    3 nmwcdc; C:\Windows\System32\drivers\nmwcdc.sys [8320 2007-02-22] (Nokia)
    3 nmwcdcj; C:\Windows\System32\drivers\nmwcdcj.sys [12288 2007-02-22] (Nokia)
    3 nmwcdcm; C:\Windows\System32\drivers\nmwcdcm.sys [12288 2007-02-22] (Nokia)
    0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [43840 2007-11-13] (Sonic Solutions)
    1 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [447024 2008-09-05] (Symantec Corporation)
    3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2007-11-30] (Symantec Corporation)
    3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2007-11-30] (Symantec Corporation)
    1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2007-11-30] (Symantec Corporation)
    3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [13616 2009-02-19] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-01-09] (Symantec Corporation)
    3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [96560 2009-02-19] (Symantec Corporation)
    1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [24112 2009-02-19] (Symantec Corporation)
    3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [41008 2009-02-19] (Symantec Corporation)
    3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [22320 2009-02-19] (Symantec Corporation)
    1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [184496 2009-02-19] (Symantec Corporation)
    3 tapvpn; C:\Windows\System32\DRIVERS\tapvpn.sys [27136 2008-01-23] (The OpenVPN Project)
    3 zebrbus; C:\Windows\System32\DRIVERS\zebrbus.sys [83200 2008-01-15] (MCCI)
    3 zebrmdfl; C:\Windows\System32\DRIVERS\zebrmdfl.sys [14848 2008-01-15] (MCCI Corporation)
    3 zebrmdm; C:\Windows\System32\DRIVERS\zebrmdm.sys [109568 2008-01-15] (MCCI)
    3 zebrmdmc; C:\Windows\System32\DRIVERS\zebrmdmc.sys [109568 2008-01-15] (MCCI)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 hwdatacard; C:\Windows\System32\DRIVERS\ewusbmdm.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
    3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
    3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090731.004\NAVENG.SYS [x]
    3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090731.004\NAVEX15.SYS [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys [x]

    ==================== NetSvcs (Whitelisted) =================


    ============ One Month Created Files and Folders ==============

    2012-08-27 07:13 - 2012-08-27 07:13 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\zochjfpl.sys
    2012-08-23 10:05 - 2012-08-23 10:05 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-23 10:05 - 2012-08-23 10:05 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-23 10:03 - 2012-08-23 10:03 - 10288512 ____A (Microsoft Corporation) C:\Users\Stephen\Downloads\mseinstall(1).exe
    2012-08-23 10:02 - 2012-08-23 10:02 - 12621696 ____A (Microsoft Corporation) C:\Users\Stephen\Downloads\mseinstall.exe
    2012-08-22 12:26 - 2012-08-22 12:26 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-22 12:24 - 2012-08-22 12:24 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Louise\Downloads\mbam-setup-1.62.0.1300.exe
    2012-08-22 12:04 - 2012-08-22 12:04 - 00652800 ____A C:\Users\Louise\Downloads\MicrosoftFixit50362(1).msi
    2012-08-22 12:02 - 2012-08-22 12:02 - 00652800 ____A C:\Users\Louise\Downloads\MicrosoftFixit50362.msi
    2012-08-21 23:11 - 2012-08-21 23:11 - 00000000 ____D C:\Users\Stephen\AppData\Roaming\Malwarebytes
    2012-07-30 14:03 - 2012-07-30 14:03 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe


    ============ 3 Months Modified Files ========================

    2012-08-27 07:13 - 2012-08-27 07:13 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\zochjfpl.sys
    2012-08-23 10:46 - 2008-04-19 08:10 - 00196608 ____A C:\Windows\System32\Ikeext.etl
    2012-08-23 10:45 - 2009-10-21 10:55 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-23 10:44 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-23 10:44 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-23 10:44 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-23 10:29 - 2006-11-02 05:01 - 00032624 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-23 10:06 - 2008-04-11 09:43 - 01340809 ____A C:\Windows\WindowsUpdate.log
    2012-08-23 10:05 - 2012-08-23 10:05 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-23 10:05 - 2006-11-02 02:33 - 00712984 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-23 10:03 - 2012-08-23 10:03 - 10288512 ____A (Microsoft Corporation) C:\Users\Stephen\Downloads\mseinstall(1).exe
    2012-08-23 10:02 - 2012-08-23 10:02 - 12621696 ____A (Microsoft Corporation) C:\Users\Stephen\Downloads\mseinstall.exe
    2012-08-23 08:37 - 2006-11-02 04:52 - 00064820 ____A C:\Windows\setupact.log
    2012-08-22 23:45 - 2008-04-11 10:16 - 00073926 ____A C:\Windows\PFRO.log
    2012-08-22 12:29 - 2011-06-13 12:19 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-22 12:28 - 2008-04-19 06:14 - 00005972 ____A C:\Users\Louise\AppData\Local\d3d9caps.dat
    2012-08-22 12:26 - 2012-08-22 12:26 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-22 12:24 - 2012-08-22 12:24 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Louise\Downloads\mbam-setup-1.62.0.1300.exe
    2012-08-22 12:04 - 2012-08-22 12:04 - 00652800 ____A C:\Users\Louise\Downloads\MicrosoftFixit50362(1).msi
    2012-08-22 12:02 - 2012-08-22 12:02 - 00652800 ____A C:\Users\Louise\Downloads\MicrosoftFixit50362.msi
    2012-08-06 11:12 - 2008-04-16 10:47 - 00000548 ____A C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Louise.job
    2012-08-04 02:45 - 2012-07-22 08:17 - 00016384 ____A C:\Users\Louise\Documents\Maternity Pay.xls
    2012-07-30 14:03 - 2012-07-30 14:03 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-30 14:03 - 2011-09-14 12:58 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-25 11:13 - 2010-01-17 06:00 - 00085504 ____A C:\Users\Public\Documents\Our Finances.xls
    2012-07-23 09:10 - 2011-03-04 03:40 - 00041984 ____A C:\Users\Louise\Documents\My Finance.xls
    2012-07-12 11:26 - 2006-11-02 04:47 - 00332504 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-12 10:50 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-12 10:44 - 2006-11-02 02:23 - 00000240 ____A C:\Windows\win.ini
    2012-07-11 11:03 - 2012-07-11 11:04 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-07-11 11:03 - 2012-07-11 11:03 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-07-11 11:03 - 2012-07-11 11:03 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-07-11 11:03 - 2012-07-11 11:03 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-07-11 11:03 - 2010-11-25 10:08 - 00472840 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-07-05 08:15 - 2012-07-05 08:15 - 00288340 ____A C:\Windows\msxml4-KB954430-enu.LOG
    2012-07-05 08:15 - 2012-07-05 08:13 - 00298954 ____A C:\Windows\msxml4-KB973688-enu.LOG
    2012-07-03 04:46 - 2011-06-13 12:19 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-01 11:38 - 2012-07-01 11:38 - 00027648 ___RA C:\Users\Public\Documents\ESBK.mb
    2012-07-01 11:38 - 2012-07-01 11:38 - 00003072 ___RA C:\Users\Public\Documents\ESBK.mbb
    2012-07-01 11:32 - 2012-07-01 11:32 - 00000006 __ASH C:\Users\Stephen\AppData\Roaming\desktop.ini
    2012-07-01 11:32 - 2012-07-01 11:32 - 00000006 __ASH C:\Users\Stephen\AppData\Local\desktop.ini
    2012-07-01 11:29 - 2008-07-31 12:35 - 00033162 ____A C:\Windows\DPINST.LOG
    2012-07-01 11:25 - 2012-07-01 10:52 - 00001977 ____A C:\Users\Public\Desktop\Kodak EasyShare.lnk
    2012-07-01 11:19 - 2012-07-01 11:19 - 01857488 ____A C:\Users\Stephen\Downloads\install_easyshare.exe
    2012-07-01 06:20 - 2012-07-01 06:20 - 01857488 ____A C:\Users\Louise\Downloads\install_easyshare(2).exe
    2012-07-01 06:19 - 2012-07-01 06:18 - 01857488 ____A C:\Users\Louise\Downloads\install_easyshare(1).exe
    2012-06-13 05:40 - 2012-07-12 10:53 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 09:47 - 2012-07-11 11:13 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 08:47 - 2012-07-11 11:13 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 08:47 - 2012-07-11 11:13 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-04 07:26 - 2012-07-11 11:13 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-21 08:11 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 08:11 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 08:11 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 08:10 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 08:10 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-21 08:11 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-21 08:10 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 06:19 - 2012-06-21 08:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:12 - 2012-06-21 08:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-12 10:46 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-12 10:46 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-12 10:47 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-12 10:46 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-12 10:47 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:25 - 2012-07-12 10:46 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:23 - 2012-07-12 10:47 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-12 10:47 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-12 10:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-12 10:47 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-12 10:47 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-12 10:47 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-12 10:47 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-12 10:47 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 16:04 - 2012-07-11 11:13 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:03 - 2012-07-11 11:13 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-31 03:25 - 2009-10-03 00:17 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


    ZeroAccess:
    C:\Windows\Installer\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}
    C:\Windows\Installer\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\@
    C:\Windows\Installer\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\L
    C:\Windows\Installer\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\n
    C:\Windows\Installer\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\U
    C:\Windows\Installer\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\L\00000004.@
    C:\Windows\Installer\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\L\201d3dde

    ZeroAccess:
    C:\Users\Stephen\AppData\Local\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}
    C:\Users\Stephen\AppData\Local\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\@
    C:\Users\Stephen\AppData\Local\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\L
    C:\Users\Stephen\AppData\Local\{acf72554-e0db-6a4c-a1cd-546ce38f03e5}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-07-26 09:45:19
    Restore point made on: 2012-07-28 13:21:37
    Restore point made on: 2012-08-01 12:51:46
    Restore point made on: 2012-08-06 09:40:11
    Restore point made on: 2012-08-17 13:23:38
    Restore point made on: 2012-08-21 16:46:32
    Restore point made on: 2012-08-22 12:06:17

    ==================== Memory info ===========================

    Percentage of memory in use: 12%
    Total physical RAM: 2037.43 MB
    Available physical RAM: 1772.74 MB
    Total Pagefile: 1969.32 MB
    Available Pagefile: 1840.39 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.72 MB

    ==================== Partitions ============================

    1 Drive c: (OS) (Fixed) (Total:136.46 GB) (Free:26.56 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (WD Passport) (Fixed) (Total:74.51 GB) (Free:27.39 GB) FAT32
    4 Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.77 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 149 GB 1024 KB
    Disk 1 Online 75 GB 1528 KB

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 94 MB 32 KB
    Partition 2 Primary 10 GB 95 MB
    Partition 3 Primary 136 GB 10 GB
    Partition 0 Extended 2560 MB 147 GB
    Partition 4 Logical 2559 MB 147 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 FAT Partition 94 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 X RECOVERY NTFS Partition 10 GB Healthy Boot

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C OS NTFS Partition 136 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 4
    Type : DD
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 75 GB 32 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 E WD Passport FAT32 Partition 75 GB Healthy

    ==================================================================================

    Last Boot: 2012-08-23 08:27

    ==================== End Of Log =============================
  2. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    And here is the services log as well

    :)

    Farbar Recovery Scan Tool Version: 28-08-2012
    Ran by SYSTEM at 2012-08-28 15:02:48
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-10-21 10:55] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-07-26 01:30] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

    C:\Windows\System32\services.exe
    [2009-10-21 10:55] - [2012-08-23 10:45] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

    === End Of Search ===
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    FRST Fixlist

    Please run the following:

    Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  4. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    Hi

    Here is the fix log

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 28-08-2012
    Ran by SYSTEM at 2012-08-29 13:35:52 Run:1
    Running from E:\

    ==============================================

    HKEY_USERS\Louise\Software\Microsoft\Windows\CurrentVersion\Run\\conhost Value deleted successfully.
    C:\Windows\System32\Drivers\zochjfpl.sys moved successfully.
    C:\Windows\Installer\{acf72554-e0db-6a4c-a1cd-546ce38f03e5} moved successfully.
    C:\Users\Stephen\AppData\Local\{acf72554-e0db-6a4c-a1cd-546ce38f03e5} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====


    Reboot is slow but the critical error has not appeared in last 5 minutes

    (y)
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  6. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    Hi, here is the combofix log.

    :)



    ComboFix 12-08-30.04 - Stephen 30/08/2012 20:39:12.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1117 [GMT 1:00]
    Running from: c:\users\Stephen\Desktop\svchost.exe.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8AF3.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8CF8.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8D82.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc92FE.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9533.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc965.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc96C5.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc984.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc994D.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9966.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9A2F.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9A6D.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9A6E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9A8D.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9ABB.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9C28.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9CCE.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9D2.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9D3B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9E93.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9F1E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9F6C.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA0F3.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA353.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA3F.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA420.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA47B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA498.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA4C4.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA4E9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA5A4.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA5D5.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA611.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA7CA.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA8FE.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAA64.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAA77.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAAF2.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAB5E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccABF.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAC29.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAC48.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccACC.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccADB3.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccADC1.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAEA8.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAF25.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB07C.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB177.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB1B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB1B5.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB251.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB2DD.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB463.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB4C0.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB58B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB58C.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB5A.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB77F.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB7BF.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB82D.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB86B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB8D9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB919.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB962.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB963.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBA0E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBA7.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBAC9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBC6E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBC93.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBD88.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBDC6.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBDE5.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBF1E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC016.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC036.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC14E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC18D.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC1DB.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC22E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC2F3.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC519.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC52.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC525.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC63A.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC70A.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC81.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC8E4.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC94A.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCA66.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCA91.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCC03.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCC28.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCC66.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCD90.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCDEF.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCEB7.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCED5.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCF58.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCFFE.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD034.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD04E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD09A.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD0E9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD23F.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD25E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD2AF.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD348.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD34E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD4CE.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD56E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD656.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD688.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD6B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD6E5.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD700.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD721.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD7AB.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD8CA.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDA4A.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDA79.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDAC7.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDB15.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDB63.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDB92.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDBC1.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDD56.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDE21.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDE50.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDE6F.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDE7.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDE8.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDF1B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE072.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE081.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE12D.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE17B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE1D9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE265.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE2C3.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE38D.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE3BD.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE48B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE4A6.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE4C5.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE4E7.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE5A0.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE6A9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE70A.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE755.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEA32.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEC15.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccECB3.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccECE0.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccECF0.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccED8C.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccED9C.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEE97.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF04A.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF1B1.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF28E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF2C9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF2D9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF421.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF4EB.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF549.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF55B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF6CF.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF6D1.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF79F.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF7A9.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF876.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF8E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF9B0.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFAE4.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFC00.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFC3B.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFCB8.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFCF7.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFD64.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFE14.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFE8E.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFE9C.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFEBB.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFF28.tmp
    c:\users\Stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFFB5.tmp
    .
    .
  7. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    Here is Part 2
    :)



    ((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-30 19:52 . 2012-08-30 19:52 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C29532BA-86C8-419F-9E7C-75F124D4BE2F}\offreg.dll
    2012-08-30 19:50 . 2012-08-30 19:52 -------- d-----w- c:\users\Stephen\AppData\Local\temp
    2012-08-30 19:50 . 2012-08-30 19:50 -------- d-----w- c:\users\Louise\AppData\Local\temp
    2012-08-30 19:50 . 2012-08-30 19:50 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-08-28 22:58 . 2012-08-28 22:58 -------- d-----w- C:\FRST
    2012-08-23 18:10 . 2012-02-09 13:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-08-23 18:10 . 2012-02-09 13:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7843FA25-1145-4E7C-B7F6-CB13D9FF616F}\gapaengine.dll
    2012-08-23 18:09 . 2012-08-20 00:53 7023536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C29532BA-86C8-419F-9E7C-75F124D4BE2F}\mpengine.dll
    2012-08-23 18:05 . 2012-08-23 18:05 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-22 07:11 . 2012-08-22 07:11 -------- d-----w- c:\users\Stephen\AppData\Roaming\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-30 19:56 . 2012-08-30 19:56 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C29532BA-86C8-419F-9E7C-75F124D4BE2F}\MpKsl1f536c8e.sys
    2012-08-22 20:29 . 2011-06-13 20:19 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-07-30 22:03 . 2012-07-30 22:03 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-30 22:03 . 2011-09-14 20:58 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-11 19:03 . 2012-07-11 19:04 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-07-11 19:03 . 2010-11-25 18:08 472840 ----a-w- c:\windows\system32\deployJava1.dll
    2012-07-03 12:46 . 2011-06-13 20:19 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-29 08:44 . 2012-07-27 15:22 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DE28C6A4-C8D8-4374-89A8-DB0DEFF14869}\mpengine.dll
    2012-06-13 13:40 . 2012-07-12 18:53 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 16:47 . 2012-07-11 19:13 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:47 . 2012-07-11 19:13 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 15:26 . 2012-07-11 19:13 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:19 . 2012-06-21 16:11 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 16:11 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 16:10 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 16:10 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 16:11 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 16:11 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 16:10 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 14:19 . 2012-06-21 16:10 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:12 . 2012-06-21 16:10 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 08:33 . 2012-07-12 18:47 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 08:25 . 2012-07-12 18:47 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 08:25 . 2012-07-12 18:46 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-12 18:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-12 18:47 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 00:04 . 2012-07-11 19:13 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 00:03 . 2012-07-11 19:13 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2009-09-12 23:05 . 2009-09-12 23:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-12 23:06 . 2009-09-12 23:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-12 23:06 . 2009-09-12 23:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-12 23:06 . 2009-09-12 23:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-12 23:06 . 2009-09-12 23:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-12 23:07 . 2009-09-12 23:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-12 23:06 . 2009-09-12 23:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-12 23:06 . 2009-09-12 23:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-08-14 13:33 . 2009-08-14 13:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-12 23:06 . 2009-09-12 23:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2012-07-30 21:44 . 2012-02-05 17:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "Spotify Web Helper"="c:\users\Stephen\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-21 1193176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-12 103768]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
    "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-11 50688]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2011-2-23 323584]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2010-01-25 20:18 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - COMHOST
    *NewlyCreated* - MPKSL1F536C8E
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-06 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Louise.job
    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-12-28 04:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\kdvclxc0.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-BTHelena_McciTrayApp - c:\program files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe
    SafeBoot-Wdf01000.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-30 20:56
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\system32\STacSV.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Citrix\ICA Client\wfcrun32.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-30 21:02:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-30 20:02
    .
    Pre-Run: 26,646,130,688 bytes free
    Post-Run: 28,631,232,512 bytes free
    .
    - - End Of File - - 0E54A2E7C3A972DCDCA3D0186BA7E490
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Excellent work!

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

    Please download aswMBR from here

    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below

    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

    • Once the scan finishes click Save log to save the log to your Desktop
    • Copy and paste the contents of aswMBR.txt back here for review
  9. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    ADW Log

    :)


    # AdwCleaner v2.000 - Logfile created 08/31/2012 at 15:51:59
    # Updated 30/08/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : Stephen - LOUISE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Stephen\Desktop\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Found : C:\Users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\kdvclxc0.default\searchplugins\Askcom.xml

    ***** [Registry] *****

    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Found : HKU\S-1-5-21-2012126408-1028830987-2871542728-1001\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    -\\ Mozilla Firefox v14.0.1 (en-GB)

    Profile name : default
    File : C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\7ibzfbxj.default\prefs.js

    [OK] File is clean.

    Profile name : default
    File : C:\Users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\kdvclxc0.default\prefs.js

    Found : user_pref("browser.search.defaultengine", "Ask.com");
    Found : user_pref("browser.search.defaultenginename", "Ask.com");
    Found : user_pref("browser.search.order.1", "Ask.com");

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\Stephen\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [1546 octets] - [31/08/2012 15:51:59]

    ########## EOF - C:\AdwCleaner[R1].txt - [1606 octets] ##########
  10. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    ASWMBR Log

    :)

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-31 15:55:50
    -----------------------------
    15:55:50.642 OS Version: Windows 6.0.6002 Service Pack 2
    15:55:50.642 Number of processors: 2 586 0xF0D
    15:55:50.643 ComputerName: LOUISE-PC UserName: Stephen
    15:56:53.834 Initialize success
    15:57:14.978 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    15:57:14.982 Disk 0 Vendor: ST916082 3.CD Size: 152627MB BusType: 3
    15:57:15.005 Disk 0 MBR read successfully
    15:57:15.010 Disk 0 MBR scan
    15:57:15.014 Disk 0 Windows VISTA default MBR code
    15:57:15.018 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 94 MB offset 63
    15:57:15.035 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 194560
    15:57:15.055 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 139730 MB offset 21166080
    15:57:15.061 Disk 0 Partition - 00 0F Extended LBA 2560 MB offset 307335168
    15:57:15.105 Disk 0 Partition 4 00 DD MSDOS5.0 2559 MB offset 307337216
    15:57:15.114 Disk 0 scanning sectors +312578048
    15:57:15.171 Disk 0 scanning C:\Windows\system32\drivers
    15:57:34.974 Service scanning
    15:57:43.609 Service MpKslf9284276 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C29532BA-86C8-419F-9E7C-75F124D4BE2F}\MpKslf9284276.sys **LOCKED** 32
    15:57:55.337 Modules scanning
    15:58:05.640 Disk 0 trace - called modules:
    15:58:05.663 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    15:58:05.669 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x859522c0]
    15:58:05.674 3 CLASSPNP.SYS[883a68b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84e04030]
    15:58:05.680 Scan finished successfully
    15:58:39.604 Disk 0 MBR has been saved successfully to "C:\Users\Stephen\Desktop\MBR.dat"
    15:58:39.617 The log file has been saved successfully to "C:\Users\Stephen\Desktop\aswMBR.txt"
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Remove the Adware:
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
      1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
      2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
     
  12. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    Contents of the ADW cleaner text file

    :)

    # AdwCleaner v2.000 - Logfile created 09/01/2012 at 20:42:31
    # Updated 30/08/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : Stephen - LOUISE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Stephen\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\kdvclxc0.default\searchplugins\Askcom.xml

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v14.0.1 (en-GB)

    Profile name : default
    File : C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\7ibzfbxj.default\prefs.js

    C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\7ibzfbxj.default\user.js ... Deleted !

    [OK] File is clean.

    Profile name : default
    File : C:\Users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\kdvclxc0.default\prefs.js

    Deleted : user_pref("browser.search.defaultengine", "Ask.com");
    Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
    Deleted : user_pref("browser.search.order.1", "Ask.com");

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\Stephen\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [1675 octets] - [31/08/2012 15:51:59]
    AdwCleaner[S1].txt - [1981 octets] - [01/09/2012 20:42:31]

    ########## EOF - C:\AdwCleaner[S1].txt - [2041 octets] ##########
  13. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    I have run the ESET scan and it found a couple of threats but before the scan completed Windows shut down and restarted. I tried a second time, this time no threats were found but this time system closed and didn't restart.

    Both occurred after a couple of hours scanning!
    :(
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  15. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    Hi

    The security Essentials icon is saying potentially unprotected
    My Norton is out of date but I keep getting update reminders, I would like to delete and replace with something else
    Constant Java update popups

    PC doesn't appear to be running slow

    :)
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I will give some recommendations after the following...

    Completely Uninstall Norton software using:

    Instructions
    1. Please download and save SymNRT.exe to your desktop.
    2. Close all programs and double click on the tool.
    3. Follow the on-screen instructions.
    4. Restart the computer if asked.
    5. Then delete the SymNRT.exe tool from your desktop.
    6. Open the Program Files folder on your local disk ( normally C: )
    7. Find and delete the following folders (if present):
      • Norton AntiVirus
      • Norton Internet Security
      • Norton SystemWorks
      • Norton Personal Firewall

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  17. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    Firstly thanks for your continued help, I intend to follow your above instructions but my wife gave birth to my son 2 days ago and when I am functioning normally I will post all required text etc.....
    Thanks again
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Let me know...congrats to you guys!

    Topic marked inactive.
  19. PoorlyPC

    PoorlyPC TS Rookie Topic Starter

    Here is the requested text from the security check

    :)




    Results of screen317's Security Check version 0.99.50
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.62.0.1300
    CCleaner
    Java(TM) 6 Update 33
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 10.3.183.7 Flash Player out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (15.0)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1 %
    ````````````````````End of Log``````````````````````
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems

    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

    Any other questions before I mark this topic solved?

