Funmoods and redirect troubles

Solved
By Mister Ed
Nov 8, 2012
  1. Somehow I have picked up Funmoods and cannot get rid of it. I uninstalled it ... but it is still there and will not let me change my primary search provider. Also started to see some redirect issues in Internet Explorer.

    Here is the MalwareBytes log (it was a full scan, I had completed it prior to realizing I needed to come to this site for help):
    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.11.07.05
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Ed :: ED-NXAIBJWWPXN5 [administrator]
    11/7/2012 8:20:38 PM
    mbam-log-2012-11-07 (20-20-38).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 288255
    Time elapsed: 5 hour(s), 9 minute(s), 32 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 12
    HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
    Registry Values Detected: 1
    HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: af47eb11d2c194b396ff726a469ec377 -> Quarantined and deleted successfully.
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 15
    C:\Documents and Settings\Ed\My Documents\Downloads\JDast_installer.exe (Trojan.AVKill) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033402.exe (Trojan.AVKill) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033426.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033427.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033428.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033429.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033432.exe (PUP.FunMoods) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP299\A0033486.exe (Trojan.AVKill) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\is263093\escort.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\is263093\escortApp.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\is263093\escortEng.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\is263093\escorTlbr.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\is263093\funmoodssrv.exe (PUP.FunMoods) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Ed\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Ed\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
    (end)
    GMER Log:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-11-08 20:23:13
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-75DEA0 rev.05.03E05
    Running: rr94c86h.exe; Driver: C:\WINDOWS\TEMP\awaiyuoc.sys

    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    Device \Driver\Tcpip \Device\Ip GDTdiIcpt.sys (G Data Software AG)
    Device \Driver\Tcpip \Device\Tcp GDTdiIcpt.sys (G Data Software AG)
    Device \Driver\Tcpip \Device\Udp GDTdiIcpt.sys (G Data Software AG)
    Device \Driver\Tcpip \Device\RawIp GDTdiIcpt.sys (G Data Software AG)
    ---- EOF - GMER 1.0.15 ----

    DDS Logs:

    DDS (Ver_2012-11-07.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Ed at 20:26:30 on 2012-11-08
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.469 [GMT -5:00]
    .
    AV: G Data TotalSecurity 2012 *Enabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
    FW: G Data Personal Firewall *Enabled*
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Secunia\PSI\psi_tray.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://www.google.com/
    mStart Page = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0CtDtA0FtD0EyEtC0D0B0F0Ezy0B0BzytN0D0Tzu0CtAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871
    uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
    BHO: G Data WebFilter: {0124123D-61B4-456f-AF86-78C53A0790C5} - c:\program files\g data\totalsecurity\webfilter\AvkWebIE.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
    BHO: G Data BankGuard: {BA3295CF-17ED-4F49-9E95-D999A0ADBFDC} - c:\program files\common files\g data\avkproxy\BanksafeBHO.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: G Data WebFilter: {0124123D-61B4-456f-AF86-78C53A0790C5} - c:\program files\g data\totalsecurity\webfilter\AvkWebIE.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [G Data AntiVirus Tray Application] c:\program files\g data\totalsecurity\avktray\AVKTray.exe
    mRun: [GDFirewallTray] c:\program files\g data\totalsecurity\firewall\GDFirewallTray.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{5A0DE531-0B77-487D-B443-F8C892D9FD93} : DHCPNameServer = 192.168.1.1
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2012-2-11 40440]
    R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2012-2-11 30200]
    R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2012-2-11 79992]
    R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2012-2-12 69112]
    R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2012-2-11 40568]
    R2 AVKProxy;G Data AntiVirus Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2011-5-3 1499656]
    R2 AVKService;G Data Scheduler;c:\program files\g data\totalsecurity\avk\AVKService.exe [2011-5-3 409608]
    R2 AVKWCtl;G Data Filesystem Monitor;c:\program files\g data\totalsecurity\avk\AVKWCtl.exe [2011-5-3 1554184]
    R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2012-2-11 52216]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-7 399432]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
    R3 GDFwSvc;G Data Personal Firewall;c:\program files\g data\totalsecurity\firewall\GDFwSvc.exe [2011-5-3 1613424]
    R3 GDScan;G Data Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2011-5-3 457536]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-11-7 22856]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-11-7 676936]
    S3 GDBackupSvc;G Data Backup Service;c:\program files\g data\totalsecurity\avkbackup\AVKBackupService.exe [2011-5-3 1498616]
    S3 GDTunerSvc;G Data Tuner Service;c:\program files\g data\totalsecurity\avktuner\AVKTunerService.exe [2011-5-3 960504]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-2-4 16968]
    S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-11-08 18:03:37 -------- d-----w- c:\program files\MSXML 4.0
    2012-11-08 18:01:30 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-11-08 17:31:09 -------- d-----w- c:\program files\Microsoft Download Manager
    2012-11-07 16:42:34 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-07 02:41:14 -------- d-----w- c:\documents and settings\ed\application data\Funmoods
    2012-11-07 02:20:41 -------- d-----w- c:\documents and settings\ed\application data\jdnetmon
    2012-11-07 01:53:58 -------- d-----w- c:\documents and settings\ed\application data\jdast
    2012-11-07 01:53:57 -------- d-----w- c:\program files\JDAST
    2012-11-07 01:52:02 -------- d-----w- c:\documents and settings\ed\local settings\application data\Wajam
    2012-10-21 15:40:28 -------- d-----w- c:\program files\common files\Symantec Shared
    2012-10-21 15:40:04 -------- d-----w- c:\documents and settings\all users\application data\Norton
    2012-10-21 15:39:57 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
    2012-10-10 03:05:04 -------- d-----w- C:\128908204b16f6cc63734c
    .
    ==================== Find3M ====================
    .
    2012-11-08 18:00:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-11-08 18:00:58 473072 -c--a-w- c:\windows\system32\deployJava1.dll
    2012-11-08 06:48:15 858424 -c--a-w- c:\windows\system32\sig.bin
    2012-10-09 17:00:21 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-09 17:00:21 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
    2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-21 17:01:22 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-08-21 17:01:22 106928 ----a-w- c:\windows\system32\GEARAspi.dll
    2012-08-21 13:29:19 2192896 -c--a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58:06 2069632 -c--a-w- c:\windows\system32\ntkrnlpa.exe
    .
    ============= FINISH: 20:27:26.09 ===============
    And:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-07.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/20/2009 8:51:45 PM
    System Uptime: 11/8/2012 12:16:24 PM (8 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 02Y832
    Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2660/533mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 17.015 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 VE Network Connection
    Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01551028&REV_02\4&1C660DD6&0&40F0
    Manufacturer: Intel
    Name: Intel(R) PRO/100 VE Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01551028&REV_02\4&1C660DD6&0&40F0
    Service: E100B
    .
    ==== System Restore Points ===================
    .
    RP281: 10/19/2012 6:25:49 AM - System Checkpoint
    RP282: 10/20/2012 6:49:35 AM - System Checkpoint
    RP283: 10/21/2012 7:38:44 AM - System Checkpoint
    RP284: 10/22/2012 7:56:36 AM - System Checkpoint
    RP285: 10/23/2012 8:14:43 AM - System Checkpoint
    RP286: 10/24/2012 9:42:22 AM - System Checkpoint
    RP287: 10/25/2012 10:40:31 AM - System Checkpoint
    RP288: 10/26/2012 11:52:13 AM - System Checkpoint
    RP289: 10/27/2012 12:08:55 PM - System Checkpoint
    RP290: 10/28/2012 12:17:37 PM - System Checkpoint
    RP291: 10/29/2012 12:49:49 PM - System Checkpoint
    RP292: 10/30/2012 1:49:19 PM - System Checkpoint
    RP293: 10/31/2012 2:44:09 PM - System Checkpoint
    RP294: 11/1/2012 5:53:22 PM - System Checkpoint
    RP295: 11/2/2012 6:01:31 PM - System Checkpoint
    RP296: 11/3/2012 6:08:02 PM - System Checkpoint
    RP297: 11/4/2012 6:20:18 PM - System Checkpoint
    RP298: 11/5/2012 6:25:17 PM - System Checkpoint
    RP299: 11/6/2012 10:47:09 PM - System Checkpoint
    RP300: 11/8/2012 3:00:20 AM - Software Distribution Service 3.0
    RP301: 11/8/2012 12:31:07 PM - Installed Microsoft Download Manager
    RP302: 11/8/2012 1:03:35 PM - Installed MSXML 4.0 SP3 Parser
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.4)
    Adobe Shockwave Player 11.6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    AVG 2012
    Bonjour
    Canon Camera Access Library
    CANON iMAGE GATEWAY MyCamera Download Plugin
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Utilities CameraWindow DC 8
    Canon Utilities CameraWindow Launcher
    Canon Utilities Digital Photo Professional 3.10
    Canon Utilities EOS Utility
    Canon Utilities Movie Uploader for YouTube
    Canon Utilities MyCamera
    Canon Utilities ZoomBrowser EX
    CCleaner
    Compatibility Pack for the 2007 Office system
    Dell Picture Studio - Dell Image Expert
    G Data TotalSecurity 2012
    Google Earth Plug-in
    Google SketchUp 8
    Google Toolbar for Internet Explorer
    Google Update Helper
    H&R Block Deluxe + Efile + State 2010
    H&R Block Deluxe + Efile + State 2011
    H&R Block Michigan 2010
    H&R Block Michigan 2011
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2756822)
    Hotfix for Windows XP (KB954550-v5)
    ieSpell
    Intel(R) PRO Network Adapters and Drivers
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 37
    JDs Auto Speed Tester
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft ASP.NET Web Pages
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Download Manager
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Basic Edition 2003
    Microsoft Office File Validation Add-In
    Microsoft Silverlight
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server System CLR Types
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP3 Parser
    NVIDIA Windows 2000/XP Display Drivers
    Primo
    QuickTime
    Registry Mechanic 10.0
    Runtime
    Secunia PSI (2.0.0.4003)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB2744842)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2724197)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB923789)
    Sony Picture Utility
    SoundMAX
    swMSM
    Uniblue SpeedUpMyPC
    Uniblue SystemTweaker
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2736233)
    Update for Windows XP (KB2749655)
    Update for Windows XP (KB951978)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/8/2012 12:13:16 PM, error: Service Control Manager [7034] - The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).
    11/8/2012 1:21:28 PM, error: Service Control Manager [7031] - The G Data AntiVirus Proxy service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/5/2012 5:21:42 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The authentication service is unknown.
    11/5/2012 3:40:15 PM, error: Service Control Manager [7034] - The Secunia Update Agent service terminated unexpectedly. It has done this 1 time(s).
    11/5/2012 3:40:15 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    11/5/2012 3:40:14 PM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
    11/5/2012 3:40:13 PM, error: Service Control Manager [7034] - The Secunia PSI Agent service terminated unexpectedly. It has done this 1 time(s).
    11/5/2012 3:40:13 PM, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
    11/5/2012 3:40:13 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    11/5/2012 3:40:13 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    11/5/2012 3:40:10 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================
  2. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure; click on Continue.
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    =====================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    ===================================

    Download aswMBR to your desktop.
    • Double-click the aswMBR.exe to run it.
    • If you see this question: "Would you like to download the latest Avast! virus definitions?" say "Yes".
    • Click the "Scan" button to start the scan.
    • On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
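The TDSSKiller report requested above is long, and most of its lines are service/driver pairs: a line carrying the MD5 and image path, followed by a verdict line. The parser below is an added example for reading such a report offline; it is not part of this thread and not code from TDSSKiller, RogueKiller or aswMBR. It assumes the 2.8.x line layout visible in the logs posted here ("<time> <pid> [ <MD5> ] <name> <path>" then "<time> <pid> <name> - ok"), and it assumes that a non-ok verdict is written as "<name> ( <detection> ) - <verdict>"; the sample lines are constructed, and the "examplesvc" entry with its detection name is invented purely to exercise the non-ok path.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller 2.8 log layout. The first five entries
# mirror real lines from the thread; "examplesvc" and its detection name are
# invented placeholders so the parser's non-ok path has something to find.
SAMPLE_LOG = r"""
11:15:16.0953 3104 ================ Scan services =============================
11:15:18.0187 3104 [ F82AB4A2A26E172B929D27D60B637973 ] 3c1807pd C:\WINDOWS\system32\DRIVERS\3c1807pd.sys
11:15:18.0250 3104 3c1807pd - ok
11:15:18.0265 3104 Abiosdsk - ok
11:15:19.0625 3104 [ A5299D04ED225D64CF07A568A3E1BF8C ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
11:15:19.0625 3104 Apple Mobile Device - ok
11:15:27.0875 3104 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
11:15:27.0953 3104 Eventlog - ok
11:15:43.0796 3104 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
11:15:43.0812 3104 PlugPlay - ok
11:15:50.0000 3104 [ 00000000000000000000000000000000 ] examplesvc C:\WINDOWS\system32\drivers\examplesvc.sys
11:15:50.0010 3104 examplesvc ( ConstructedDetection.Generic ) - warning
"""

# File line: "<time> <pid> [ <32 hex MD5> ] <service name> <drive>:\<path>".
# Service names may contain spaces, so the name is matched lazily up to the
# first token that looks like a drive-letter path.
FILE_RE = re.compile(r"^\S+ \d+ \[ ([0-9A-Fa-f]{32}) \] (.+?) ([A-Za-z]:\\.*)$")
# Verdict line: "<time> <pid> <service name>[ ( <detection> )] - <verdict>".
VERDICT_RE = re.compile(r"^\S+ \d+ (.+?)(?: \( (.+?) \))? - (\w+)$")


@dataclass
class Entry:
    name: str
    verdict: str                     # "ok" or whatever the tool wrote after " - "
    md5: Optional[str] = None        # None when no image line preceded the verdict
    path: Optional[str] = None
    detection: Optional[str] = None  # text inside "( ... )" on a non-ok line


def parse_tdsskiller_log(text: str) -> List[Entry]:
    """Pair each verdict line with the image line (MD5 + path) that precedes it."""
    entries: List[Entry] = []
    pending = None  # (md5, name, path) from the most recent image line
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            pending = (m.group(1).upper(), m.group(2), m.group(3))
            continue
        m = VERDICT_RE.match(line)
        if not m:
            continue  # banners, "Scan started", drive geometry, etc.
        name, detection, verdict = m.group(1), m.group(2), m.group(3)
        entry = Entry(name=name, verdict=verdict, detection=detection)
        # Only attach the hash if the image line named the same service; an
        # entry like "Abiosdsk - ok" has no image line and keeps md5/path None.
        if pending and pending[1] == name:
            entry.md5, entry.path = pending[0], pending[2]
        entries.append(entry)
        pending = None
    return entries


def needs_attention(entries: List[Entry]) -> List[Entry]:
    """Everything the tool did not mark 'ok' (warning, detected, ...)."""
    return [e for e in entries if e.verdict.lower() != "ok"]


def group_by_hash(entries: List[Entry]) -> Dict[str, List[str]]:
    """Index service names by image MD5. One binary legitimately backs several
    services (services.exe for Eventlog and PlugPlay, lsass.exe for SamSs and
    PolicyAgent), so checking each hash once against a known-good list is
    cheaper than checking every service line."""
    index: Dict[str, List[str]] = {}
    for e in entries:
        if e.md5:
            index.setdefault(e.md5, []).append(e.name)
    return index


if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(parsed)} service entries, {len(group_by_hash(parsed))} distinct images")
    for e in needs_attention(parsed):
        print(f"ATTENTION: {e.name} -> {e.verdict} ({e.detection}) {e.path} md5={e.md5}")
    for e in parsed:
        if e.md5 is None:
            print(f"no image hashed for: {e.name}")
```

Point it at a saved TDSSKiller_xxxx_log.txt instead of SAMPLE_LOG and the "ATTENTION" lines give you the short list worth reading, while the hash index is what you would compare against vendor or known-good MD5 lists rather than eyeballing several hundred lines.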
  3. Mister Ed

    TDS Log:
    11:15:08.0625 4080 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
    11:15:10.0625 4080 ============================================================
    11:15:10.0625 4080 Current date / time: 2012/11/09 11:15:10.0625
    11:15:10.0625 4080 SystemInfo:
    11:15:10.0625 4080
    11:15:10.0625 4080 OS Version: 5.1.2600 ServicePack: 3.0
    11:15:10.0625 4080 Product type: Workstation
    11:15:10.0625 4080 ComputerName: ED-NXAIBJWWPXN5
    11:15:10.0625 4080 UserName: Ed
    11:15:10.0625 4080 Windows directory: C:\WINDOWS
    11:15:10.0625 4080 System windows directory: C:\WINDOWS
    11:15:10.0625 4080 Processor architecture: Intel x86
    11:15:10.0625 4080 Number of processors: 1
    11:15:10.0625 4080 Page size: 0x1000
    11:15:10.0625 4080 Boot type: Normal boot
    11:15:10.0625 4080 ============================================================
    11:15:12.0937 4080 Drive \Device\Harddisk0\DR0 - Size: 0x9502F9000 (37.25 Gb), SectorSize: 0x200, Cylinders: 0x12FF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    11:15:12.0968 4080 ============================================================
    11:15:12.0968 4080 \Device\Harddisk0\DR0:
    11:15:12.0968 4080 MBR partitions:
    11:15:12.0968 4080 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x4A69BB9
    11:15:12.0968 4080 ============================================================
    11:15:13.0046 4080 C: <-> \Device\Harddisk0\DR0\Partition1
    11:15:13.0046 4080 ============================================================
    11:15:13.0046 4080 Initialize success
    11:15:13.0046 4080 ============================================================
    11:15:15.0109 3104 ============================================================
    11:15:15.0109 3104 Scan started
    11:15:15.0109 3104 Mode: Manual;
    11:15:15.0109 3104 ============================================================
    11:15:16.0937 3104 ================ Scan system memory ========================
    11:15:16.0937 3104 System memory - ok
    11:15:16.0953 3104 ================ Scan services =============================
    11:15:18.0187 3104 [ F82AB4A2A26E172B929D27D60B637973 ] 3c1807pd C:\WINDOWS\system32\DRIVERS\3c1807pd.sys
    11:15:18.0250 3104 3c1807pd - ok
    11:15:18.0265 3104 Abiosdsk - ok
    11:15:18.0265 3104 abp480n5 - ok
    11:15:18.0343 3104 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
    11:15:18.0421 3104 ACPI - ok
    11:15:18.0500 3104 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
    11:15:18.0500 3104 ACPIEC - ok
    11:15:18.0687 3104 [ 44C00A385CA9DBC1D5CF3781F8C26AEA ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    11:15:18.0765 3104 AdobeFlashPlayerUpdateSvc - ok
    11:15:18.0781 3104 adpu160m - ok
    11:15:18.0875 3104 [ 11C04B17ED2ABBB4833694BCD644AC90 ] aeaudio C:\WINDOWS\system32\drivers\aeaudio.sys
    11:15:18.0875 3104 aeaudio - ok
    11:15:18.0906 3104 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
    11:15:18.0937 3104 aec - ok
    11:15:19.0000 3104 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
    11:15:19.0062 3104 AFD - ok
    11:15:19.0078 3104 AFGMp50 - ok
    11:15:19.0093 3104 AFGSp50 - ok
    11:15:19.0171 3104 [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
    11:15:19.0171 3104 agp440 - ok
    11:15:19.0187 3104 Aha154x - ok
    11:15:19.0203 3104 aic78u2 - ok
    11:15:19.0203 3104 aic78xx - ok
    11:15:19.0281 3104 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
    11:15:19.0281 3104 ALG - ok
    11:15:19.0296 3104 AliIde - ok
    11:15:19.0312 3104 amsint - ok
    11:15:19.0625 3104 [ A5299D04ED225D64CF07A568A3E1BF8C ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    11:15:19.0625 3104 Apple Mobile Device - ok
    11:15:19.0640 3104 AppMgmt - ok
    11:15:19.0640 3104 asc - ok
    11:15:19.0656 3104 asc3350p - ok
    11:15:19.0671 3104 asc3550 - ok
    11:15:19.0953 3104 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    11:15:19.0953 3104 aspnet_state - ok
    11:15:20.0015 3104 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    11:15:20.0062 3104 AsyncMac - ok
    11:15:20.0109 3104 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
    11:15:20.0109 3104 atapi - ok
    11:15:20.0125 3104 Atdisk - ok
    11:15:20.0171 3104 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    11:15:20.0171 3104 Atmarpc - ok
    11:15:20.0296 3104 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
    11:15:20.0296 3104 AudioSrv - ok
    11:15:20.0359 3104 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
    11:15:20.0359 3104 audstub - ok
    11:15:20.0796 3104 [ B1CE458A6F330FA4369D1B3A65169C0C ] AVKProxy C:\Program Files\Common Files\G Data\AVKProxy\AVKProxy.exe
    11:15:21.0140 3104 AVKProxy - ok
    11:15:21.0437 3104 [ BA79FA9DB53879C2A05A181C3F40C76D ] AVKService C:\Program Files\G Data\TotalSecurity\AVK\AVKService.exe
    11:15:21.0515 3104 AVKService - ok
    11:15:21.0937 3104 [ AACB33AD6E29704BBA20BCAF55E5AB76 ] AVKWCtl C:\Program Files\G Data\TotalSecurity\AVK\AVKWCtl.exe
    11:15:22.0265 3104 AVKWCtl - ok
    11:15:22.0375 3104 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
    11:15:22.0375 3104 Beep - ok
    11:15:22.0625 3104 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
    11:15:22.0656 3104 BITS - ok
    11:15:23.0015 3104 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
    11:15:23.0093 3104 Bonjour Service - ok
    11:15:23.0234 3104 [ 248DFA5762DDE38DFDDBBD44149E9D7A ] BVRPMPR5 C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
    11:15:23.0265 3104 BVRPMPR5 - ok
    11:15:23.0406 3104 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
    11:15:23.0437 3104 cbidf2k - ok
    11:15:23.0625 3104 [ 359E5A91D26D0439933BEF1C29CEDEF7 ] CCALib8 C:\Program Files\Canon\CAL\CALMAIN.exe
    11:15:23.0640 3104 CCALib8 - ok
    11:15:23.0640 3104 cd20xrnt - ok
    11:15:23.0750 3104 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
    11:15:23.0765 3104 Cdaudio - ok
    11:15:23.0812 3104 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
    11:15:23.0812 3104 Cdfs - ok
    11:15:23.0890 3104 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
    11:15:23.0906 3104 Cdrom - ok
    11:15:23.0906 3104 Changer - ok
    11:15:24.0015 3104 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
    11:15:24.0046 3104 CiSvc - ok
    11:15:24.0093 3104 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
    11:15:24.0125 3104 ClipSrv - ok
    11:15:24.0203 3104 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    11:15:24.0484 3104 clr_optimization_v2.0.50727_32 - ok
    11:15:24.0640 3104 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    11:15:24.0953 3104 clr_optimization_v4.0.30319_32 - ok
    11:15:24.0953 3104 CmdIde - ok
    11:15:24.0968 3104 COMSysApp - ok
    11:15:25.0000 3104 Cpqarray - ok
    11:15:25.0125 3104 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
    11:15:25.0125 3104 CryptSvc - ok
    11:15:25.0125 3104 dac2w2k - ok
    11:15:25.0156 3104 dac960nt - ok
    11:15:25.0312 3104 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
    11:15:25.0390 3104 DcomLaunch - ok
    11:15:25.0515 3104 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
    11:15:25.0531 3104 Dhcp - ok
    11:15:25.0593 3104 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
    11:15:25.0593 3104 Disk - ok
    11:15:25.0609 3104 dmadmin - ok
    11:15:25.0921 3104 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
    11:15:26.0000 3104 dmboot - ok
    11:15:26.0109 3104 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
    11:15:26.0140 3104 dmio - ok
    11:15:26.0281 3104 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
    11:15:26.0312 3104 dmload - ok
    11:15:26.0468 3104 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
    11:15:26.0500 3104 dmserver - ok
    11:15:26.0562 3104 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
    11:15:26.0593 3104 DMusic - ok
    11:15:26.0687 3104 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
    11:15:26.0687 3104 Dnscache - ok
    11:15:26.0921 3104 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
    11:15:26.0984 3104 Dot3svc - ok
    11:15:27.0000 3104 dpti2o - ok
    11:15:27.0156 3104 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
    11:15:27.0187 3104 drmkaud - ok
    11:15:27.0343 3104 [ 98B46B331404A951CABAD8B4877E1276 ] E100B C:\WINDOWS\system32\DRIVERS\e100b325.sys
    11:15:27.0359 3104 E100B - ok
    11:15:27.0500 3104 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
    11:15:27.0531 3104 EapHost - ok
    11:15:27.0734 3104 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
    11:15:27.0750 3104 ERSvc - ok
    11:15:27.0875 3104 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
    11:15:27.0953 3104 Eventlog - ok
    11:15:28.0046 3104 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\System32\es.dll
    11:15:28.0093 3104 EventSystem - ok
    11:15:28.0218 3104 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
    11:15:28.0234 3104 Fastfat - ok
    11:15:28.0359 3104 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
    11:15:28.0375 3104 FastUserSwitchingCompatibility - ok
    11:15:28.0437 3104 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
    11:15:28.0437 3104 Fdc - ok
    11:15:28.0468 3104 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
    11:15:28.0484 3104 Fips - ok
    11:15:28.0546 3104 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    11:15:28.0546 3104 Flpydisk - ok
    11:15:28.0656 3104 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
    11:15:28.0671 3104 FltMgr - ok
    11:15:29.0078 3104 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    11:15:29.0250 3104 FontCache3.0.0.0 - ok
    11:15:29.0296 3104 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
    11:15:29.0312 3104 Fs_Rec - ok
    11:15:29.0343 3104 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    11:15:29.0343 3104 Ftdisk - ok
    11:15:30.0906 3104 [ BE8D41CDF5DEC88C55C8B559AD6C9F4A ] GDBackupSvc C:\Program Files\G Data\TotalSecurity\AVKBackup\AVKBackupService.exe
    11:15:32.0093 3104 GDBackupSvc - ok
    11:15:32.0203 3104 [ 1B519753DA1E7E51F37001E23F1BB045 ] GDBehave C:\WINDOWS\system32\drivers\GDBehave.sys
    11:15:32.0203 3104 GDBehave - ok
    11:15:32.0968 3104 [ 05787ED926CD5CD2FDAC57F9ADC22DEC ] GDFwSvc C:\Program Files\G Data\TotalSecurity\Firewall\GDFwSvc.exe
    11:15:33.0250 3104 GDFwSvc - ok
    11:15:33.0359 3104 [ CD58774324A78BBA15B89C35BED81593 ] GDMnIcpt C:\WINDOWS\system32\drivers\MiniIcpt.sys
    11:15:33.0375 3104 GDMnIcpt - ok
    11:15:33.0453 3104 [ 4E7F16B1698772D4B57B989E569C14DB ] GDNdisIc C:\WINDOWS\system32\drivers\GDNdisIc.sys
    11:15:33.0453 3104 GDNdisIc - ok
    11:15:33.0609 3104 [ 7641143D7CAE05AE5E07AA517A09FAD3 ] GDScan C:\Program Files\Common Files\G Data\GDScan\GDScan.exe
    11:15:33.0656 3104 GDScan - ok
    11:15:33.0828 3104 [ 564777071576CE55B9204A02EC8FD645 ] GDTdiInterceptor C:\WINDOWS\system32\drivers\GDTdiIcpt.sys
    11:15:33.0843 3104 GDTdiInterceptor - ok
    11:15:34.0187 3104 [ 7EC5CEEFED97F1AB48A48C1DF1D0AF7F ] GDTunerSvc C:\Program Files\G Data\TotalSecurity\AVKTuner\AVKTunerService.exe
    11:15:34.0437 3104 GDTunerSvc - ok
    11:15:34.0546 3104 [ 185ADA973B5020655CEE342059A86CBB ] GEARAspiWDM C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    11:15:34.0562 3104 GEARAspiWDM - ok
    11:15:34.0625 3104 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
    11:15:34.0625 3104 Gpc - ok
    11:15:34.0703 3104 [ 7706FF2240FB112AF8C2A02558E2A1CD ] GRD C:\WINDOWS\system32\drivers\GRD.sys
    11:15:34.0703 3104 GRD - ok
    11:15:34.0812 3104 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
    11:15:34.0828 3104 gupdate - ok
    11:15:34.0859 3104 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
    11:15:34.0859 3104 gupdatem - ok
    11:15:34.0968 3104 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    11:15:34.0968 3104 gusvc - ok
    11:15:35.0109 3104 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
    11:15:35.0125 3104 helpsvc - ok
    11:15:35.0125 3104 HidServ - ok
    11:15:35.0203 3104 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
    11:15:35.0218 3104 hidusb - ok
    11:15:35.0281 3104 [ 30B90793A568281BEF70FA57DDE305A2 ] hitmanpro35 C:\WINDOWS\system32\drivers\hitmanpro35.sys
    11:15:35.0281 3104 hitmanpro35 - ok
    11:15:35.0328 3104 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
    11:15:35.0328 3104 hkmsvc - ok
    11:15:35.0453 3104 [ F60C377C72BB24F5212FF994420F511F ] HookCentre C:\WINDOWS\system32\drivers\HookCentre.sys
    11:15:35.0468 3104 HookCentre - ok
    11:15:35.0484 3104 hpn - ok
    11:15:35.0578 3104 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
    11:15:35.0609 3104 HTTP - ok
    11:15:35.0703 3104 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
    11:15:35.0718 3104 HTTPFilter - ok
    11:15:35.0734 3104 i2omgmt - ok
    11:15:35.0750 3104 i2omp - ok
    11:15:35.0765 3104 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    11:15:35.0781 3104 i8042prt - ok
    11:15:36.0218 3104 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    11:15:36.0484 3104 idsvc - ok
    11:15:36.0500 3104 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
    11:15:36.0515 3104 Imapi - ok
    11:15:36.0687 3104 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
    11:15:36.0703 3104 ImapiService - ok
    11:15:36.0718 3104 ini910u - ok
    11:15:36.0734 3104 IntelIde - ok
    11:15:36.0812 3104 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
    11:15:36.0828 3104 intelppm - ok
    11:15:36.0843 3104 [ 3BB22519A194418D5FEC05D800A19AD0 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys
    11:15:36.0843 3104 ip6fw - ok
    11:15:36.0937 3104 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    11:15:36.0968 3104 IpFilterDriver - ok
    11:15:37.0046 3104 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
    11:15:37.0062 3104 IpInIp - ok
    11:15:37.0078 3104 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
    11:15:37.0093 3104 IpNat - ok
    11:15:37.0500 3104 [ BC0EA61246F8D940FBC5F652D337D6BD ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
    11:15:37.0921 3104 iPod Service - ok
    11:15:37.0984 3104 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
    11:15:38.0031 3104 IPSec - ok
    11:15:38.0046 3104 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
    11:15:38.0078 3104 IRENUM - ok
    11:15:38.0203 3104 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
    11:15:38.0218 3104 isapnp - ok
    11:15:38.0609 3104 [ 691B9B7C0CC1653732717D292D6B305D ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
    11:15:38.0640 3104 JavaQuickStarterService - ok
    11:15:38.0687 3104 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    11:15:38.0734 3104 Kbdclass - ok
    11:15:38.0796 3104 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
    11:15:38.0859 3104 kmixer - ok
    11:15:39.0000 3104 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
    11:15:39.0000 3104 KSecDD - ok
    11:15:39.0031 3104 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
    11:15:39.0046 3104 lanmanserver - ok
    11:15:39.0062 3104 lbrtfdc - ok
    11:15:39.0203 3104 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
    11:15:39.0250 3104 LmHosts - ok
    11:15:39.0390 3104 [ 500D089CE760D83DA2B6CBA681AA9949 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys
    11:15:39.0390 3104 MBAMProtector - ok
    11:15:39.0703 3104 [ 85B16A92B117A5A800032ECD904B86DB ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    11:15:39.0734 3104 MBAMScheduler - ok
    11:15:40.0078 3104 [ 20E2469DB709FC675E655CEAA11BE312 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    11:15:40.0203 3104 MBAMService - ok
    11:15:40.0265 3104 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
    11:15:40.0296 3104 mnmdd - ok
    11:15:40.0421 3104 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe
    11:15:40.0453 3104 mnmsrvc - ok
    11:15:40.0593 3104 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
    11:15:40.0625 3104 Modem - ok
    11:15:40.0718 3104 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
    11:15:40.0750 3104 Mouclass - ok
    11:15:40.0843 3104 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
    11:15:40.0859 3104 mouhid - ok
    11:15:40.0937 3104 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
    11:15:40.0937 3104 MountMgr - ok
    11:15:40.0937 3104 mraid35x - ok
    11:15:41.0187 3104 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    11:15:41.0218 3104 MRxDAV - ok
    11:15:41.0343 3104 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\System32\msdtc.exe
    11:15:41.0343 3104 MSDTC - ok
    11:15:41.0406 3104 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
    11:15:41.0421 3104 Msfs - ok
    11:15:41.0421 3104 MSIServer - ok
    11:15:41.0484 3104 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
    11:15:41.0531 3104 MSKSSRV - ok
    11:15:41.0593 3104 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    11:15:41.0609 3104 MSPCLOCK - ok
    11:15:41.0687 3104 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
    11:15:41.0687 3104 MSPQM - ok
    11:15:41.0734 3104 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    11:15:41.0734 3104 mssmbios - ok
    11:15:41.0812 3104 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
    11:15:41.0812 3104 Mup - ok
    11:15:41.0968 3104 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
    11:15:41.0984 3104 napagent - ok
    11:15:42.0171 3104 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
    11:15:42.0187 3104 NDIS - ok
    11:15:42.0265 3104 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    11:15:42.0265 3104 NdisTapi - ok
    11:15:42.0281 3104 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    11:15:42.0281 3104 Ndisuio - ok
    11:15:42.0359 3104 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    11:15:42.0359 3104 NdisWan - ok
    11:15:42.0437 3104 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
    11:15:42.0453 3104 NDProxy - ok
    11:15:42.0468 3104 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
    11:15:42.0468 3104 NetBT - ok
    11:15:42.0531 3104 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
    11:15:42.0531 3104 NetDDE - ok
    11:15:42.0546 3104 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
    11:15:42.0546 3104 NetDDEdsdm - ok
    11:15:42.0593 3104 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
    11:15:42.0609 3104 Netman - ok
    11:15:42.0656 3104 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    11:15:42.0671 3104 NetTcpPortSharing - ok
    11:15:42.0734 3104 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
    11:15:42.0734 3104 Nla - ok
    11:15:42.0796 3104 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
    11:15:42.0796 3104 Npfs - ok
    11:15:42.0843 3104 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
    11:15:42.0875 3104 Ntfs - ok
    11:15:42.0937 3104 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
    11:15:42.0953 3104 NtmsSvc - ok
    11:15:43.0000 3104 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
    11:15:43.0000 3104 Null - ok
    11:15:43.0109 3104 [ 5D701FCA6F7DB7A8A7D21F80A84D291A ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    11:15:43.0171 3104 nv - ok
    11:15:43.0187 3104 [ 26712CF8BE48BC767854927435C0B6A9 ] NVSvc C:\WINDOWS\System32\nvsvc32.exe
    11:15:43.0203 3104 NVSvc - ok
    11:15:43.0250 3104 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    11:15:43.0250 3104 NwlnkFlt - ok
    11:15:43.0265 3104 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    11:15:43.0265 3104 NwlnkFwd - ok
    11:15:43.0312 3104 [ CEC7E2C6C1FA00C7AB2F5434F848AE51 ] OMCI C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
    11:15:43.0312 3104 OMCI - ok
    11:15:43.0375 3104 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    11:15:43.0390 3104 ose - ok
    11:15:43.0453 3104 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
    11:15:43.0468 3104 Parport - ok
    11:15:43.0484 3104 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
    11:15:43.0484 3104 PartMgr - ok
    11:15:43.0546 3104 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
    11:15:43.0546 3104 ParVdm - ok
    11:15:43.0562 3104 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
    11:15:43.0578 3104 PCI - ok
    11:15:43.0578 3104 PCIDump - ok
    11:15:43.0625 3104 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
    11:15:43.0625 3104 PCIIde - ok
    11:15:43.0656 3104 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
    11:15:43.0656 3104 Pcmcia - ok
    11:15:43.0671 3104 PDCOMP - ok
    11:15:43.0687 3104 PDFRAME - ok
    11:15:43.0703 3104 PDRELI - ok
    11:15:43.0718 3104 PDRFRAME - ok
    11:15:43.0718 3104 perc2 - ok
    11:15:43.0734 3104 perc2hib - ok
    11:15:43.0796 3104 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
    11:15:43.0812 3104 PlugPlay - ok
    11:15:43.0875 3104 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
    11:15:43.0875 3104 PolicyAgent - ok
    11:15:43.0890 3104 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
    11:15:43.0890 3104 PptpMiniport - ok
    11:15:43.0921 3104 [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys
    11:15:43.0921 3104 Processor - ok
    11:15:43.0937 3104 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
    11:15:43.0937 3104 ProtectedStorage - ok
    11:15:43.0953 3104 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
    11:15:43.0953 3104 PSched - ok
    11:15:44.0031 3104 [ D24DFD16A1E2A76034DF5AA18125C35D ] PSI C:\WINDOWS\system32\DRIVERS\psi_mf.sys
    11:15:44.0031 3104 PSI - ok
    11:15:44.0093 3104 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
    11:15:44.0093 3104 Ptilink - ok
    11:15:44.0140 3104 [ 153D02480A0A2F45785522E814C634B6 ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
    11:15:44.0140 3104 PxHelp20 - ok
    11:15:44.0156 3104 ql1080 - ok
    11:15:44.0171 3104 Ql10wnt - ok
    11:15:44.0187 3104 ql12160 - ok
    11:15:44.0203 3104 ql1240 - ok
    11:15:44.0203 3104 ql1280 - ok
    11:15:44.0250 3104 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
    11:15:44.0250 3104 RasAcd - ok
    11:15:44.0296 3104 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
    11:15:44.0312 3104 RasAuto - ok
    11:15:44.0359 3104 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    11:15:44.0359 3104 Rasl2tp - ok
    11:15:44.0437 3104 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
    11:15:44.0437 3104 RasMan - ok
    11:15:44.0453 3104 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    11:15:44.0453 3104 RasPppoe - ok
    11:15:44.0484 3104 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
    11:15:44.0484 3104 Raspti - ok
    11:15:44.0500 3104 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    11:15:44.0500 3104 RDPCDD - ok
    11:15:44.0562 3104 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
    11:15:44.0578 3104 RDPWD - ok
    11:15:44.0593 3104 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
    11:15:44.0609 3104 RDSessMgr - ok
    11:15:44.0656 3104 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
    11:15:44.0656 3104 redbook - ok
    11:15:44.0718 3104 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
    11:15:44.0718 3104 RemoteAccess - ok
    11:15:44.0750 3104 [ D8B0B4ADE32574B2D9C5CC34DC0DBBE7 ] ROOTMODEM C:\WINDOWS\system32\Drivers\RootMdm.sys
    11:15:44.0750 3104 ROOTMODEM - ok
    11:15:44.0828 3104 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
    11:15:44.0828 3104 RpcSs - ok
    11:15:44.0875 3104 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe
    11:15:44.0890 3104 RSVP - ok
    11:15:44.0937 3104 [ 3DEE06E12BAC87168089040D3C86FBEA ] RTL8023 C:\WINDOWS\system32\DRIVERS\GA311ND5.SYS
    11:15:44.0953 3104 RTL8023 - ok
    11:15:44.0968 3104 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
    11:15:44.0968 3104 SamSs - ok
    11:15:45.0015 3104 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
    11:15:45.0031 3104 SCardSvr - ok
    11:15:45.0078 3104 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
    11:15:45.0093 3104 Schedule - ok
    11:15:45.0156 3104 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
    11:15:45.0156 3104 Secdrv - ok
    11:15:45.0187 3104 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
    11:15:45.0187 3104 seclogon - ok
    11:15:45.0375 3104 [ 5B66DB4877BBAC9F7493AA8D84421E49 ] Secunia PSI Agent C:\Program Files\Secunia\PSI\PSIA.exe
    11:15:45.0468 3104 Secunia PSI Agent - ok
    11:15:45.0531 3104 [ 0E88FDF474F2CDD370A4A6CE77D018F0 ] Secunia Update Agent C:\Program Files\Secunia\PSI\sua.exe
    11:15:45.0562 3104 Secunia Update Agent - ok
    11:15:45.0640 3104 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
    11:15:45.0640 3104 SENS - ok
    11:15:45.0656 3104 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
    11:15:45.0656 3104 serenum - ok
    11:15:45.0687 3104 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
    11:15:45.0687 3104 Serial - ok
    11:15:45.0796 3104 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
    11:15:45.0796 3104 Sfloppy - ok
    11:15:45.0890 3104 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
    11:15:45.0921 3104 SharedAccess - ok
    11:15:45.0953 3104 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
    11:15:45.0953 3104 ShellHWDetection - ok
    11:15:45.0968 3104 Simbad - ok
    11:15:46.0062 3104 [ 5018A9DB5EB62E3EDB3110F82F556285 ] smwdm C:\WINDOWS\system32\drivers\smwdm.sys
    11:15:46.0078 3104 smwdm - ok
    11:15:46.0093 3104 Sparrow - ok
    11:15:46.0156 3104 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
    11:15:46.0171 3104 splitter - ok
    11:15:46.0234 3104 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
    11:15:46.0265 3104 Spooler - ok
    11:15:46.0281 3104 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
    11:15:46.0281 3104 sr - ok
    11:15:46.0359 3104 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
    11:15:46.0359 3104 srservice - ok
    11:15:46.0437 3104 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
    11:15:46.0453 3104 Srv - ok
    11:15:46.0468 3104 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
    11:15:46.0468 3104 SSDPSRV - ok
    11:15:46.0562 3104 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
    11:15:46.0609 3104 stisvc - ok
    11:15:46.0687 3104 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
    11:15:46.0687 3104 swenum - ok
    11:15:46.0718 3104 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
    11:15:46.0718 3104 swmidi - ok
    11:15:46.0734 3104 SwPrv - ok
    11:15:46.0750 3104 sxuptp - ok
    11:15:46.0765 3104 symc810 - ok
    11:15:46.0781 3104 symc8xx - ok
    11:15:46.0796 3104 sym_hi - ok
    11:15:46.0796 3104 sym_u3 - ok
    11:15:46.0828 3104 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
    11:15:46.0828 3104 sysaudio - ok
    11:15:46.0890 3104 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
    11:15:46.0890 3104 SysmonLog - ok
    11:15:46.0953 3104 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
    11:15:46.0968 3104 TapiSrv - ok
    11:15:47.0046 3104 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
    11:15:47.0078 3104 Tcpip - ok
    11:15:47.0140 3104 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
    11:15:47.0140 3104 TDPIPE - ok
    11:15:47.0156 3104 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
    11:15:47.0156 3104 TDTCP - ok
    11:15:47.0203 3104 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
    11:15:47.0203 3104 TermDD - ok
    11:15:47.0296 3104 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
    11:15:47.0312 3104 TermService - ok
    11:15:47.0343 3104 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
    11:15:47.0343 3104 Themes - ok
    11:15:47.0359 3104 TosIde - ok
    11:15:47.0406 3104 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
    11:15:47.0406 3104 TrkWks - ok
    11:15:47.0437 3104 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
    11:15:47.0453 3104 Udfs - ok
    11:15:47.0453 3104 ultra - ok
    11:15:47.0531 3104 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
    11:15:47.0546 3104 Update - ok
    11:15:47.0593 3104 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
    11:15:47.0609 3104 upnphost - ok
    11:15:47.0640 3104 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
    11:15:47.0640 3104 UPS - ok
    11:15:47.0703 3104 [ 73B41F4EAD65F355962168D766AF0F2E ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
    11:15:47.0703 3104 USBAAPL - ok
    11:15:47.0734 3104 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    11:15:47.0734 3104 usbccgp - ok
    11:15:47.0812 3104 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
    11:15:47.0812 3104 usbehci - ok
    11:15:47.0875 3104 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
    11:15:47.0890 3104 usbhub - ok
    11:15:47.0906 3104 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
    11:15:47.0906 3104 usbprint - ok
    11:15:47.0984 3104 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
    11:15:47.0984 3104 usbscan - ok
    11:15:48.0000 3104 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    11:15:48.0000 3104 USBSTOR - ok
    11:15:48.0031 3104 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    11:15:48.0031 3104 usbuhci - ok
    11:15:48.0093 3104 [ 497F2190E87D58FD68E559E083796EDC ] USRpdA C:\WINDOWS\system32\DRIVERS\USRpdA.sys
    11:15:48.0109 3104 USRpdA - ok
    11:15:48.0125 3104 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
    11:15:48.0125 3104 VgaSave - ok
    11:15:48.0140 3104 ViaIde - ok
    11:15:48.0156 3104 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
    11:15:48.0156 3104 VolSnap - ok
    11:15:48.0218 3104 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
    11:15:48.0250 3104 VSS - ok
    11:15:48.0312 3104 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
    11:15:48.0312 3104 W32Time - ok
    11:15:48.0390 3104 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
    11:15:48.0390 3104 Wanarp - ok
    11:15:48.0406 3104 WDICA - ok
    11:15:48.0468 3104 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
    11:15:48.0484 3104 wdmaud - ok
    11:15:48.0515 3104 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
    11:15:48.0531 3104 WebClient - ok
    11:15:48.0656 3104 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
    11:15:48.0656 3104 winmgmt - ok
    11:15:48.0718 3104 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
    11:15:48.0718 3104 WmdmPmSN - ok
    11:15:48.0765 3104 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
    11:15:48.0765 3104 WmiApSrv - ok
    11:15:48.0859 3104 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
    11:15:48.0890 3104 WMPNetworkSvc - ok
    11:15:49.0046 3104 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    11:15:49.0109 3104 WPFFontCache_v0400 - ok
    11:15:49.0187 3104 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
    11:15:49.0187 3104 wscsvc - ok
    11:15:49.0218 3104 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
    11:15:49.0218 3104 wuauserv - ok
    11:15:49.0312 3104 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
    11:15:49.0343 3104 WZCSVC - ok
    11:15:49.0406 3104 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
    11:15:49.0406 3104 xmlprov - ok
    11:15:49.0421 3104 ================ Scan global ===============================
    11:15:49.0468 3104 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
    11:15:49.0546 3104 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
    11:15:49.0578 3104 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
    11:15:49.0593 3104 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
    11:15:49.0593 3104 [Global] - ok
    11:15:49.0609 3104 ================ Scan MBR ==================================
    11:15:49.0640 3104 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
    11:15:49.0843 3104 \Device\Harddisk0\DR0 - ok
    11:15:49.0843 3104 ================ Scan VBR ==================================
    11:15:49.0859 3104 [ 6C35032B15A67BBBA1E0AA1A237FF28E ] \Device\Harddisk0\DR0\Partition1
    11:15:49.0859 3104 \Device\Harddisk0\DR0\Partition1 - ok
    11:15:49.0859 3104 ============================================================
    11:15:49.0859 3104 Scan finished
    11:15:49.0859 3104 ============================================================
    11:15:49.0875 0224 Detected object count: 0
    11:15:49.0875 0224 Actual detected object count: 0
  4. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    Rogue Killer:
    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Ed [Admin rights]
    Mode : Remove -- Date : 11/09/2012 11:26:46
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD400BB-75DEA0 +++++

    --- User ---
    [MBR] 63f767e2998d7fd940fb80bc89ed23a0
    [BSP] f0531316a6163d16f4ba254ab3fe3bf4 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 38099 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2]_D_11092012_02d1126.txt >>
    RKreport[1]_S_11092012_02d1126.txt ; RKreport[2]_D_11092012_02d1126.txt
  5. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    aswMBR:
    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-11-09 11:30:45
    -----------------------------
    11:30:45.437 OS Version: Windows 5.1.2600 Service Pack 3
    11:30:45.437 Number of processors: 1 586 0x209
    11:30:45.437 ComputerName: ED-NXAIBJWWPXN5 UserName: Ed
    11:30:45.984 Initialize success
    11:37:22.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    11:37:22.937 Disk 0 Vendor: WDC_WD400BB-75DEA0 05.03E05 Size: 38146MB BusType: 3
    11:37:22.968 Disk 0 MBR read successfully
    11:37:22.968 Disk 0 MBR scan
    11:37:22.984 Disk 0 Windows XP default MBR code
    11:37:22.984 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
    11:37:22.984 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 38099 MB offset 80325
    11:37:22.984 Disk 0 scanning sectors +78108030
    11:37:23.062 Disk 0 scanning C:\WINDOWS\system32\drivers
    11:37:33.515 Service scanning
    11:37:53.171 Modules scanning
    11:37:59.703 Disk 0 trace - called modules:
    11:37:59.734 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    11:37:59.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89710ab8]
    11:38:00.250 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89764d98]
    11:38:00.250 Scan finished successfully
    11:38:14.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ed\Desktop\MBR.dat"
    11:38:14.578 The log file has been saved successfully to "C:\Documents and Settings\Ed\Desktop\aswMBR.txt"
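RogueKiller's "MBR Check" and aswMBR's "MBR scan" above both read sector 0 of PhysicalDrive0, print its partition table and identify the boot code (reported here as Windows XP MBR code). As an added example, not code from either tool or from anyone in this thread, the Python below builds a 512-byte MBR whose partition table matches what they printed (Dell Utility 0xDE at LBA 63, active NTFS 0x07 at LBA 80325, with sector counts chosen to reproduce the 39 MB and 38099 MB sizes), parses it, and runs the sanity checks a reviewer wants: the 0x55AA signature, exactly one active partition, valid status bytes, no overlapping entries, nothing past the end of the disk, and an MD5 of the boot-code region compared against a saved baseline in the spirit of the MBR.dat that aswMBR wrote to the desktop. The boot code, disk signature and baseline hash are placeholders constructed for the example; no real Windows XP MBR bytes or hashes are reproduced.

```python
"""Parse and sanity-check an MBR partition table (added example, not tool code)."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x07: "NTFS", 0xDE: "DELL-UTIL", 0x0B: "FAT32", 0x0C: "FAT32-LBA",
              0x05: "Extended", 0x0F: "Extended-LBA", 0x82: "Linux-swap", 0x83: "Linux"}


@dataclass
class Partition:
    index: int
    status: int       # 0x80 = active (bootable), 0x00 = inactive, anything else is corrupt
    type_id: int
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:   # exclusive
        return self.lba_start + self.sectors

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)


def build_mbr(boot_code: bytes, disk_sig: int, entries) -> bytes:
    """Assemble a 512-byte MBR from (active, type_id, lba_start, sectors) tuples.
    CHS fields are left zero; the LBA values are what the checks below use."""
    assert len(boot_code) <= 440
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0", type_id, b"\0\0\0", lba, count)
        for active, type_id, lba, count in entries
    ).ljust(64, b"\0")
    return boot_code.ljust(440, b"\0") + struct.pack("<IH", disk_sig, 0) + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, type_id, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if type_id == 0 and count == 0:
            continue        # empty slot
        parts.append(Partition(i, status, type_id, lba, count))
    return parts


def boot_code_md5(mbr: bytes) -> str:
    """Hash only bytes 0..439: the disk signature and table legitimately differ per machine."""
    return hashlib.md5(mbr[:440]).hexdigest()


def describe(p: Partition) -> str:
    """One line per entry, in the same spirit as RogueKiller's partition table listing."""
    flag = "ACTIVE" if p.active else "XXXXXX"
    return (f"{p.index} - [{flag}] {PART_TYPES.get(p.type_id, 'unknown')} (0x{p.type_id:02x}) "
            f"offset {p.lba_start} | size {p.size_mb} MB")


def validate(mbr: bytes, disk_sectors: int, baseline_boot_md5: str = "") -> list:
    problems = []
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        return ["missing 0x55AA boot signature"]
    if baseline_boot_md5 and boot_code_md5(mbr) != baseline_boot_md5:
        problems.append("boot code differs from saved baseline (possible bootkit or repair)")
    parts = parse_mbr(mbr)
    active = sum(p.active for p in parts)
    if active != 1:
        problems.append(f"expected exactly one active partition, found {active}")
    for p in parts:
        if p.status not in (0x00, 0x80):
            problems.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
        if p.lba_start == 0:
            problems.append(f"partition {p.index}: starts at sector 0 (overlaps the MBR)")
        if p.lba_end > disk_sectors:
            problems.append(f"partition {p.index}: extends beyond end of disk")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_end:
            problems.append(f"partitions {a.index} and {b.index} overlap")
    return problems


# Constructed sample matching the table printed by RogueKiller and aswMBR above.
# Sector counts are chosen to give 39 MB and 38099 MB; the boot code and disk
# signature are placeholders, not the real Windows XP MBR bytes.
DISK_SECTORS = 38146 * 2048          # 38146 MB disk
SAMPLE_MBR = build_mbr(b"PLACEHOLDER-BOOT-CODE", 0x12345678, [
    (False, 0xDE, 63, 80325 - 63),
    (True, 0x07, 80325, 78108030 - 80325),
])
# Same table, first bytes of boot code overwritten: the shape of a bootkit infection.
TAMPERED_MBR = b"BOOTKIT" + SAMPLE_MBR[7:]

if __name__ == "__main__":
    baseline = boot_code_md5(SAMPLE_MBR)      # would be saved from a known-clean scan
    for p in parse_mbr(SAMPLE_MBR):
        print(describe(p))
    print("clean:", validate(SAMPLE_MBR, DISK_SECTORS, baseline) or "OK")
    print("tampered:", validate(TAMPERED_MBR, DISK_SECTORS, baseline))
```

Hashing only the boot-code region is deliberate: the disk signature and partition table differ from machine to machine, while the boot code on a healthy Windows XP disk should not change between scans, so a baseline taken from a clean scan stays comparable. What offline code cannot reproduce is the tools' comparison of the same sector read through different layers of the storage stack (the "LL1 ... OK! / LL2 ... OK!" lines in RogueKiller), which is intended to catch a rootkit that filters sector reads and hands the scanner a clean copy.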
  6. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Create a new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    =============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
      If the connection is not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
  7. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    Combofix:
    ComboFix 12-11-09.02 - Ed 11/09/2012 19:08:13.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.647 [GMT -5:00]
    Running from: c:\documents and settings\Ed\Desktop\ComboFix.exe
    AV: G Data TotalSecurity 2012 *Disabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
    FW: G Data Personal Firewall *Disabled* {6E6F4BA6-C07D-443F-A130-0A57DA59A082}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-10 to 2012-11-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-08 18:03 . 2012-11-08 18:03 -------- d-----w- c:\program files\MSXML 4.0
    2012-11-08 18:01 . 2012-11-08 18:01 -------- d-----w- c:\program files\Common Files\Java
    2012-11-08 18:01 . 2012-11-08 18:00 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-11-08 17:31 . 2012-11-08 17:31 -------- d-----w- c:\program files\Microsoft Download Manager
    2012-11-07 16:42 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-07 02:41 . 2012-11-07 02:41 -------- d-----w- c:\documents and settings\Ed\Application Data\Funmoods
    2012-11-07 02:20 . 2012-11-07 02:20 -------- d-----w- c:\documents and settings\Ed\Application Data\jdnetmon
    2012-11-07 02:09 . 2012-11-07 02:09 -------- d-----w- c:\program files\Microsoft.NET
    2012-11-07 01:53 . 2012-11-09 18:31 -------- d-----w- c:\documents and settings\Ed\Application Data\jdast
    2012-11-07 01:53 . 2012-11-07 03:00 -------- d-----w- c:\program files\JDAST
    2012-11-07 01:52 . 2012-11-07 01:52 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Wajam
    2012-10-21 15:40 . 2012-10-21 15:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2012-10-21 15:40 . 2012-10-22 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-08 18:00 . 2010-07-20 18:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-11-08 18:00 . 2010-07-20 18:55 473072 -c--a-w- c:\windows\system32\deployJava1.dll
    2012-10-09 17:00 . 2012-03-30 22:34 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-10-09 17:00 . 2011-07-15 02:14 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-28 15:14 . 2003-07-16 20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14 . 2003-07-16 20:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14 . 2003-07-16 20:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07 . 2009-03-21 01:45 385024 ----a-w- c:\windows\system32\html.iec
    2012-08-24 13:53 . 2003-07-16 20:51 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-21 17:01 . 2006-10-03 23:47 106928 ----a-w- c:\windows\system32\GEARAspi.dll
    2012-08-21 17:01 . 2006-09-19 18:44 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-08-21 13:29 . 2003-07-16 20:39 2192896 -c--a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58 . 2002-08-29 01:04 2069632 -c--a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2012-06-02 . 2E0B0A051FFAA86E358465BB0880D453 . 53784 . . [7.6.7600.256] . . c:\windows\system32\wuauclt.exe
    [7] 2012-06-02 . 2E0B0A051FFAA86E358465BB0880D453 . 53784 . . [7.6.7600.256] . . c:\windows\system32\dllcache\wuauclt.exe
    [7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\ERDNT\cache\wuauclt.exe
    [7] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
    [7] 2004-08-04 . 4126D27CECE4471E00E425411F7306B5 . 111104 . . [5.4.3790.2180] . . c:\windows\$NtServicePackUninstall$\wuauclt.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "G Data AntiVirus Tray Application"="c:\program files\G Data\TotalSecurity\AVKTray\AVKTray.exe" [2011-08-19 921096]
    "GDFirewallTray"="c:\program files\G Data\TotalSecurity\Firewall\GDFirewallTray.exe" [2011-11-08 1616392]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
    c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-07-27 20:51 919008 -c--a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-08-28 01:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-09-10 03:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-09-30 00:54 766536 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2/11/2012 4:32 PM 40440]
    R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2/11/2012 4:32 PM 30200]
    R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2/11/2012 4:32 PM 79992]
    R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2/12/2012 3:08 AM 69112]
    R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2/11/2012 4:32 PM 40568]
    R2 AVKProxy;G Data AntiVirus Proxy;c:\program files\Common Files\G Data\AVKProxy\AVKProxy.exe [5/3/2011 2:21 PM 1499656]
    R2 AVKService;G Data Scheduler;c:\program files\G Data\TotalSecurity\AVK\AVKService.exe [5/3/2011 2:21 PM 409608]
    R2 AVKWCtl;G Data Filesystem Monitor;c:\program files\G Data\TotalSecurity\AVK\AVKWCtl.exe [5/3/2011 11:26 AM 1554184]
    R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2/11/2012 4:32 PM 52216]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/7/2012 11:42 AM 399432]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 1:01 AM 994360]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 1:01 AM 399416]
    R3 GDFwSvc;G Data Personal Firewall;c:\program files\G Data\TotalSecurity\Firewall\GDFwSvc.exe [5/3/2011 11:39 AM 1613424]
    R3 GDScan;G Data Scanner;c:\program files\Common Files\G Data\GDScan\GDScan.exe [5/3/2011 2:21 PM 457536]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/7/2012 11:42 AM 22856]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/7/2012 11:42 AM 676936]
    S3 GDBackupSvc;G Data Backup Service;c:\program files\G Data\TotalSecurity\AVKBackup\AVKBackupService.exe [5/3/2011 11:18 AM 1498616]
    S3 GDTunerSvc;G Data Tuner Service;c:\program files\G Data\TotalSecurity\AVKTuner\AVKTunerService.exe [5/3/2011 12:15 PM 960504]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2/4/2011 9:11 PM 16968]
    S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-09 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:00]
    .
    2012-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cce136bb5afc0c.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-27 02:20]
    .
    2012-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cce136bbbf1ed0.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-27 02:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.google.com/
    mStart Page = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0CtDtA0FtD0EyEtC0D0B0F0Ezy0B0BzytN0D0Tzu0CtAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-11-09 19:20
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2012-11-09 19:24:08
    ComboFix-quarantined-files.txt 2012-11-10 00:24
    .
    Pre-Run: 18,269,474,816 bytes free
    Post-Run: 18,289,426,432 bytes free
    .
    - - End Of File - - 83AE142ECBE942650C139489D145DA80
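The ComboFix output above is the kind of log a helper reads by eye: the Security Center override values, the Windows Firewall standard-profile setting, the service line whose file ComboFix marked with [?] (OTL later reports the same sxuptp entry as "File not found"), the uStart/mStart Page entries (u = current user, m = machine-wide) and the DHCP-assigned resolver. As an added example, not part of the thread and not ComboFix's own code, the Python below runs those checks over an excerpt constructed from that log. Its assumptions are its own: the set of hosts treated as acceptable start pages, the rule that an override or a disabled Windows Firewall is only rated "review" when the log names a third-party AV or firewall, and the shortened query string on the Funmoods URL in the sample.

```python
"""Triage of a ComboFix-style log excerpt (added example, not ComboFix code)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the ComboFix output in the post above.
# The Funmoods URL's query string is shortened; everything else is verbatim.
SAMPLE_LOG = r"""
AV: G Data TotalSecurity 2012 *Disabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: G Data Personal Firewall *Disabled* {6E6F4BA6-C07D-443F-A130-0A57DA59A082}
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/7/2012 11:42 AM 22856]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
uStart Page = https://www.google.com/
mStart Page = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download
TCP: DhcpNameServer = 192.168.1.1
"""

# Assumption: hosts a stock IE start page may legitimately point at.
DEFAULT_START_HOSTS = {"www.google.com", "www.bing.com", "www.msn.com", "go.microsoft.com"}


@dataclass
class Finding:
    severity: str  # "high" = act on it; "review" = plausibly explained by the installed suite
    item: str
    detail: str


def refang(url: str) -> str:
    """Undo the hxxp:// defanging used in these logs so the URL can be parsed (not visited)."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def triage(log_text: str) -> list:
    findings = []
    section = ""                 # registry key of the block we are currently inside
    third_party_av = third_party_fw = False

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AV: "):
            third_party_av = True
            continue
        if line.startswith("FW: "):
            third_party_fw = True
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue

        # Security Center told to stop monitoring AV/firewall state. A third-party
        # suite (here G Data) commonly sets these; without one they are suspicious.
        m = re.match(r'^"(AntiVirusOverride|FirewallOverride)"=dword:([0-9a-fA-F]{8})$', line)
        if m and section.endswith("security center") and int(m.group(2), 16) == 1:
            sev = "review" if third_party_av else "high"
            findings.append(Finding(sev, m.group(1), "Security Center monitoring overridden"))
            continue

        # Windows Firewall switched off in the standard profile.
        m = re.match(r'^"EnableFirewall"=\s*(\d+)', line)
        if m and "firewallpolicy\\standardprofile" in section and int(m.group(1)) == 0:
            sev = "review" if third_party_fw else "high"
            findings.append(Finding(sev, "EnableFirewall", "Windows Firewall disabled (standard profile)"))
            continue

        # Service/driver entry whose file ComboFix could not find: an orphaned registration.
        m = re.match(r"^[RS]\d\s+([^;]+);[^;]*;.*\s\[\?\]$", line)
        if m:
            findings.append(Finding("review", f"service {m.group(1)}", "registered but its file is missing"))
            continue

        # IE start page: u = current user (HKCU), m = machine-wide (HKLM).
        m = re.match(r"^([um])Start Page = (\S+)", line)
        if m:
            scope = "HKCU" if m.group(1) == "u" else "HKLM"
            host = urlparse(refang(m.group(2))).hostname or ""
            if host not in DEFAULT_START_HOSTS:
                findings.append(Finding("high", f"{m.group(1)}Start Page",
                                        f"{scope} start page points at {host}"))
            continue

        # DHCP-assigned resolver (first address only): anything outside private space deserves a look.
        m = re.match(r"^TCP: DhcpNameServer = (\S+)", line)
        if m and not ipaddress.ip_address(m.group(1)).is_private:
            findings.append(Finding("high", "DhcpNameServer", f"public resolver {m.group(1)}"))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item}: {f.detail}")
```

Run as a script it prints five findings for the sample: the two Security Center overrides and the disabled Windows Firewall rated "review" because the AV: and FW: lines name G Data as the installed suite, the orphaned sxuptp service, and the HKLM start page still pointing at searchfunmoods.com while the HKCU one is Google. Defanged hxxp links are restored only so urlparse can extract the host; nothing is fetched.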
  8. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Looks good.

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  9. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    Broni - OTL is running VERY slowly (over a couple of hours and still not done). If I look at the processes in Task Mgr, AVKProxy.exe is using 99% of the CPU.

    AVKProxy appears to be related to my G Data antivirus. I even tried turning everything off in G Data ... but had the same result.
    Any suggestions?
  10. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Re-run OTL from safe mode.
  11. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    Much better!!
    OTL logfile created on: 11/9/2012 11:07:55 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ed\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: | Country: | Language: | Date Format:

    1.25 Gb Total Physical Memory | 1.02 Gb Available Physical Memory | 81.47% Memory free
    2.98 Gb Paging File | 2.93 Gb Available in Paging File | 98.24% Paging File free
    Paging file location(s): C:\pagefile.sys 1917 1917 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.21 Gb Total Space | 17.02 Gb Free Space | 45.76% Space Free | Partition Type: NTFS

    Computer Name: ED-NXAIBJWWPXN5 | User Name: Ed | Logged in as Administrator.
    Boot Mode: SafeMode | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/11/09 19:48:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========


    ========== Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2012/10/09 12:00:31 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2011/11/08 07:43:11 | 001,499,656 | ---- | M] (G Data Software AG) [Auto | Stopped] -- C:\Program Files\Common Files\G Data\AVKProxy\AVKProxy.exe -- (AVKProxy)
    SRV - [2011/10/28 08:43:51 | 001,498,616 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\G Data\TotalSecurity\AVKBackup\AVKBackupService.exe -- (GDBackupSvc)
    SRV - [2011/10/28 08:36:11 | 000,457,536 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\G Data\GDScan\GDScan.exe -- (GDScan)
    SRV - [2011/10/27 20:40:14 | 001,554,184 | ---- | M] (G Data Software AG) [Auto | Stopped] -- C:\Program Files\G Data\TotalSecurity\AVK\AVKWCtl.exe -- (AVKWCtl)
    SRV - [2011/10/14 01:01:50 | 000,994,360 | ---- | M] (Secunia) [Auto | Stopped] -- C:\Program Files\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
    SRV - [2011/10/14 01:01:48 | 000,399,416 | ---- | M] (Secunia) [Auto | Stopped] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
    SRV - [2011/08/10 07:20:28 | 001,613,424 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\G Data\TotalSecurity\Firewall\GDFwSvc.exe -- (GDFwSvc)
    SRV - [2011/05/19 20:40:34 | 000,960,504 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\G Data\TotalSecurity\AVKTuner\AVKTunerService.exe -- (GDTunerSvc)
    SRV - [2011/05/03 14:21:16 | 000,409,608 | ---- | M] (G Data Software AG) [Auto | Stopped] -- C:\Program Files\G Data\TotalSecurity\AVK\AVKService.exe -- (AVKService)
    SRV - [2009/09/08 17:25:52 | 000,096,334 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\sxuptp.sys -- (sxuptp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\TEMP\catchme.sys -- (catchme)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGSp50.sys -- (AFGSp50)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGMp50.sys -- (AFGMp50)
    DRV - [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2012/02/12 03:08:39 | 000,069,112 | ---- | M] (G Data Software) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\GRD.sys -- (GRD)
    DRV - [2012/02/11 18:36:51 | 000,030,200 | ---- | M] (G Data Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\GDNdisIc.sys -- (GDNdisIc)
    DRV - [2012/02/11 18:36:50 | 000,052,216 | ---- | M] (G Data Software AG) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\GDTdiIcpt.sys -- (GDTdiInterceptor)
    DRV - [2012/02/11 18:36:42 | 000,040,568 | ---- | M] (G Data Software AG) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\HookCentre.sys -- (HookCentre)
    DRV - [2012/02/11 18:36:41 | 000,079,992 | ---- | M] (G Data Software AG) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\MiniIcpt.sys -- (GDMnIcpt)
    DRV - [2012/02/11 18:36:40 | 000,040,440 | ---- | M] (G Data Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\GDBehave.sys -- (GDBehave)
    DRV - [2011/02/04 21:24:12 | 000,016,968 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
    DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
    DRV - [2010/06/30 03:27:08 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
    DRV - [2004/03/09 09:58:06 | 000,329,088 | ---- | M] (U.S. Robotics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\3c1807pd.sys -- (3c1807pd)
    DRV - [2003/10/12 10:29:00 | 000,066,688 | R--- | M] (NETGEAR ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GA311ND5.SYS -- (RTL8023)
    DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
    DRV - [2001/08/17 08:28:26 | 000,113,762 | ---- | M] (U.S. Robotics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchfunmoods.com/?f=1&a=do...tAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871
    IE - HKLM\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results.p...tAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
    IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 12 7A 82 02 C6 0E CD 01 [binary data]
    IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
    IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...&ie={inputEncoding?}&oe={outputEncoding?}&rlz=
    IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results.p...tAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871
    IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
    FF - HKLM\Software\MozillaPlugins\google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2012/11/09 23:02:57 | 000,000,000 | ---D | M]
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



    O1 HOSTS File: ([2011/12/28 00:22:02 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (G Data WebFilter) - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\TotalSecurity\WebFilter\AvkWebIE.dll (G Data Software AG)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
    O2 - BHO: (G Data BankGuard) - {BA3295CF-17ED-4F49-9E95-D999A0ADBFDC} - C:\Program Files\Common Files\G Data\AVKProxy\BanksafeBHO.dll (G Data Software AG)
    O3 - HKLM\..\Toolbar: (G Data WebFilter) - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\TotalSecurity\WebFilter\AvkWebIE.dll (G Data Software AG)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [G Data AntiVirus Tray Application] C:\Program Files\G Data\TotalSecurity\AVKTray\AVKTray.exe (G Data Software AG)
    O4 - HKLM..\Run: [GDFirewallTray] C:\Program Files\G Data\TotalSecurity\Firewall\GDFirewallTray.exe (G Data Software AG)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-73586283-746137067-839522115-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
    O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
    O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
    O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo2.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5A0DE531-0B77-487D-B443-F8C892D9FD93}: DhcpNameServer = 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/03/20 19:46:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/11/09 19:47:58 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe
    [2012/11/09 18:57:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/11/09 18:57:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/11/09 18:57:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/11/09 18:57:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/11/09 18:56:34 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/11/09 18:51:22 | 004,998,937 | R--- | C] (Swearware) -- C:\Documents and Settings\Ed\Desktop\ComboFix.exe
    [2012/11/09 11:30:21 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Ed\Desktop\aswMBR.exe
    [2012/11/09 11:21:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2012/11/09 11:19:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Desktop\RK_Quarantine
    [2012/11/08 20:26:30 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Music
    [2012/11/08 18:11:09 | 000,688,901 | R--- | C] (Swearware) -- C:\Documents and Settings\Ed\Desktop\dds.com
    [2012/11/08 13:03:37 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
    [2012/11/08 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2012/11/08 12:31:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\My Downloads
    [2012/11/08 12:31:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Download Manager
    [2012/11/08 12:31:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Download Manager
    [2012/11/07 11:42:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/11/07 11:42:34 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/11/06 21:41:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\Funmoods
    [2012/11/06 21:20:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\jdnetmon
    [2012/11/06 21:09:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
    [2012/11/06 21:00:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\Speed_Tester
    [2012/11/06 20:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Start Menu\Programs\JDs Auto Speed Tester
    [2012/11/06 20:53:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\jdast
    [2012/11/06 20:53:57 | 000,000,000 | ---D | C] -- C:\Program Files\JDAST
    [2012/11/06 20:52:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Local Settings\Application Data\Wajam
    [2012/11/06 20:37:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\Downloads
    [2012/10/31 21:49:22 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ed\Desktop\TDSSKiller.exe
    [2012/10/22 19:15:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\Alica
    [2012/10/21 10:40:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
    [2012/10/21 10:40:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
    [2012/10/21 10:39:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller

    ========== Files - Modified Within 30 Days ==========

    [2012/11/09 23:03:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/11/09 22:30:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA1cce136bbbf1ed0.job
    [2012/11/09 22:08:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cce136bb5afc0c.job
    [2012/11/09 21:59:06 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/11/09 19:48:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe
    [2012/11/09 18:51:23 | 004,998,937 | R--- | M] (Swearware) -- C:\Documents and Settings\Ed\Desktop\ComboFix.exe
    [2012/11/09 11:38:14 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\MBR.dat
    [2012/11/09 11:30:21 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Ed\Desktop\aswMBR.exe
    [2012/11/09 11:24:06 | 000,666,112 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\RogueKiller.exe
    [2012/11/09 11:14:18 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ed\Desktop\TDSSKiller.exe
    [2012/11/09 09:22:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2012/11/09 00:34:56 | 000,861,312 | ---- | M] () -- C:\WINDOWS\System32\sig.bin
    [2012/11/09 00:34:56 | 000,046,027 | ---- | M] () -- C:\WINDOWS\System32\nmp.map
    [2012/11/08 18:11:14 | 000,688,901 | R--- | M] (Swearware) -- C:\Documents and Settings\Ed\Desktop\dds.com
    [2012/11/08 17:59:27 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\rr94c86h.exe
    [2012/11/08 04:47:00 | 000,473,388 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/11/08 04:47:00 | 000,076,378 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/11/07 11:42:36 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/11/07 07:50:02 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/11/07 07:48:22 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\Microsoft Office Word 2003.lnk
    [2012/11/06 20:56:18 | 000,001,582 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\JDs Auto Speed Tester.lnk
    [2012/11/06 20:51:44 | 000,290,500 | ---- | M] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\funmoods-speeddial_sf.crx
    [2012/11/04 21:05:53 | 000,002,405 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\Microsoft Office Picture Manager.lnk
    [2012/11/01 21:17:22 | 000,002,423 | ---- | M] () -- C:\Documents and Settings\Ed\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Picture Manager.lnk

    ========== Files Created - No Company Name ==========

    [2012/11/09 18:57:16 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/11/09 18:57:16 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/11/09 18:57:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/11/09 18:57:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/11/09 18:57:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/11/09 11:38:14 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\MBR.dat
    [2012/11/09 11:24:05 | 000,666,112 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\RogueKiller.exe
    [2012/11/08 17:59:26 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\rr94c86h.exe
    [2012/11/07 11:42:36 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/11/06 20:54:00 | 000,001,582 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\JDs Auto Speed Tester.lnk
    [2012/11/06 20:51:52 | 000,290,500 | ---- | C] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\funmoods-speeddial_sf.crx
    [2012/07/14 12:19:06 | 000,079,520 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2012/02/14 22:26:49 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/12 17:31:24 | 000,861,312 | ---- | C] () -- C:\WINDOWS\System32\sig.bin
    [2011/12/22 05:29:16 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/12/20 18:44:43 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/12/18 17:42:27 | 000,134,872 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/07/08 01:14:50 | 000,000,175 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2011/02/28 21:29:53 | 000,233,616 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-73586283-746137067-839522115-1004-0.dat
    [2011/02/28 21:29:52 | 000,105,722 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2011/02/04 21:11:32 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/12/21 19:07:25 | 000,018,012 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

    ========== ZeroAccess Check ==========

    [2011/02/28 19:33:46 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2012/09/14 15:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
    [2010/12/14 06:03:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2012/02/11 17:17:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\G DATA
    [2011/02/04 21:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2011/12/20 19:20:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2012/03/19 19:43:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
    [2009/03/29 21:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    [2010/09/30 17:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2012/03/04 16:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\Canon
    [2012/11/06 21:41:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\Funmoods
    [2012/01/08 12:19:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\ieSpell
    [2012/11/09 13:31:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\jdast
    [2012/11/06 21:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\jdnetmon
    [2012/03/19 20:21:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\TaxCut

    ========== Purity Check ==========


    < End of report >
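The Internet Explorer section of the OTL log above is where the Funmoods hijack outlives the uninstall: in HKLM and in the user's HKU\S-1-5-21-...-1008 hive alike, SearchScopes,DefaultScope names the {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} scope whose URL is searchfunmoods.com, and the HKLM Start Page points at searchfunmoods.com as well. Because the HKLM entries are the machine-wide defaults, cleaning only the user's hive is not enough. The script below is an added example (not part of Mister Ed's post and not OTL's own code): it parses the three OTL line shapes involved, groups them per hive, resolves each hive's DefaultScope GUID to its URL, flags anything whose host is not on an allowlist, and works out per hive which scope keys to delete and which surviving trusted scope should become the default. TRUSTED_HOSTS and SAMPLE_OTL_LINES are constructed for the example; the sample mirrors the structure of the log above with the long query strings shortened.

```python
r"""
Audit the "Internet Explorer" section of an OTL log for search hijacking.

Added example for this thread: not part of the original post and not OTL's
own code. It reads the OTL lines for Main,Start Page, SearchScopes,DefaultScope
and SearchScopes\{GUID} "URL", groups them per hive (HKLM and each HKU\<SID>),
resolves the DefaultScope GUID to its URL and flags untrusted hosts.
TRUSTED_HOSTS and SAMPLE_OTL_LINES are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist: hosts a legitimate search provider or start page may use.
TRUSTED_HOSTS = {"www.google.com", "google.com", "search.live.com",
                 "www.bing.com", "search.yahoo.com"}

# OTL prints the registry path between the hive and SearchScopes as "\..\".
_GUID = r"(?P<guid>\{[0-9A-Fa-f-]{36}\})"
_DEFAULT_RE = re.compile(r"^IE - (?P<hive>.+?)\\\.\.\\SearchScopes,DefaultScope = " + _GUID + r"$")
_SCOPE_RE = re.compile(r"^IE - (?P<hive>.+?)\\\.\.\\SearchScopes\\" + _GUID + r': "URL" = (?P<url>\S+)$')
_START_RE = re.compile(r"^IE - (?P<hive>.+?)\\SOFTWARE\\Microsoft\\Internet Explorer\\Main,Start Page = (?P<url>\S+)$",
                       re.IGNORECASE)

# Constructed sample modelled on the OTL log in this thread (query strings shortened).
SAMPLE_OTL_LINES = [
    r'IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchfunmoods.com/?f=1&a=do',
    r'IE - HKLM\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}',
    r'IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}',
    r'IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7',
    r'IE - HKLM\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results?q={searchTerms}',
    r'IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/',
    r'IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us',
    r'IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}',
    r'IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}',
    r'IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results?q={searchTerms}',
]


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def parse_ie_section(lines):
    """Group OTL 'IE -' lines by hive: {hive: {'start': url, 'default': guid, 'scopes': {guid: url}}}."""
    hives = {}

    def entry(hive):
        return hives.setdefault(hive, {"start": None, "default": None, "scopes": {}})

    for raw in lines:
        line = raw.strip()
        m = _DEFAULT_RE.match(line)
        if m:
            entry(m["hive"])["default"] = m["guid"].upper()
            continue
        m = _SCOPE_RE.match(line)
        if m:
            entry(m["hive"])["scopes"][m["guid"].upper()] = m["url"]
            continue
        m = _START_RE.match(line)
        if m:
            entry(m["hive"])["start"] = m["url"]
    return hives


def audit(hives, trusted=TRUSTED_HOSTS):
    """One finding per untrusted start page or scope, plus any DefaultScope that names no scope at all."""
    findings = []
    for hive in sorted(hives):
        info = hives[hive]
        if info["start"] and host_of(info["start"]) not in trusted:
            findings.append({"hive": hive, "item": "start_page", "value": info["start"]})
        for guid, url in sorted(info["scopes"].items()):
            if host_of(url) not in trusted:
                item = "default_scope" if guid == info["default"] else "scope"
                findings.append({"hive": hive, "item": item, "value": url, "guid": guid})
        if info["default"] and info["default"] not in info["scopes"]:
            findings.append({"hive": hive, "item": "dangling_default", "value": info["default"]})
    return findings


def plan_fix(hives, trusted=TRUSTED_HOSTS):
    """Per affected hive: scope keys to delete, the trusted scope to make DefaultScope, whether to reset Start Page."""
    plan = {}
    for hive, info in hives.items():
        bad = sorted(g for g, u in info["scopes"].items() if host_of(u) not in trusted)
        good = sorted(g for g, u in info["scopes"].items() if host_of(u) in trusted)
        bad_start = bool(info["start"]) and host_of(info["start"]) not in trusted
        if not bad and not bad_start:
            continue
        plan[hive] = {
            "delete_scopes": bad,
            # Keep a trusted default; otherwise fall back to the first trusted scope left (None if none remain).
            "set_default": info["default"] if info["default"] in good else (good[0] if good else None),
            "reset_start_page": bad_start,
        }
    return plan


if __name__ == "__main__":
    parsed = parse_ie_section(SAMPLE_OTL_LINES)
    for finding in audit(parsed):
        print(finding)
    for hive, steps in plan_fix(parsed).items():
        print(hive, steps)
```

To use it on a real log, pass the file's lines to parse_ie_section. The plan is only a plan: the actual change is a registry edit (or an OTL fix script) in every affected hive, and the HKLM entries need the same treatment as the user's HKU hive or the hijack comes straight back.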
  12. Mister Ed


    And:
    OTL Extras logfile created on: 11/9/2012 11:07:55 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ed\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: | Country: | Language: | Date Format:

    1.25 Gb Total Physical Memory | 1.02 Gb Available Physical Memory | 81.47% Memory free
    2.98 Gb Paging File | 2.93 Gb Available in Paging File | 98.24% Paging File free
    Paging file location(s): C:\pagefile.sys 1917 1917 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.21 Gb Total Space | 17.02 Gb Free Space | 45.76% Space Free | Partition Type: NTFS

    Computer Name: ED-NXAIBJWWPXN5 | User Name: Ed | Logged in as Administrator.
    Boot Mode: SafeMode | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 1
    "FirewallOverride" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
    "C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
    "C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
    "{0F6F6876-6334-4977-B5DD-CFC12E193420}" = iTunes
    "{10964A8F-21C1-45EA-BC2D-F84B505C3848}" = H&R Block Deluxe + Efile + State 2010
    "{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
    "{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26A24AE4-039D-4CA4-87B4-2F83216037FF}" = Java(TM) 6 Update 37
    "{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
    "{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
    "{2DFC6D71-EBEC-4236-A13C-2E62307F4C3A}" = H&R Block Michigan 2010
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}" = Google SketchUp 8
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
    "{631471BE-DEAB-454B-A9AC-CE3EB42C28B3}" = Microsoft ASP.NET Web Pages
    "{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support
    "{654977DB-0001-0002-0001-EABD228DDE8B}" = Microsoft Download Manager
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
    "{7E5CDECB-726B-4581-BA8C-5B11148C3FA5}" = G Data TotalSecurity 2012
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{8398852A-7B61-4808-8F58-D0A40D1B2CB6}" = AVG 2012
    "{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A47FD1BF-A815-4A76-BE65-53A15BD5D25D}" = Microsoft SQL Server System CLR Types
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
    "{B692E59A-055C-43B7-BE0A-9C2FE0AB88B6}" = Microsoft SQL Server 2008 R2 Management Objects
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C6006AED-E5A7-4F77-BAD5-95AC43DE04F3}" = H&R Block Deluxe + Efile + State 2011
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D4DDFAA1-EC37-4529-AD5B-A433ADE68662}" = Apple Mobile Device Support
    "{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
    "{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
    "{DBB1F4ED-3212-4F58-A427-9C01DE4A24A5}_is1" = Uniblue SystemTweaker
    "{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1" = Uniblue SpeedUpMyPC
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "{FEF7DCAB-7F2C-4EB1-93B8-96BDC4B5C8DD}" = H&R Block Michigan 2011
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "CAL" = Canon Camera Access Library
    "CameraWindowDC8" = Canon Utilities CameraWindow DC 8
    "CameraWindowLauncher" = Canon Utilities CameraWindow Launcher
    "CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
    "CCleaner" = CCleaner
    "DPP" = Canon Utilities Digital Photo Professional 3.10
    "EOS Utility" = Canon Utilities EOS Utility
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "ieSpell" = ieSpell
    "JDs Auto Speed Tester" = JDs Auto Speed Tester
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "MovieUploaderForYouTube" = Canon Utilities Movie Uploader for YouTube
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "MyCamera" = Canon Utilities MyCamera
    "MyCamera Download Plugin" = CANON iMAGE GATEWAY MyCamera Download Plugin
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
    "PROSet" = Intel(R) PRO Network Adapters and Drivers
    "Registry Mechanic_is1" = Registry Mechanic 10.0
    "Secunia PSI" = Secunia PSI (2.0.0.4003)
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 7/15/2012 12:33:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
    Description = Faulting application acrord32.exe, version 10.1.3.23, faulting module
    acrord32.dll, version 10.1.3.23, fault address 0x0018447f.

    Error - 8/1/2012 10:29:50 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
    Description = Faulting application msimn.exe, version 6.0.2900.5512, faulting module
    mshtml.dll, version 8.0.6001.19258, fault address 0x001096ed.

    Error - 8/19/2012 7:06:45 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
    Description = Faulting application applemobilebackup.exe, version 17.1008.10.20,
    faulting module corefoundation.dll, version 1.630.16.0, fault address 0x0006a26a.

    Error - 9/17/2012 7:18:33 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
    Description = Faulting application GDFwSvc.exe, version 4.1.11222.860, faulting
    module GDFwSvc.exe, version 4.1.11222.860, fault address 0x00125f17.

    Error - 9/29/2012 12:34:55 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = CardSpace 3.0.0.0 | ID = 327936
    Description = An error occurred when communicating with the Windows CardSpace service.
    An unknown exception has caused the request to fail. For more information, please
    see the event log. Inner Exception: CryptProtectData failed while running as the
    User account. Additional Information: Microsoft.InfoCards.CommunicationException:
    An unknown exception has caused the request to fail. For more information, please
    see the event log. ---> System.ComponentModel.Win32Exception: CryptProtectData
    failed while running as the User account. at Microsoft.InfoCards.FileDataSource.EncryptAndSaveDPAPIKeyToHeader()
    at Microsoft.InfoCards.FileDataSource.CreateEmptyStore() at Microsoft.InfoCards.FileDataSource.OnLoad()
    at Microsoft.InfoCards.StoreConnection.Load() at Microsoft.InfoCards.StoreConnection.GetConnection(WindowsIdentity
    identity, Boolean allowCreate) at Microsoft.InfoCards.StoreConnection.CreateConnection()
    at Microsoft.InfoCards.ClientUIRequest.OnInitializeAsUser() at Microsoft.InfoCards.Request.Initialize()
    --- End of inner exception stack trace ---

    Error - 9/29/2012 12:34:55 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = CardSpace 3.0.0.0 | ID = 327949
    Description = The Windows CardSpace service is too busy to process this request.
    User has too many outstanding requests. Additional Information: at System.Environment.GetStackTrace(Exception
    e, Boolean needFileInfo) at System.Environment.get_StackTrace() at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException
    ie) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception
    e) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception
    e) at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
    at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity
    callerIdentity, Int32 tsSessionId) at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle
    monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
    at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle,
    IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

    Error - 9/29/2012 12:34:55 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = CardSpace 3.0.0.0 | ID = 327937
    Description = An error occurrred while accessing the card collection. Failed to
    open store. Additional Information: at System.Environment.GetStackTrace(Exception
    e, Boolean needFileInfo) at System.Environment.get_StackTrace() at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException
    ie) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception
    e) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception
    e) at Microsoft.InfoCards.StoreConnection.GetConnection(WindowsIdentity identity,
    Boolean allowCreate) at Microsoft.InfoCards.StoreConnection.GetConnection()
    at Microsoft.InfoCards.GetUserPreferenceRequest.OnProcess() at Microsoft.InfoCards.Request.ProcessRequest()
    at Microsoft.InfoCards.Request.DoProcessRequest(String& extendedMessage) at
    Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle,
    IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

    Error - 10/16/2012 11:42:29 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
    Description = Faulting application msimn.exe, version 6.0.2900.5512, faulting module
    comctl32.dll, version 6.0.2900.6028, fault address 0x0007475b.

    Error - 10/16/2012 11:42:36 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
    Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
    dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

    Error - 11/8/2012 2:20:56 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
    Description = Faulting application AVKProxy.exe, version 1.5.11301.183, faulting
    module AVKProxy.exe, version 1.5.11301.183, fault address 0x00039007.

    [ System Events ]
    Error - 11/9/2012 8:05:44 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7023
    Description = The IPSEC Services service terminated with the following error: %%1747

    Error - 11/9/2012 11:08:03 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7023
    Description = The IPSEC Services service terminated with the following error: %%1747

    Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
    Description = The DHCP Client service depends on the NetBios over Tcpip service
    which failed to start because of the following error: %%31

    Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
    Description = The DNS Client service depends on the TCP/IP Protocol Driver service
    which failed to start because of the following error: %%31

    Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
    Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
    service which failed to start because of the following error: %%31

    Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
    Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
    service which failed to start because of the following error: %%31

    Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
    Description = The IPSEC Services service depends on the IPSEC driver service which
    failed to start because of the following error: %%31

    Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD Fips GDMnIcpt HookCentre intelppm IPSec NetBT OMCI RasAcd Tcpip WS2IFSL

    Error - 11/10/2012 12:07:09 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 11/10/2012 12:07:29 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}


    < End of report >
  13. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    OTL logs are clean.

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  14. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    Security Check:
    Results of screen317's Security Check version 0.99.54
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Disabled!
    AVG 2012
    `````````Anti-malware/Other Utilities Check:`````````
    Secunia PSI (2.0.0.4003)
    Malwarebytes Anti-Malware version 1.65.1.1000
    CCleaner
    Java(TM) 6 Update 37
    Java version out of Date!
    Adobe Reader X (10.1.4)
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes' Anti-Malware mbamscheduler.exe
    G Data TotalSecurity Firewall GDFirewallTray.exe
    G Data TotalSecurity Firewall GDFwSvc.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 10%
    ````````````````````End of Log``````````````````````

    FarBar:

    Farbar Service Scanner Version: 09-11-2012
    Ran by Ed (administrator) on 10-11-2012 at 00:30:37
    Running from "C:\Documents and Settings\Ed\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
    0x0B00000005000000010000000200000003000000040000000800000009000000560000005A0000000600000007000000
    IpSec Tag value is correct.
    **** End of log ****
  15. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    # AdwCleaner v2.007 - Logfile created 11/10/2012 at 00:35:36
    # Updated 06/11/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Ed - ED-NXAIBJWWPXN5
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Ed\Desktop\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****
    Folder Deleted : C:\Documents and Settings\Ed\Application Data\Funmoods
    Folder Deleted : C:\Documents and Settings\Ed\Local Settings\Application Data\Wajam
    Folder Deleted : C:\Program Files\Conduit
    ***** [Registry] *****
    Key Deleted : HKCU\Software\Funmoods
    Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\Funmoods
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v8.0.6001.18702
    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0CtDtA0FtD0EyEtC0D0B0F0Ezy0B0BzytN0D0Tzu0CtAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871 --> hxxp://www.google.com
    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://searchfunmoods.com/?f=2&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0CtDtA0FtD0EyEtC0D0B0F0Ezy0B0BzytN0D0Tzu0CtAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871 --> hxxp://www.google.com
    *************************
    AdwCleaner[S1].txt - [3154 octets] - [10/11/2012 00:35:36]
    ########## EOF - C:\AdwCleaner[S1].txt - [3214 octets] ##########
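    The AdwCleaner entries above show the two places Funmoods hooked into Internet Explorer (a SearchScopes provider and the Start Page), and the FSS log before it shows the StandardProfile "EnableFirewall"=0 value. The PowerShell script below is an added example for checking a machine, not one of the tools used in this thread: it reads those same registry locations and flags a provider or start page pointing at searchfunmoods.com (the host taken from the log; the list is an assumption you would extend) and any firewall profile whose EnableFirewall value is not 1.

    ```powershell
    # Added example, not a tool from this thread: audit the IE search providers,
    # IE start page and Windows Firewall policy values that the AdwCleaner and
    # FSS logs above report. Run in an elevated PowerShell session.

    # Hosts that indicate a hijacked provider. The only entry is the host named in
    # the AdwCleaner log; extend it for your own environment (assumption).
    $SuspiciousHosts = @('searchfunmoods.com')

    function Test-SuspiciousUrl {
        param([string]$Url)
        if ([string]::IsNullOrEmpty($Url)) { return $false }
        foreach ($h in $SuspiciousHosts) {
            if ($Url -match [regex]::Escape($h)) { return $true }
        }
        return $false
    }

    function Get-IeSearchScope {
        # One object per search provider, from both the per-user and machine hives.
        # DefaultScope on the parent key names the provider IE actually uses.
        $roots = @('HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
                   'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes')
        foreach ($root in $roots) {
            if (-not (Test-Path -Path $root)) { continue }
            $default = (Get-ItemProperty -Path $root).DefaultScope
            foreach ($key in (Get-ChildItem -Path $root)) {
                $props = Get-ItemProperty -Path $key.PSPath
                New-Object -TypeName PSObject -Property @{
                    Hive       = $root.Substring(0, 4)
                    Scope      = $key.PSChildName
                    Name       = $props.DisplayName
                    Url        = $props.URL
                    IsDefault  = ($key.PSChildName -eq $default)
                    Suspicious = (Test-SuspiciousUrl -Url $props.URL)
                }
            }
        }
    }

    function Get-IeStartPage {
        # "Start Page" under ...\Internet Explorer\Main is the value AdwCleaner replaced.
        $roots = @('HKCU:\Software\Microsoft\Internet Explorer\Main',
                   'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main')
        foreach ($root in $roots) {
            if (-not (Test-Path -Path $root)) { continue }
            $props = Get-ItemProperty -Path $root
            New-Object -TypeName PSObject -Property @{
                Path       = $root
                StartPage  = $props.'Start Page'
                Suspicious = (Test-SuspiciousUrl -Url $props.'Start Page')
            }
        }
    }

    function Get-FirewallPolicyState {
        # FSS flagged "EnableFirewall"=DWORD:0 under StandardProfile and the OTL
        # report shows the same under DomainProfile; report both profiles.
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
        foreach ($profile in @('DomainProfile', 'StandardProfile')) {
            $path  = Join-Path -Path $base -ChildPath $profile
            $value = $null
            if (Test-Path -Path $path) {
                $value = (Get-ItemProperty -Path $path).EnableFirewall
            }
            New-Object -TypeName PSObject -Property @{
                Profile        = $profile
                EnableFirewall = $value
                Enabled        = ($value -eq 1)
            }
        }
    }

    # Report. Anything marked SUSPICIOUS or DISABLED is what the cleanup in this
    # thread had to fix by hand.
    foreach ($s in Get-IeSearchScope) {
        $flag = if ($s.Suspicious) { 'SUSPICIOUS' } else { 'ok' }
        $def  = if ($s.IsDefault)  { ' (default)' } else { '' }
        '{0} search provider {1}{2} [{3}] {4}' -f $s.Hive, $s.Name, $def, $flag, $s.Url
    }
    foreach ($p in Get-IeStartPage) {
        $flag = if ($p.Suspicious) { 'SUSPICIOUS' } else { 'ok' }
        '{0} Start Page [{1}] {2}' -f $p.Path, $flag, $p.StartPage
    }
    foreach ($f in Get-FirewallPolicyState) {
        $flag = if ($f.Enabled) { 'enabled' } else { 'DISABLED' }
        '{0} EnableFirewall={1} [{2}]' -f $f.Profile, $f.EnableFirewall, $flag
    }
    ```

    A provider marked SUSPICIOUS that is also the default is the condition Mister Ed describes (the search provider cannot be changed back in Manage Add-ons); a DISABLED profile with a third-party firewall installed, as here, is expected only while that firewall is actually running.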
  16. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    ESET Log:
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033430.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP299\A0033507.dll a variant of Win32/Toolbar.CrossRider.A application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP300\A0034157.exe Win32/DownloadAdmin.D application cleaned by deleting - quarantined
  17. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    Just an update, I no longer see Funmoods when I open a new browser tab, and it is no longer listed in the search Add-ons. :) However, Live Search (Bing?) is now showing up as default. In Manage Add-ons, I cannot change the default to Google. This was the same way that Funmoods was listed in the Add-on Manager.
  18. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Open IE, go Tools>Internet options>Advanced tab and click on "Reset" button.
    Restart IE.
    Same issue?

    Also, you're running two AV programs, AVG and G Data.
    You must uninstall one of them.
    If AVG, use AVG Remover: http://www.avg.com/us-en/utilities
  19. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    AVG - Must have been some residual crud that was left behind. I ran the remover for 32 bit AVG 12. Should be good now?

    Live Search is now gone from the search providers listed in the Manage Add-ons pop-up, and Google is set as default. So we are getting there. When I open IE (only the first instance), the Manage Add-ons pop-up opens automatically.

    All else appears to be good ... no more funmoods!!
  20. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Good :)

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ==============================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please let me know how your computer is doing.
  21. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    OTL Log:
    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Administrator.ED-NXAIBJWWPXN5
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Ed
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 20413509 bytes
    ->Java cache emptied: 1880 bytes
    ->Flash cache emptied: 761 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1266942 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 528 bytes

    Total Files Cleaned = 21.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: Administrator.ED-NXAIBJWWPXN5
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: Ed
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: Administrator.ED-NXAIBJWWPXN5

    User: All Users

    User: Default User

    User: Ed
    ->Java cache emptied: 0 bytes

    User: LocalService

    User: NetworkService
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 11102012_184318
    Files\Folders moved on Reboot...
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
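A small parser for the OTL [EMPTYTEMP] output above, added here as an example and not part of the thread or of OldTimer's tool. It sums the per-profile and system-wide byte counts so the "Total Files Cleaned" figure can be sanity-checked; the sample is an excerpt copied from the log in the post (the Administrator, Ed and NetworkService sections plus the system lines), and the 0.5 MB tolerance used for the check is an assumption, not an OTL rule.

```python
import re
from collections import defaultdict

# Excerpt of the OTL [EMPTYTEMP] output posted above (copied from the log, not constructed).
SAMPLE_LOG = """\
[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ed
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 20413509 bytes
->Java cache emptied: 1880 bytes
->Flash cache emptied: 761 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
Windows Temp folder emptied: 1266942 bytes
RecycleBin emptied: 528 bytes

Total Files Cleaned = 21.00 mb
"""

USER_RE = re.compile(r"^User:\s*(.+?)\s*$")
# "->Temp folder emptied: N bytes", "%systemdrive% .tmp files removed: N bytes", "RecycleBin emptied: N bytes"
ITEM_RE = re.compile(r"^(?:->)?(.+?)(?: folder)?(?: emptied| removed):\s*(\d+)\s*bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned\s*=\s*([\d.]+)\s*mb$", re.IGNORECASE)


def parse_emptytemp(text):
    """Return (bytes per user profile, system-wide bytes, reported total in MB or None).

    Only the [EMPTYTEMP] section is read; [EMPTYFLASH]/[EMPTYJAVA] that follow are skipped.
    Lines starting with '->' belong to the most recent 'User:' header; the rest are system-wide.
    """
    per_user = defaultdict(int)
    system_bytes = 0
    reported = None
    user = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[EMPTYTEMP]"
            user = None
            continue
        if not in_section or not line:
            continue
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = TOTAL_RE.match(line)
        if m:
            reported = float(m.group(1))
            continue
        m = ITEM_RE.match(line)
        if m:
            n = int(m.group(2))
            if line.startswith("->") and user:
                per_user[user] += n
            else:
                system_bytes += n
    return dict(per_user), system_bytes, reported


def total_bytes(text):
    """Sum of every byte count in the [EMPTYTEMP] section."""
    per_user, system_bytes, _ = parse_emptytemp(text)
    return sum(per_user.values()) + system_bytes


def mib_discrepancy(text):
    """Reported MB figure minus the summed bytes expressed in MiB (None if no total line)."""
    _, _, reported = parse_emptytemp(text)
    if reported is None:
        return None
    return reported - total_bytes(text) / 1048576


def summary_matches(text, tolerance_mb=0.5):
    """True when OTL's rounded total is within tolerance of the summed counts (tolerance is assumed)."""
    d = mib_discrepancy(text)
    return d is not None and abs(d) <= tolerance_mb


if __name__ == "__main__":
    users, sys_b, reported = parse_emptytemp(SAMPLE_LOG)
    for name, n in users.items():
        print(f"{name:20s} {n:>10d} bytes")
    print(f"{'(system)':20s} {sys_b:>10d} bytes")
    print(f"summed: {total_bytes(SAMPLE_LOG)} bytes, reported: {reported} mb, ok={summary_matches(SAMPLE_LOG)}")
```

On the excerpt the summed counts come to 21,716,790 bytes, which is about 20.7 MiB (or 21.7 MB in decimal units), so OTL's "21.00 mb" is a rounded figure rather than an exact conversion; the check treats it as consistent only because of the assumed tolerance.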
  22. Mister Ed

    Mister Ed Newcomer, in training Topic Starter Posts: 70

    Thanks for your help Boni!!!

    Problem is, you keep helping me fix this old thing (3rd time in 3 years) and then my better half won't let me get a new one!!:D
  23. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Hahaha...

    Good luck and stay safe :)