Trojan Horse Crypt.AQLW

Solved
By RedEd
Feb 29, 2012
  1. Hi, AVG tells me I'm infected with Trojan Horse Crypt.AQLW and does not seem able to remove the infection. Following the 5 steps, here are the results. Thank you for any help.

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.29.02

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Ed :: ED-PC [administrator]

    Protection: Enabled

    29/02/2012 11:04:28
    mbam-log-2012-02-29 (11-04-28).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 284139
    Time elapsed: 53 minute(s), 46 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 1
    C:\Recycle.Bin (Trojan.Spyeyes) -> Quarantined and deleted successfully.

    Files Detected: 2
    C:\Recycle.Bin\B6232F3AA59.exe (Trojan.Spyeyes) -> Quarantined and deleted successfully.
    C:\Recycle.Bin\481D2A6DA7EAFE9 (Trojan.Spyeyes) -> Quarantined and deleted successfully.

    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-29 16:33:48
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Maxtor_6Y120L0 rev.YAR41BW0
    Running: p5vthjdp.exe; Driver: C:\Users\Ed\AppData\Local\Temp\pxldapoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13D1 82C7C369 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CB5D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ? System32\drivers\jewk.sys The system cannot find the path specified. !
    .text C:\Windows\System32\Drivers\dfsc.sys section is writeable [0x8E2C7000, 0x3C9C, 0xE8000020]
    .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EE13000, 0x38CD55, 0xE8000020]
    PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A08D5000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
    PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A08D5123 629 Bytes [05, 8D, A0, FE, 05, 34, 05, ...]
    PAGE spsys.sys!?SPRevision@@3PADA + 5329 A08D5399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
    PAGE spsys.sys!?SPRevision@@3PADA + 538F A08D53FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
    PAGE spsys.sys!?SPRevision@@3PADA + 543B A08D54AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
    PAGE ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[1556] ntdll.dll!NtProtectVirtualMemory 77485F18 5 Bytes JMP 0052000A
    .text C:\Windows\system32\svchost.exe[1556] ntdll.dll!NtWriteVirtualMemory 77486A98 5 Bytes JMP 0059000A
    .text C:\Windows\system32\svchost.exe[1556] ntdll.dll!KiUserExceptionDispatcher 77486FE8 5 Bytes JMP 001B000A
    .text C:\Windows\System32\ping.exe[4392] ntdll.dll!NtCreateProcess 77485698 5 Bytes JMP 0055000A
    .text C:\Windows\System32\ping.exe[4392] ntdll.dll!NtCreateProcessEx 774856A8 5 Bytes JMP 0056000A
    .text C:\Windows\System32\ping.exe[4392] ntdll.dll!NtCreateUserProcess 77485778 5 Bytes JMP 0057000A
    .text C:\Windows\System32\ping.exe[4392] ntdll.dll!NtProtectVirtualMemory 77485F18 5 Bytes JMP 003E000A
    .text C:\Windows\System32\ping.exe[4392] ntdll.dll!NtWriteVirtualMemory 77486A98 5 Bytes JMP 003F000A
    .text C:\Windows\System32\ping.exe[4392] ntdll.dll!KiUserExceptionDispatcher 77486FE8 5 Bytes JMP 003D000A
    .text C:\Windows\System32\ping.exe[4392] USER32.dll!GetCursorPos 7516A4B3 5 Bytes JMP 008F000A
    .text C:\Windows\System32\ping.exe[4392] USER32.dll!GetForegroundWindow 7517335D 5 Bytes JMP 0091000A
    .text C:\Windows\System32\ping.exe[4392] USER32.dll!WindowFromPoint 75196BE9 5 Bytes JMP 0090000A
    .text C:\Windows\System32\ping.exe[4392] ole32.dll!CoCreateInstance 75BB9D0B 5 Bytes JMP 005D000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\TEMP\mtbuaj\setup.exe[2176] @ C:\Windows\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\TEMP\mtbuaj\setup.exe[2176] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\TEMP\mtbuaj\setup.exe[2176] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\TEMP\mtbuaj\setup.exe[2176] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\TEMP\mtbuaj\setup.exe[2176] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2552] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2552] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2552] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2552] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2552] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74D0FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\ACPI_HAL \Device\00000056 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) 8E2A3000-8E2C6000 (143360 bytes)

    ---- Processes - GMER 1.0.15 ----

    Process C:\Windows\System32\ping.exe (*** hidden *** ) 4392

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\$NtUninstallKB9130$\1825098505 0 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553 0 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\@ 2048 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\cfg.ini 296 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\Desktop.ini 4608 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\L 0 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\L\xadqgnnk 78336 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\oemid 130 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\U 0 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\U\00000001.@ 2048 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\U\00000002.@ 224768 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\U\00000004.@ 1024 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\U\80000000.@ 66560 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\U\80000004.@ 12800 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\U\80000032.@ 73216 bytes
    File C:\Windows\$NtUninstallKB9130$\2727051553\version 842 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U9BMHDI\background_gradient[2] 453 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U9BMHDI\bullet[2] 447 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8MN4SDEE\bullet[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6M0OIET\httpErrorPagesScripts[1] 0 bytes
    File C:\Windows\Temp\~DF6B742880D68DE119.TMP 0 bytes
    File C:\Windows\Temp\~DFB66948AF3F29F320.TMP 0 bytes

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
    Run by Ed at 16:36:58 on 2012-02-29
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Windows\TEMP\mtbuaj\setup.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\sppsvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWlan.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
    C:\totalcmd\TOTALCMD.EXE
    C:\Windows\system32\conhost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\W2ww4sH.com
    C:\Windows\system32\W2WW4S~1.COM
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\W2ww4sH.com
    C:\Program Files\AVG\AVG2012\avgui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Ed\Downloads\dds.scr
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [<NO NAME>]
    uRun: [NokiaSuite.exe] c:\program files\nokia\nokia suite\NokiaSuite.exe -tray
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    LSP: mswsock.dll
    Trusted Zone: alipay.com
    Trusted Zone: alisoft.com
    Trusted Zone: taobao.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    TCP: Interfaces\{21C6F387-FCEA-420A-86F4-973DBEC97120} : DhcpNameServer = 194.168.4.100 194.168.8.100
    TCP: Interfaces\{238FBD14-0FEC-4186-932C-E1225B93772E} : DhcpNameServer = 194.168.4.100 194.168.8.100
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Notify: wemneka - c:\windows\system32\config\systemprofile\appdata\local\wemneka.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
    LSA: Authentication Packages = msv1_0 relog_ap
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\ed\appdata\roaming\mozilla\firefox\profiles\x7uoiu9s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\foxit software\foxit phantompdf\plugins\npFoxitPhantomPDFPlugin.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwangwang.dll
    FF - plugin: c:\program files\trademanager\npwangwang.dll
    FF - plugin: c:\users\ed\appdata\roaming\mozilla\firefox\profiles\x7uoiu9s.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npAclmPlugin.dll
    FF - plugin: c:\users\ed\appdata\roaming\mozilla\firefox\profiles\x7uoiu9s.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    2 AMService;AMService
    R? avgtdi;EUSBMSD
    R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
    R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
    R? gupdate;Google Update Service (gupdate)
    R? gupdatem;Google Update Service (gupdatem)
    R? mcafeeframework;Tpkmpsvc
    R? Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service
    R? osppsvc;Office Software Protection Platform
    R? PEVSystemStart;Avpnnic
    R? RdpVideoMiniport;Remote Desktop Video Miniport Driver
    R? Synth3dVsc;Synth3dVsc
    R? TsUsbFlt;TsUsbFlt
    R? tsusbhub;tsusbhub
    R? umpusbvista;Texas Instruments USB Serial Driver
    R? vet-filt;Wdmaud
    R? VGPU;VGPU
    R? WatAdminSvc;Windows Activation Technologies Service
    S? AMD External Events Utility;AMD External Events Utility
    S? amdkmdag;amdkmdag
    S? amdkmdap;amdkmdap
    S? AVGIDSEH;AVGIDSEH
    S? Avgldx86;AVG AVI Loader Driver
    S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
    S? Avgrkx86;AVG Anti-Rootkit Driver
    S? avgwd;AVG WatchDog
    S? MBAMProtector;MBAMProtector
    S? MBAMService;MBAMService
    S? Realtek11nCU;Realtek11nCU
    S? RTL8167;Realtek 8167 NT Driver
    S? RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter
    S? vwififlt;Virtual WiFi Filter Driver
    .
    =============== Created Last 30 ================
    .
    2012-02-29 11:02:24 -------- d-----w- c:\users\ed\appdata\roaming\Malwarebytes
    2012-02-29 11:02:05 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-29 11:02:04 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-29 11:02:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-29 05:34:02 83456 ----a-w- c:\windows\system32\W2ww4sH.com
    2012-02-29 02:03:52 83456 ----a-w- c:\windows\system32\W2ww4sH.com_
    2012-02-28 22:32:21 -------- d--h--w- C:\$AVG
    2012-02-28 22:31:21 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-28 20:21:00 -------- d-----w- c:\users\ed\appdata\local\ReliefJet Essentials
    2012-02-28 19:47:03 -------- d--h--w- c:\programdata\Common Files
    2012-02-28 19:46:59 -------- d-----w- c:\users\ed\appdata\roaming\AVG2012
    2012-02-28 19:45:13 -------- d-----w- c:\windows\system32\drivers\AVG
    2012-02-28 19:45:13 -------- d-----w- c:\programdata\AVG2012
    2012-02-28 19:43:53 -------- d-----w- c:\program files\AVG
    2012-02-28 19:36:43 -------- d-----w- c:\programdata\MFAData
    2012-02-28 10:23:19 -------- d-----w- c:\users\ed\appdata\local\{928C28D1-CF31-40B0-80C6-40ED46AAD963}
    2012-02-28 10:23:07 -------- d-----w- c:\users\ed\appdata\local\{59D9C12F-AE5C-45A0-B534-62DAC15E1F5E}
    2012-02-27 16:49:36 -------- d-----w- c:\users\ed\appdata\local\{306C849C-CB13-48A1-863E-C353BF9A5A5C}
    2012-02-27 16:49:24 -------- d-----w- c:\users\ed\appdata\local\{1EEB30EC-52DA-4E18-A50C-AF2326DB4178}
    2012-02-27 16:49:12 -------- d-----w- c:\users\ed\appdata\roaming\Windows Live Writer
    2012-02-27 16:49:12 -------- d-----w- c:\users\ed\appdata\local\Windows Live Writer
    2012-02-27 16:38:08 -------- d-----w- c:\users\ed\appdata\local\Windows Live
    2012-02-27 16:38:00 -------- d-----w- c:\program files\common files\Windows Live
    2012-02-26 15:30:20 -------- d-----w- C:\Jan
    2012-02-26 13:51:56 -------- d-----w- c:\program files\MSXML 4.0
    2012-02-24 23:01:36 -------- d-----w- c:\users\ed\appdata\roaming\Nokia Suite
    2012-02-24 22:59:00 -------- d-----w- c:\users\ed\appdata\local\NokiaAccount
    2012-02-24 22:50:02 -------- d-----w- c:\users\ed\appdata\local\Nokia
    2012-02-24 22:49:00 -------- d-----w- c:\programdata\Nokia
    2012-02-24 22:49:00 -------- d-----w- c:\program files\common files\Nokia
    2012-02-24 22:48:01 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2012-02-24 22:47:40 -------- d-----w- c:\program files\PC Connectivity Solution
    2012-02-24 22:47:20 75264 ----a-w- c:\windows\system32\nmwcdcls.dll
    2012-02-24 22:46:44 -------- d-----w- c:\programdata\NokiaInstallerCache
    2012-02-24 22:46:44 -------- d-----w- c:\program files\Nokia
    2012-02-24 22:17:10 -------- d-----w- c:\users\ed\appdata\roaming\Blackberry Desktop
    2012-02-24 22:05:47 -------- d-----w- c:\users\ed\appdata\local\Research In Motion
    2012-02-24 22:05:46 -------- d-----w- c:\users\ed\appdata\roaming\Research In Motion
    2012-02-24 22:04:04 35328 ----a-w- c:\windows\system32\drivers\RimSerial.sys
    2012-02-24 22:03:33 -------- d-----w- c:\programdata\Research In Motion
    2012-02-24 22:03:20 -------- d-----w- c:\program files\Research In Motion
    2012-02-24 22:03:20 -------- d-----w- c:\program files\common files\Research In Motion
    2012-02-24 17:20:47 -------- d-----w- c:\windows\system32\aliedit
    2012-02-24 17:20:39 -------- d-----w- c:\program files\Trademanager
    2012-02-24 17:17:47 -------- d-----w- c:\users\ed\appdata\local\Alibaba
    2012-02-18 11:19:03 -------- d-----w- c:\users\ed\appdata\roaming\Scooter Software
    2012-02-18 11:18:56 -------- d-----w- c:\program files\Beyond Compare 3
    2012-02-18 03:10:38 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c968969d-d305-4e77-a2be-728079485787}\mpengine.dll
    2012-02-17 17:57:03 -------- d-----w- c:\program files\IMAPSize
    2012-02-17 17:09:45 -------- d-----w- c:\users\ed\appdata\roaming\Helios
    2012-02-17 17:09:11 49152 ----a-r- c:\users\ed\appdata\roaming\microsoft\installer\{b6ec7388-e277-4a5b-8c8f-71067a41ba64}\NewShortcut1.exe
    2012-02-17 17:09:11 49152 ----a-r- c:\users\ed\appdata\roaming\microsoft\installer\{b6ec7388-e277-4a5b-8c8f-71067a41ba64}\ARPPRODUCTICON.exe
    2012-02-17 17:09:08 -------- d-----w- c:\program files\TextPad 5
    2012-02-15 17:24:18 89600 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HPZPPLHN.DLL
    2012-02-15 17:21:11 -------- d-----w- c:\users\ed\appdata\local\ElevatedDiagnostics
    2012-02-15 17:02:07 -------- d-----w- c:\program files\HP
    2012-02-15 15:18:35 690688 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 15:16:33 2343424 ----a-w- c:\windows\system32\win32k.sys
    2012-02-04 12:59:55 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2012-02-04 12:59:55 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
    2012-02-04 12:59:19 129248 ----a-w- c:\windows\system32\drivers\snapman.sys
    2012-02-04 12:59:01 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys
    2012-02-01 22:42:55 -------- d-----w- c:\users\ed\appdata\roaming\River Past G2
    2012-01-31 21:54:25 -------- d-----w- c:\users\ed\appdata\local\Adobe
    2012-01-31 21:53:37 -------- d-----w- c:\users\ed\appdata\roaming\MrSmooth.1F1C2CE6230412E7752D206B573506D8446D8E6A.1
    2012-01-31 21:53:25 -------- d-----w- c:\program files\MrSmooth
    2012-01-31 21:52:29 -------- d-----w- c:\program files\Mr Smooth
    .
    ==================== Find3M ====================
    .
    2012-02-17 19:51:03 286720 ------w- c:\windows\Setup1.exe
    2012-02-17 19:50:59 73216 ----a-w- c:\windows\ST6UNST.EXE
    2012-01-28 19:37:18 87608 ----a-w- c:\users\ed\appdata\roaming\inst.exe
    2012-01-28 19:37:18 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2012-01-28 19:37:18 47360 ----a-w- c:\users\ed\appdata\roaming\pcouffin.sys
    2012-01-27 00:21:24 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-17 22:58:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-08 13:27:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-07 17:23:59 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2012-01-07 15:11:00 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-01-07 10:01:56 0 ----a-w- c:\windows\ativpsrm.bin
    2012-01-06 08:00:00 545 ----a-w- c:\windows\UC.PIF
    2012-01-06 08:00:00 545 ----a-w- c:\windows\RAR.PIF
    2012-01-06 08:00:00 545 ----a-w- c:\windows\PKZIP.PIF
    2012-01-06 08:00:00 545 ----a-w- c:\windows\PKUNZIP.PIF
    2012-01-06 08:00:00 545 ----a-w- c:\windows\LHA.PIF
    2012-01-06 08:00:00 545 ----a-w- c:\windows\ARJ.PIF
    2011-12-29 18:00:00 79360 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-12-21 18:14:02 151552 ----a-w- c:\windows\system32\ac3acm.acm
    2011-12-19 14:12:00 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
    2011-12-19 14:11:58 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2011-12-19 14:11:58 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
    2011-12-19 14:11:58 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
    2011-12-19 14:11:56 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
    2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
    2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 16:45:35.16 ===============
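As an added triage example (this is not code from the original post, nor any forum tool's own script), the following Python scans GMER and DDS style log lines for the kinds of indicators visible in the logs above: a process and a kernel module GMER marks as hidden, inline JMP hooks on ntdll exports that originate from that hidden PID, files carrying an "@" pseudo-extension under a $NtUninstall* folder, a process running out of C:\Windows\TEMP, a .com executable under system32, a Winlogon Notify DLL living outside system32, and EnableLUA = 0. The rule names, severity labels and the sample excerpt are my own constructions modelled on the posted logs; the "outside system32" check assumes a default C:\Windows install. Hooks from non-hidden processes are only rated medium because security products such as the installed AVG also hook ntdll, so a hook on its own is not proof of malware.

```python
"""Triage helper for GMER / DDS scan logs (added example, not part of the original thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the logs posted above; a real run would read the full log files.
SAMPLE_LOG = r"""
.text C:\Windows\System32\ping.exe[4392] ntdll.dll!NtProtectVirtualMemory 77485F18 5 Bytes JMP 003E000A
.text C:\Windows\System32\ping.exe[4392] ntdll.dll!NtCreateUserProcess 77485778 5 Bytes JMP 0057000A
.text C:\Windows\system32\svchost.exe[1556] ntdll.dll!NtWriteVirtualMemory 77486A98 5 Bytes JMP 0059000A
Module (noname) (*** hidden *** ) 8E2A3000-8E2C6000 (143360 bytes)
Process C:\Windows\System32\ping.exe (*** hidden *** ) 4392
File C:\Windows\$NtUninstallKB9130$\2727051553\U\80000032.@ 73216 bytes
File C:\Windows\$NtUninstallKB9130$\2727051553\cfg.ini 296 bytes
C:\Windows\TEMP\mtbuaj\setup.exe
C:\Windows\system32\W2ww4sH.com
C:\Windows\system32\svchost.exe -k DcomLaunch
Notify: wemneka - c:\windows\system32\config\systemprofile\appdata\local\wemneka.dll
mPolicies-system: EnableLUA = 0 (0x0)
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
"""


@dataclass(frozen=True)
class Finding:
    rule: str       # hypothetical rule name chosen for this example
    severity: str   # "high" or "medium"
    detail: str


# GMER user-mode hook line: .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>
HOOK_RE = re.compile(r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[\w.]+)!(?P<func>\w+) "
                     r"[0-9A-F]+ \d+ Bytes JMP (?P<target>[0-9A-F]+)$")
HIDDEN_PROC_RE = re.compile(r"^Process (?P<image>.+?) \(\*\*\* hidden \*\*\* \) (?P<pid>\d+)$")
HIDDEN_MOD_RE = re.compile(r"^Module .*\(\*\*\* hidden \*\*\* \) (?P<range>[0-9A-F]+-[0-9A-F]+)")
GMER_FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<path>.+)$", re.I)
LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = (?P<val>\d+)")
# DDS "Running Processes" line: a full image path, optionally followed by " -args"
PROC_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|com|scr))(?: -.*)?$", re.I)
# Assumes a default install; a Notify DLL is expected directly under C:\Windows\system32.
SYSTEM32_DLL_RE = re.compile(r"c:\\windows\\system32\\[^\\]+\.dll")


def triage(log_text: str) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: list[Finding] = []

    # Pass 1: objects GMER could only see by bypassing the normal Windows API.
    hidden_pids: dict[str, str] = {}
    for ln in lines:
        if m := HIDDEN_PROC_RE.match(ln):
            hidden_pids[m["pid"]] = m["image"]
            findings.append(Finding("hidden-process", "high",
                                    f'{m["image"]} pid {m["pid"]} is hidden from the process list'))
        elif m := HIDDEN_MOD_RE.match(ln):
            findings.append(Finding("hidden-kernel-module", "high", f'unnamed hidden module at {m["range"]}'))

    # Pass 2: everything else, correlating hooks against the hidden PID set.
    for ln in lines:
        if m := HOOK_RE.match(ln):
            sev = "high" if m["pid"] in hidden_pids else "medium"   # AV products hook ntdll too
            findings.append(Finding("inline-hook", sev,
                                    f'{m["image"]}[{m["pid"]}] hooks {m["module"]}!{m["func"]} -> {m["target"]}'))
        elif m := GMER_FILE_RE.match(ln):
            name = m["path"].rsplit("\\", 1)[-1]
            if "$ntuninstall" in m["path"].lower() and (name == "@" or name.endswith(".@")):
                findings.append(Finding("hidden-at-file", "high", f'{m["path"]} ({m["size"]} bytes)'))
        elif m := NOTIFY_RE.match(ln):
            if not SYSTEM32_DLL_RE.fullmatch(m["path"].lower()):
                findings.append(Finding("notify-dll-outside-system32", "high", f'{m["name"]} -> {m["path"]}'))
        elif m := LUA_RE.match(ln):
            if m["val"] == "0":
                findings.append(Finding("uac-disabled", "medium", "EnableLUA = 0: UAC is switched off"))
        elif m := PROC_RE.match(ln):
            p = m["path"].lower()
            if "\\windows\\temp\\" in p or "\\appdata\\local\\temp\\" in p:
                findings.append(Finding("process-from-temp", "high", m["path"]))
            elif p.endswith(".com") and "\\system32\\" in p:
                findings.append(Finding("com-binary-in-system32", "medium", m["path"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {'inline-hook': 3, 'hidden-process': 1, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: (f.severity != "high", f.rule)):
        print(f"[{f.severity:6}] {f.rule:28} {f.detail}")
```

Run against the real mbam, GMER and DDS text files by reading them and concatenating them before calling triage(); the rules are line-local apart from the hidden-PID correlation, so section headers in the full logs do not matter.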
  2. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    ....cont

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume2
    Install Date: 05/01/2012 23:12:18
    System Uptime: 29/02/2012 12:18:24 (4 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA785GM-US2H
    Processor: AMD Phenom(tm) 9850 Quad-Core Processor | Socket M2 | 1300/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 114 GiB total, 53.721 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP46: 28/02/2012 20:19:56 - Installed ReliefJet Essentials for Outlook
    .
    ==== Installed Programs ======================
    .
    5Spice Analysis 1.65
    7-Zip 9.20
    Acronis True Image Home
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    µTorrent
    AVG 2012
    Beyond Compare Version 3.3.3
    BlackBerry Desktop Software 6.1
    Bonjour
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    ConvertXtoDVD 4.0.9.322
    D3DX10
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    File Shredder 2.0
    Foxit PhantomPDF
    Google Earth
    Google Update Helper
    Hewlett-Packard ACLM.NET v1.1.0.0
    HP Product Detection
    IMAPSize 0.3.7
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 29
    Junk Mail filter update
    K-Lite Codec Pack 8.1.0 (Full)
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft IntelliPoint 8.2
    Microsoft IntelliType Pro 8.2
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Project MUI (English) 2010
    Microsoft Office Project Professional 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Project 2010 Service Pack 1 (SP1)
    Microsoft Project Professional 2010
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC100_CRT_SP1_x86
    MozBackup 1.5.1
    Mozilla Firefox 9.0.1 (x86 en-GB)
    Mozilla Thunderbird 10.0.2 (x86 en-GB)
    Mr Smooth v1.0
    MrSmooth
    MSVC80_x86_v2
    MSVC90_x86
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nokia Connectivity Cable Driver
    Nokia Suite
    Oracle VM VirtualBox 4.1.8
    PC Connectivity Solution
    Polipo 1.0.4.1
    Pool-Mate Link
    Pool-Mate Pro Vista and Windows 7
    Pool-Mate Pro Vista and Windows 7 (C:\Program Files\Pool-Mate Pro\)
    REALTEK Wireless LAN Driver and Utility
    ReliefJet Essentials for Outlook
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
    Skype™ 5.5
    Texas Instruments TUSB3410 drivers.
    TextPad 5
    Tor 0.2.2.35
    Total Commander (Remove or Repair)
    TrueCrypt
    TUSB3410
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
    Update for Microsoft Outlook Social Connector (KB2583935)
    Vidalia 0.2.15
    VirtualCloneDrive
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live MIME IFilter
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Xilisoft Video Converter Ultimate 6
    Youtube Downloader HD v. 2.8
    .
    ==== Event Viewer Messages From Past Week ========
    .
    29/02/2012 16:45:46, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    29/02/2012 16:36:20, Error: Service Control Manager [7023] - The HECI service terminated with the following error: Access is denied.
    29/02/2012 12:26:01, Error: Service Control Manager [7023] - The Hpzipr12 service terminated with the following error: Access is denied.
    29/02/2012 12:25:07, Error: Service Control Manager [7023] - The SNDO763 service terminated with the following error: Access is denied.
    29/02/2012 12:23:47, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    29/02/2012 12:19:02, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Zenos1 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The ZDPSp50 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Wlancig service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Wdmaud service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Vet-filt service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Vaiomediaplatform-integratedserver-http service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The UVCFTR service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The USB11LDR service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The UimBus service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Tpkmpsvc service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Szserver service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Sysmonlog service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The SWNC5E00 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The SrvcEPIOMngr service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The SQLWriter service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The SprintRcAppSvc service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Sis162u service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Si3132r5 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Sgeclient service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The SenFiltService service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Scdemu service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Rvsinst service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Rdpnp service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Procexp90 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Pnkbstra service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Nipsvc service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Nim32 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Monfilt service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Ma_cmidi_installerservice service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Ltxred service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The LoopBeMidi1 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Lmimirr service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The KS0108 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The K750mgmt service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Iaimfp3 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Hpwirelessmgr service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Fips service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The FETNDIS service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The EUSBMSD service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Emproxy service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The DynDNS_Updater_Service service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Dell1100_FUService service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Dcstor32 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Db2das00 service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Cvsnt service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Compaq_rba service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The CdaD10BA service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Bt3cser service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Beatjammusicstreamingserver service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Bdfdll service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Aw_host service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Avsinc service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Avpnnic service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The ALYac_PZSrv service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The A016mdm service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7023] - The 3dkeybd service terminated with the following error: The specified module could not be found.
    29/02/2012 12:19:01, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    29/02/2012 12:19:01, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    29/02/2012 12:18:59, Error: Service Control Manager [7023] - The W550mdfl service terminated with the following error: The specified module could not be found.
    29/02/2012 12:11:31, Error: Service Control Manager [7023] - The Sgeclient service terminated with the following error: Access is denied.
    29/02/2012 11:56:32, Error: Service Control Manager [7023] - The Pnkbstra service terminated with the following error: Access is denied.
    29/02/2012 11:41:31, Error: Service Control Manager [7023] - The A016mdm service terminated with the following error: Access is denied.
    29/02/2012 11:26:31, Error: Service Control Manager [7023] - The Avsinc service terminated with the following error: Access is denied.
    29/02/2012 11:11:32, Error: Service Control Manager [7023] - The UimBus service terminated with the following error: Access is denied.
    29/02/2012 10:56:32, Error: Service Control Manager [7023] - The Si3132r5 service terminated with the following error: Access is denied.
    29/02/2012 10:41:33, Error: Service Control Manager [7023] - The Rvsinst service terminated with the following error: Access is denied.
    29/02/2012 10:26:32, Error: Service Control Manager [7023] - The KS0108 service terminated with the following error: Access is denied.
    29/02/2012 10:11:32, Error: Service Control Manager [7023] - The Zenos1 service terminated with the following error: Access is denied.
    29/02/2012 10:07:21, Error: Service Control Manager [7030] - The AMService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    29/02/2012 10:04:33, Error: Service Control Manager [7023] - The W550mdfl service terminated with the following error: Access is denied.
    29/02/2012 09:56:32, Error: Service Control Manager [7023] - The Fips service terminated with the following error: Access is denied.
    29/02/2012 09:41:32, Error: Service Control Manager [7023] - The Vaiomediaplatform-integratedserver-http service terminated with the following error: Access is denied.
    29/02/2012 09:26:31, Error: Service Control Manager [7023] - The DynDNS_Updater_Service service terminated with the following error: Access is denied.
    29/02/2012 09:14:17, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Realtek11nCU service.
    29/02/2012 09:11:31, Error: Service Control Manager [7023] - The Sis162u service terminated with the following error: Access is denied.
    29/02/2012 08:56:31, Error: Service Control Manager [7023] - The Db2das00 service terminated with the following error: Access is denied.
    29/02/2012 08:41:31, Error: Service Control Manager [7023] - The CdaD10BA service terminated with the following error: Access is denied.
    29/02/2012 08:26:31, Error: Service Control Manager [7023] - The Ma_cmidi_installerservice service terminated with the following error: Access is denied.
    29/02/2012 08:11:31, Error: Service Control Manager [7023] - The USB11LDR service terminated with the following error: Access is denied.
    29/02/2012 07:56:31, Error: Service Control Manager [7023] - The Compaq_rba service terminated with the following error: Access is denied.
    29/02/2012 07:55:31, Error: Service Control Manager [7023] - The SprintRcAppSvc service terminated with the following error: Access is denied.
    29/02/2012 07:47:44, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0x8cbfc000, 0x00000000, 0x861d07f0, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 022912-133536-01.
    29/02/2012 07:47:28, Error: Service Control Manager [7023] - The SrvcEPIOMngr service terminated with the following error: Access is denied.
    29/02/2012 07:47:27, Error: Service Control Manager [7023] - The ZDPSp50 service terminated with the following error: Access is denied.
    29/02/2012 07:47:27, Error: Service Control Manager [7023] - The Wdmaud service terminated with the following error: Access is denied.
    29/02/2012 07:47:27, Error: Service Control Manager [7023] - The SenFiltService service terminated with the following error: Access is denied.
    29/02/2012 07:47:27, Error: Service Control Manager [7023] - The Rdpnp service terminated with the following error: Access is denied.
    29/02/2012 07:47:27, Error: Service Control Manager [7023] - The Ltxred service terminated with the following error: Access is denied.
    29/02/2012 07:47:26, Error: Service Control Manager [7023] - The Sysmonlog service terminated with the following error: Access is denied.
    29/02/2012 07:47:26, Error: Service Control Manager [7023] - The Lmimirr service terminated with the following error: Access is denied.
    29/02/2012 07:47:26, Error: Service Control Manager [7023] - The Dcstor32 service terminated with the following error: Access is denied.
    29/02/2012 07:47:25, Error: Service Control Manager [7023] - The Scdemu service terminated with the following error: Access is denied.
    29/02/2012 07:47:25, Error: Service Control Manager [7023] - The Dell1100_FUService service terminated with the following error: Access is denied.
    29/02/2012 07:47:25, Error: Service Control Manager [7023] - The Cvsnt service terminated with the following error: Access is denied.
    29/02/2012 07:47:25, Error: Service Control Manager [7023] - The Bt3cser service terminated with the following error: Access is denied.
    29/02/2012 07:47:24, Error: Service Control Manager [7023] - The Iaimfp3 service terminated with the following error: Access is denied.
    29/02/2012 07:47:23, Error: Service Control Manager [7023] - The Vet-filt service terminated with the following error: Access is denied.
    29/02/2012 07:47:23, Error: Service Control Manager [7023] - The Szserver service terminated with the following error: Access is denied.
    29/02/2012 07:47:23, Error: Service Control Manager [7023] - The Procexp90 service terminated with the following error: Access is denied.
    29/02/2012 07:47:23, Error: Service Control Manager [7023] - The Hpwirelessmgr service terminated with the following error: Access is denied.
    29/02/2012 07:47:23, Error: Service Control Manager [7023] - The Bdfdll service terminated with the following error: Access is denied.
    29/02/2012 07:47:22, Error: Service Control Manager [7023] - The Tpkmpsvc service terminated with the following error: Access is denied.
    29/02/2012 07:47:22, Error: Service Control Manager [7023] - The K750mgmt service terminated with the following error: Access is denied.
    29/02/2012 07:47:22, Error: Service Control Manager [7023] - The FETNDIS service terminated with the following error: Access is denied.
    29/02/2012 07:47:22, Error: Service Control Manager [7023] - The ALYac_PZSrv service terminated with the following error: Access is denied.
    29/02/2012 07:47:21, Error: Service Control Manager [7023] - The UVCFTR service terminated with the following error: Access is denied.
    29/02/2012 07:47:21, Error: Service Control Manager [7023] - The Monfilt service terminated with the following error: Access is denied.
    29/02/2012 07:47:20, Error: Service Control Manager [7023] - The SQLWriter service terminated with the following error: Access is denied.
    29/02/2012 01:27:12, Error: Service Control Manager [7023] - The Aw_host service terminated with the following error: Access is denied.
    29/02/2012 01:12:24, Error: Service Control Manager [7023] - The Wlancig service terminated with the following error: Access is denied.
    29/02/2012 00:59:11, Error: Service Control Manager [7023] - The Emproxy service terminated with the following error: Access is denied.
    29/02/2012 00:57:06, Error: Service Control Manager [7023] - The LoopBeMidi1 service terminated with the following error: Access is denied.
    29/02/2012 00:42:22, Error: Service Control Manager [7023] - The EUSBMSD service terminated with the following error: Access is denied.
    29/02/2012 00:27:13, Error: Service Control Manager [7023] - The Beatjammusicstreamingserver service terminated with the following error: Access is denied.
    29/02/2012 00:26:14, Error: Service Control Manager [7023] - The Avpnnic service terminated with the following error: Access is denied.
    29/02/2012 00:12:03, Error: Service Control Manager [7023] - The 3dkeybd service terminated with the following error: Access is denied.
    28/02/2012 22:51:34, Error: Service Control Manager [7023] - The SWNC5E00 service terminated with the following error: Access is denied.
    28/02/2012 22:32:22, Error: Service Control Manager [7023] - The Nim32 service terminated with the following error: Access is denied.
    28/02/2012 22:31:23, Error: Service Control Manager [7023] - The Nipsvc service terminated with the following error: Access is denied.
    26/02/2012 15:16:17, Error: Microsoft-Windows-BitLocker-Driver [24620] - Encrypted volume check: Volume information on cannot be read.
    25/02/2012 10:44:27, Error: VDS Dynamic Provider [22] - The provider encountered an error while converting the basic disk to a dynamic disk. status=C00000BB, Disk number=3
    25/02/2012 10:40:01, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
    25/02/2012 08:54:33, Error: Ntfs [137] - The default transaction resource manager on volume D: encountered a non-retryable error and could not start. The data contains the error code.
    25/02/2012 08:54:27, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR3.
    24/02/2012 22:47:55, Error: Service Control Manager [7030] - The ServiceLayer service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    24/02/2012 22:11:59, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
    24/02/2012 12:03:17, Error: Ntfs [137] - The default transaction resource manager on volume L: encountered a non-retryable error and could not start. The data contains the error code.
    22/02/2012 23:24:50, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
    .
    ==== End Of File ===========================
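The "Event Viewer Messages From Past Week" block above is dominated by Service Control Manager 7023 events, and the questions an analyst asks first when triaging a DDS log like this are how many distinct services failed, with which error text, and how tightly clustered in time they are; counting that by hand across a hundred lines is error-prone. The following Python script is an added helper, not part of this thread, of DDS, or of any tool the helpers here use. It parses lines in the exact `DD/MM/YYYY HH:MM:SS, Level: Source [ID] - text` format DDS emits, pulls the service name and error text out of each 7023 message, totals failures per error text, and flags any minute in which at least five distinct services failed with the same error. The embedded sample is a constructed subset of the log lines above, and the five-services-per-minute threshold is an assumption chosen for illustration; the script only surfaces clusters for review and makes no judgement about whether any service is malicious.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the DDS "Event Viewer Messages" lines from
# the log above, unchanged, in the format DDS emits.
SAMPLE_LINES = [
    "29/02/2012 16:45:46, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.",
    "29/02/2012 12:19:02, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.",
    "29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Zenos1 service terminated with the following error: The specified module could not be found.",
    "29/02/2012 12:19:01, Error: Service Control Manager [7023] - The ZDPSp50 service terminated with the following error: The specified module could not be found.",
    "29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Wlancig service terminated with the following error: The specified module could not be found.",
    "29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Wdmaud service terminated with the following error: The specified module could not be found.",
    "29/02/2012 12:19:01, Error: Service Control Manager [7023] - The Vet-filt service terminated with the following error: The specified module could not be found.",
    "29/02/2012 12:19:01, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.",
    "29/02/2012 12:11:31, Error: Service Control Manager [7023] - The Sgeclient service terminated with the following error: Access is denied.",
    "29/02/2012 11:56:32, Error: Service Control Manager [7023] - The Pnkbstra service terminated with the following error: Access is denied.",
    r"29/02/2012 07:47:44, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0x8cbfc000, 0x00000000, 0x861d07f0, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 022912-133536-01.",
]

# One DDS event line: timestamp, level, source, numeric event id, message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
# Message body of a Service Control Manager 7023 event.
SCM_7023_RE = re.compile(
    r"^The (?P<service>.+?) service terminated with the following error: (?P<reason>.+)$"
)


def parse_line(line):
    """Parse one DDS event line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S")
    rec["event_id"] = int(rec["event_id"])
    return rec


def parse_log(lines):
    """Parse every line that matches the DDS format; skip anything else (e.g. '.' separators)."""
    return [r for r in (parse_line(l) for l in lines) if r]


def service_failures(records):
    """Return (timestamp, service name, error text) for each SCM 7023 event."""
    out = []
    for r in records:
        if r["source"] == "Service Control Manager" and r["event_id"] == 7023:
            m = SCM_7023_RE.match(r["message"])
            if m:
                out.append((r["ts"], m.group("service"), m.group("reason")))
    return out


def reasons_summary(failures):
    """Count 7023 failures per error text (e.g. 'Access is denied.')."""
    return Counter(reason for _, _, reason in failures)


def failure_bursts(failures, min_services=5):
    """Bucket failures by (error text, minute) and return buckets in which at least
    min_services distinct services failed with the same error text."""
    buckets = defaultdict(set)
    for ts, svc, reason in failures:
        buckets[(reason, ts.replace(second=0))].add(svc)
    return [
        {"reason": reason, "minute": minute, "services": sorted(svcs)}
        for (reason, minute), svcs in sorted(buckets.items(), key=lambda kv: kv[0][1])
        if len(svcs) >= min_services
    ]


def triage(lines, min_services=5):
    """Full pass over a DDS event block: counts, per-reason totals and bursts."""
    records = parse_log(lines)
    failures = service_failures(records)
    return {
        "events": len(records),
        "service_failures": len(failures),
        "by_reason": reasons_summary(failures),
        "bursts": failure_bursts(failures, min_services),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(f"{result['events']} events parsed, {result['service_failures']} SCM 7023 failures")
    for reason, n in result["by_reason"].most_common():
        print(f"  {n:3d}  {reason}")
    for b in result["bursts"]:
        print(f"burst at {b['minute']:%H:%M}: {len(b['services'])} services, "
              f"'{b['reason']}': {', '.join(b['services'])}")
```

Run against the full event block from the log above (paste the lines into `SAMPLE_LINES` or read them from a file), the script separates the "Access is denied." failures spread over the day from the ones stamped 12:19:01, which all share the same error text; that separation is what an analyst wants in front of them before asking the poster about any particular service.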
  3. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Click on SCAN.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop.)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  4. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-29 17:52:25
    -----------------------------
    17:52:25.401 OS Version: Windows 6.1.7601 Service Pack 1
    17:52:25.401 Number of processors: 4 586 0x203
    17:52:25.404 ComputerName: ED-PC UserName: Ed
    17:53:54.845 Initialize success
    17:57:14.787 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    17:57:14.791 Disk 0 Vendor: Maxtor_6Y120L0 YAR41BW0 Size: 117246MB BusType: 3
    17:57:14.796 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-4
    17:57:14.798 Disk 1 Vendor: ST3400832AS 3.03 Size: 381554MB BusType: 11
    17:57:15.169 Disk 0 MBR read successfully
    17:57:15.175 Disk 0 MBR scan
    17:57:15.181 Disk 0 Windows 7 default MBR code
    17:57:15.208 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    17:57:15.217 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 117144 MB offset 206848
    17:57:15.367 Disk 0 scanning sectors +240117760
    17:57:15.434 Disk 0 scanning C:\Windows\system32\drivers
    18:00:54.301 Service scanning
    18:02:05.249 Modules scanning
    18:03:09.399 Module: C:\Windows\System32\Drivers\dfsc.sys **SUSPICIOUS**
    18:04:18.438 Disk 0 trace - called modules:
    18:04:18.490 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x860d1fd0]<<
    18:04:18.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d7e030]
    18:04:18.506 3 CLASSPNP.SYS[88c6459e] -> nt!IofCallDriver -> [0x8612bb68]
    18:04:18.513 \Driver\00000749[0x8612bca0] -> IRP_MJ_CREATE -> 0x860d1fd0
    18:04:18.520 Scan finished successfully
    18:16:18.236 Disk 0 MBR has been saved successfully to "C:\Users\Ed\Desktop\MBR.dat"
    18:16:18.242 The log file has been saved successfully to "C:\Users\Ed\Desktop\aswMBR.txt"


    RogueKiller V7.2.1 [02/29/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User: Ed [Admin rights]
    Mode: Scan -- Date: 02/29/2012 18:18:39

    ¤¤¤ Bad processes: 1 ¤¤¤
    [SUSP PATH] setup.exe -- C:\Windows\TEMP\mtbuaj\setup.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries: 3 ¤¤¤
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Maxtor 6Y120L0 ATA Device +++++
    --- User ---
    [MBR] e7b41c3775155a035b85343ad7abc611
    [BSP] 15f7d13223205021603bad74e2b87df3 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 117144 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: ST3400832AS ATA Device +++++
    --- User ---
    [MBR] 7f7d2ae37f430e0edc48dac3bcfadcab
    [BSP] f3ef6921d4329cacc5ed5a0b03a8ac3f : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 381552 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
  5. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  6. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    ComboFix 12-02-25.02 - Ed 29/02/2012 20:10:06.1.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.1789.1124 [GMT 0:00]
    Running from: c:\users\Ed\Desktop\ComboFix.exe
    AV: AVG Internet Security 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Internet Security 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Ed\AppData\Roaming\inst.exe
    c:\users\Ed\AppData\Roaming\vso_ts_preview.xml
    c:\windows\$NtUninstallKB9130$\1825098505
    c:\windows\$NtUninstallKB9130$\2727051553\@
    c:\windows\$NtUninstallKB9130$\2727051553\cfg.ini
    c:\windows\$NtUninstallKB9130$\2727051553\Desktop.ini
    c:\windows\$NtUninstallKB9130$\2727051553\L\xadqgnnk
    c:\windows\$NtUninstallKB9130$\2727051553\oemid
    c:\windows\$NtUninstallKB9130$\2727051553\U\00000001.@
    c:\windows\$NtUninstallKB9130$\2727051553\U\00000002.@
    c:\windows\$NtUninstallKB9130$\2727051553\U\00000004.@
    c:\windows\$NtUninstallKB9130$\2727051553\U\80000000.@
    c:\windows\$NtUninstallKB9130$\2727051553\U\80000004.@
    c:\windows\$NtUninstallKB9130$\2727051553\U\80000032.@
    c:\windows\$NtUninstallKB9130$\2727051553\version
    c:\windows\pkunzip.pif
    c:\windows\pkzip.pif
    c:\windows\$NtUninstallKB9130$ . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_AMService
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-29 20:36 . 2012-02-29 01:02 83456 ----a-w- c:\windows\system32\W2ww4sH.com
    2012-02-29 20:24 . 2012-02-29 20:55 -------- d-----w- c:\users\Ed\AppData\Local\temp
    2012-02-29 20:24 . 2012-02-29 20:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\users\Ed\AppData\Roaming\Malwarebytes
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-29 11:02 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-28 22:31 . 2012-02-29 19:55 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-28 20:21 . 2012-02-28 22:12 -------- d-----w- c:\users\Ed\AppData\Local\ReliefJet Essentials
    2012-02-28 19:47 . 2012-02-28 19:47 -------- d--h--w- c:\programdata\Common Files
    2012-02-28 19:43 . 2012-02-28 19:43 -------- d-----w- c:\program files\AVG
    2012-02-28 19:36 . 2012-02-29 18:43 -------- d-----w- c:\programdata\MFAData
    2012-02-27 16:49 . 2012-02-27 16:49 -------- d-----w- c:\users\Ed\AppData\Local\Windows Live Writer
    2012-02-27 16:49 . 2012-02-27 16:49 -------- d-----w- c:\users\Ed\AppData\Roaming\Windows Live Writer
    2012-02-27 16:43 . 2012-02-27 16:46 -------- d-----w- c:\program files\Windows Live
    2012-02-27 16:38 . 2012-02-28 10:23 -------- d-----w- c:\users\Ed\AppData\Local\Windows Live
    2012-02-27 16:38 . 2012-02-27 16:38 -------- d-----w- c:\program files\Common Files\Windows Live
    2012-02-26 15:30 . 2012-02-26 15:38 -------- d-----w- C:\Jan
    2012-02-26 13:51 . 2012-02-26 13:51 -------- d-----w- c:\program files\MSXML 4.0
    2012-02-24 23:01 . 2012-02-24 23:01 -------- d-----w- c:\users\Ed\AppData\Roaming\Nokia Suite
    2012-02-24 22:50 . 2012-02-24 23:01 -------- d-----w- c:\users\Ed\AppData\Roaming\Nokia
    2012-02-24 22:50 . 2012-02-24 22:52 -------- d-----w- c:\users\Ed\AppData\Local\Nokia
    2012-02-24 22:49 . 2012-02-24 22:57 -------- d-----w- c:\programdata\PC Suite
    2012-02-24 22:49 . 2012-02-24 22:59 -------- d-----w- c:\users\Ed\AppData\Roaming\PC Suite
    2012-02-24 22:49 . 2012-02-24 22:49 -------- d-----w- c:\program files\Common Files\Nokia
    2012-02-24 22:49 . 2012-02-24 22:49 -------- d-----w- c:\programdata\Nokia
    2012-02-24 22:48 . 2012-02-24 22:48 -------- d-----w- c:\program files\DIFX
    2012-02-24 22:48 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2012-02-24 22:47 . 2012-02-24 22:47 -------- d-----w- c:\program files\PC Connectivity Solution
    2012-02-24 22:47 . 2011-11-01 10:07 75264 ----a-w- c:\windows\system32\nmwcdcls.dll
    2012-02-24 22:46 . 2012-02-24 22:49 -------- d-----w- c:\program files\Nokia
    2012-02-24 22:17 . 2012-02-24 22:17 -------- d-----w- c:\users\Ed\AppData\Roaming\Blackberry Desktop
    2012-02-24 22:05 . 2012-02-24 22:05 -------- d-----w- c:\users\Ed\AppData\Local\Research In Motion
    2012-02-24 22:05 . 2012-02-24 22:11 -------- d-----w- c:\users\Ed\AppData\Roaming\Research In Motion
    2012-02-24 22:04 . 2011-07-20 15:13 35328 ----a-w- c:\windows\system32\drivers\RimSerial.sys
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\programdata\Research In Motion
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\program files\Common Files\Research In Motion
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\program files\Research In Motion
    2012-02-24 17:20 . 2012-02-24 17:20 -------- d-----w- c:\windows\system32\aliedit
    2012-02-24 17:20 . 2012-02-27 13:17 -------- d-----w- c:\program files\Trademanager
    2012-02-24 17:17 . 2012-02-24 17:17 -------- d-----w- c:\users\Ed\AppData\Local\Alibaba
    2012-02-18 11:19 . 2012-02-18 11:19 -------- d-----w- c:\users\Ed\AppData\Roaming\Scooter Software
    2012-02-18 11:18 . 2012-02-18 11:19 -------- d-----w- c:\program files\Beyond Compare 3
    2012-02-18 03:10 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C968969D-D305-4E77-A2BE-728079485787}\mpengine.dll
    2012-02-17 17:57 . 2012-02-17 17:57 -------- d-----w- c:\program files\IMAPSize
    2012-02-17 17:09 . 2012-02-17 17:09 -------- d-----w- c:\users\Ed\AppData\Roaming\Helios
    2012-02-17 17:09 . 2012-02-17 17:09 49152 ----a-r- c:\users\Ed\AppData\Roaming\Microsoft\Installer\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}\NewShortcut1.exe
    2012-02-17 17:09 . 2012-02-17 17:09 49152 ----a-r- c:\users\Ed\AppData\Roaming\Microsoft\Installer\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}\ARPPRODUCTICON.exe
    2012-02-17 17:09 . 2012-02-17 17:09 -------- d-----w- c:\program files\TextPad 5
    2012-02-15 17:24 . 2009-06-22 18:58 89600 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
    2012-02-15 17:21 . 2012-02-15 17:21 -------- d-----w- c:\users\Ed\AppData\Local\ElevatedDiagnostics
    2012-02-15 17:02 . 2012-02-15 17:02 -------- d-----w- c:\program files\Hewlett-Packard
    2012-02-15 17:02 . 2012-02-15 17:02 -------- d-----w- c:\program files\HP
    2012-02-15 15:18 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 15:16 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
    2012-02-14 00:52 . 2012-02-14 00:52 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2012-02-07 08:06 . 2012-02-07 08:07 -------- d-----w- c:\users\Jan
    2012-02-04 12:59 . 2012-02-04 12:59 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2012-02-04 12:59 . 2012-02-04 12:59 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
    2012-02-04 12:59 . 2012-02-04 12:59 129248 ----a-w- c:\windows\system32\drivers\snapman.sys
    2012-02-04 12:59 . 2012-02-04 12:59 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys
    2012-02-04 12:58 . 2012-02-04 12:58 -------- d-----w- c:\program files\Common Files\Acronis
    2012-02-04 12:58 . 2012-02-04 12:58 -------- d-----w- c:\program files\Acronis
    2012-02-01 22:42 . 2012-02-01 22:42 -------- d-----w- c:\users\Ed\AppData\Roaming\River Past G2
    2012-02-01 21:25 . 2012-02-01 21:25 -------- d-----w- c:\program files\7-Zip
    2012-02-01 20:13 . 2012-02-01 20:13 -------- d-----w- c:\windows\Sun
    2012-01-31 21:54 . 2012-01-31 21:54 -------- d-----w- c:\users\Ed\AppData\Local\Adobe
    2012-01-31 21:53 . 2012-01-31 21:53 -------- d-----w- c:\users\Ed\AppData\Roaming\MrSmooth.1F1C2CE6230412E7752D206B573506D8446D8E6A.1
    2012-01-31 21:53 . 2012-01-31 21:53 -------- d-----w- c:\program files\MrSmooth
    2012-01-31 21:53 . 2012-02-01 22:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2012-01-31 21:52 . 2012-01-31 21:52 -------- d-----w- c:\program files\Mr Smooth
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-27 16:44 . 2011-03-28 18:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-02-17 19:51 . 2012-01-15 19:35 286720 ------w- c:\windows\Setup1.exe
    2012-02-17 19:50 . 2012-01-15 19:35 73216 ----a-w- c:\windows\ST6UNST.EXE
    2012-01-28 19:37 . 2012-01-28 19:37 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2012-01-28 19:37 . 2012-01-28 19:37 47360 ----a-w- c:\users\Ed\AppData\Roaming\pcouffin.sys
    2012-01-27 00:21 . 2012-01-06 21:41 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-17 22:58 . 2012-01-07 18:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-08 13:27 . 2012-01-08 13:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-07 17:23 . 2012-01-07 17:23 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2012-01-07 15:11 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-01-07 12:50 . 2012-01-07 12:50 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2012-01-07 12:50 . 2012-01-07 12:50 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-01-07 12:50 . 2012-01-07 12:50 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-01-07 12:50 . 2012-01-07 12:50 74752 ----a-w- c:\windows\system32\iesetup.dll
    2012-01-07 12:50 . 2012-01-07 12:50 63488 ----a-w- c:\windows\system32\tdc.ocx
    2012-01-07 12:50 . 2012-01-07 12:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-01-07 12:50 . 2012-01-07 12:50 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-01-07 12:50 . 2012-01-07 12:50 367104 ----a-w- c:\windows\system32\html.iec
    2012-01-07 12:50 . 2012-01-07 12:50 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-01-07 12:50 . 2012-01-07 12:50 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2012-01-07 12:50 . 2012-01-07 12:50 161792 ----a-w- c:\windows\system32\msls31.dll
    2012-01-07 12:50 . 2012-01-07 12:50 152064 ----a-w- c:\windows\system32\wextract.exe
    2012-01-07 12:50 . 2012-01-07 12:50 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-01-07 12:50 . 2012-01-07 12:50 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-01-07 12:50 . 2012-01-07 12:50 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-01-07 12:50 . 2012-01-07 12:50 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-01-07 12:50 . 2012-01-07 12:50 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\UC.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\RAR.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\LHA.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\ARJ.PIF
    2011-12-29 18:00 . 2012-01-22 20:26 79360 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-12-21 18:14 . 2012-01-22 20:26 151552 ----a-w- c:\windows\system32\ac3acm.acm
    2011-12-19 14:12 . 2011-12-19 14:12 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
    2011-12-19 14:11 . 2012-01-07 19:11 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
    2011-12-19 14:11 . 2012-01-07 19:11 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2011-12-19 14:11 . 2011-12-19 14:11 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
    2011-12-19 14:11 . 2011-12-19 14:11 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
    2011-12-21 07:47 . 2012-01-07 10:52 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaSuite.exe"="c:\program files\Nokia\Nokia Suite\NokiaSuite.exe" [2012-01-10 1083264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wemneka]
    2012-02-29 10:07 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\wemneka.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 136176]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 umpusbvista;Texas Instruments USB Serial Driver;c:\windows\system32\DRIVERS\umpusbvista.sys [2009-10-20 47104]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-07 1343400]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-12-19 158512]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-12-19 91440]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S2 Realtek11nCU;Realtek11nCU;c:\program files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2012-01-28 47360]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
    S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2011-02-11 728064]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-12-19 104752]
    S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-12-19 116016]
    .
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    AeLookupSvc
    CertPropSvc
    SCPolicySvc
    lanmanserver
    gpsvc
    IKEEXT
    AudioSrv
    FastUserSwitchingCompatibility
    Ias
    Irmon
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    Remoteaccess
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Wmi
    WmdmPmSp
    ibmsmbus
    dpti2o
    PEVSystemStart
    avgtdi
    hpdskflt
    z800mdfl
    s117obex
    WmVirHid
    Si3132
    HSFHWALI
    W8100PCI
    X10UIF
    bcm4sbxp
    wdm_au8820
    SymIM
    dbmanagerscheduler
    PciBus
    uphclean
    npfmntor
    rslinx
    thotkey
    nHancer
    mlkkbdntdriver
    bwsvc
    SE27mdm
    epstnt01
    mssql$soshome22
    se59mgmt
    roxwatch9
    aswrdr
    PGPsdkDriver
    hpqddsvc
    dlcf_device
    sis162u
    mxssvr
    coste
    pctfw1
    vetefile
    cdr4_2k
    enxpsvc
    transactional
    NWSNS
    atmarpc
    NeroMediaHomeService.4
    VAIOMediaPlatform-VideoServer-UPnP
    DSDrv4
    adobeversioncue
    cm102u32
    MSICPL
    vzupsvc
    fsma
    AtiHdmiService
    SE2Bmdfl
    cdvp
    licenseservice
    se26nd5
    mcafeeframework
    VCAM
    pdlndldl
    vet-filt
    hsfhwbs2
    SaiMini
    roxupnpserver
    NsTrcNT
    umpusbxp
    tvichw32
    inotask
    Eplpdx02
    w800mdfl
    ooclevercacheagent
    TermService
    wuauserv
    BITS
    ShellHWDetection
    LogonHours
    PCAudit
    helpsvc
    uploadmgr
    iphlpsvc
    seclogon
    AppInfo
    msiscsi
    MMCSS
    wercplsupport
    EapHost
    ProfSvc
    schedule
    hkmsvc
    SessionEnv
    winmgmt
    browser
    Themes
    BDESVC
    AppMgmt
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-29 c:\windows\Tasks\At1.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At10.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At11.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At12.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At13.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At14.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At15.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At16.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At17.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At18.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At19.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At2.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At20.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At21.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At22.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At23.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At24.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At25.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At26.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At27.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At28.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At29.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At3.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At30.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At31.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At32.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At33.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At34.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At35.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At36.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At37.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At38.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At39.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At4.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At40.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At41.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At42.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At43.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At44.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At45.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At46.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At47.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At48.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At5.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At6.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At7.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At8.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At9.job
    - c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
    .
    2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    Trusted Zone: alipay.com
    Trusted Zone: alisoft.com
    Trusted Zone: taobao.com
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    FF - ProfilePath - c:\users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\x7uoiu9s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
    76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
    2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:96,ce,0e,42,83,f6,cc,01
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(744)
    c:\windows\system32\relog_ap.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\atieclxx.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\taskhost.exe
    c:\program files\REALTEK\11n USB Wireless LAN Utility\RtWlan.exe
    c:\windows\system32\conhost.exe
    c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    c:\windows\system32\DllHost.exe
    c:\program files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-29 21:05:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-29 21:05
    .
    Pre-Run: 69,992,087,552 bytes free
    Post-Run: 70,047,584,256 bytes free
    .
    - - End Of File - - 08D6CB038DD78D98446F291C941300C6
  7. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\W2ww4sH.com
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\System32\config\systemprofile\AppData\Local\wemneka.dll
    
    At::
    
    DDS::
    Trusted Zone: alipay.com
    Trusted Zone: alisoft.com
    Trusted Zone: taobao.com
    
    Driver::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wemneka]
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
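The log RedEd posted above and the CFScript Broni built from it both follow fixed line shapes, so the first triage pass can be scripted. What follows is an added example, not code from the thread, from ComboFix or from its author: it parses an excerpt of the posted log (the excerpt is constructed from lines quoted above), flags the winlogon\notify load point, the At*.job burst and the Trusted Zone entries, and drafts a CFScript skeleton in the section layout Broni used; the triage heuristics are the example's own assumptions, and a helper still reviews every drafted line.

```python
"""Triage a ComboFix log excerpt and draft a CFScript skeleton from it.

Added example, not part of this thread and not ComboFix's own code: reads the
'Reg Loading Points', 'Scheduled Tasks' and 'Supplementary Scan' sections and
lays the findings out in the CFScript section order used above.
"""
import re
from collections import Counter

# Constructed excerpt: lines copied from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wemneka]
2012-02-29 10:07 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\wemneka.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\At1.job
- c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
.
2012-02-29 c:\windows\Tasks\At2.job
- c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
.
2012-02-29 c:\windows\Tasks\At3.job
- c:\windows\system32\W2ww4sH.com [2012-02-29 01:02]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
.
------- Supplementary Scan -------
.
Trusted Zone: alipay.com
Trusted Zone: taobao.com
"""

# Line shapes as ComboFix prints them (matched case-insensitively).
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} c:\\windows\\tasks\\(\S+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")
NOTIFY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                       r"\\currentversion\\winlogon\\notify\\[^\]]+)\]$", re.I)
NOTIFY_DLL_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +(c:\\.+)$", re.I)
TRUSTED_RE = re.compile(r"^Trusted Zone: (\S+)$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.I)

def parse_log(text):
    """Single pass over the log; returns only the entries this triage cares about."""
    tasks, notify, trusted = [], [], []
    pending_job = pending_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TASK_RE.match(line):
            pending_job = m.group(1)  # the task's target follows on the next line
        elif pending_job and (m := TARGET_RE.match(line)):
            tasks.append((pending_job, m.group(1)))
            pending_job = None
        elif m := NOTIFY_RE.match(line):
            pending_key = m.group(1)  # the DLL path follows on the next line
        elif pending_key and (m := NOTIFY_DLL_RE.match(line)):
            notify.append((pending_key, m.group(1)))
            pending_key = None
        elif m := TRUSTED_RE.match(line):
            trusted.append(m.group(1))
    return {"tasks": tasks, "notify_keys": notify, "trusted_zones": trusted}

def triage(findings):
    """Review notes; the heuristics are this example's own, not ComboFix's."""
    notes = []
    # Winlogon notification packages were removed in Windows Vista, so on
    # Windows 7 any winlogon\notify subkey is a load point no legitimate software uses.
    for key, dll in findings["notify_keys"]:
        notes.append(f"winlogon\\notify load point [{key}] -> {dll}")
    # At*.job tasks come from at.exe; a run of them all launching one fresh
    # binary in system32 (here with an underscore twin) is the posted pattern.
    at_targets = Counter(t for job, t in findings["tasks"] if AT_JOB_RE.match(job))
    if at_targets:
        notes.append(f"{sum(at_targets.values())} At*.job task(s) -> {sorted(at_targets)}")
    # Trusted Zone entries relax IE security for those domains; list them for review.
    notes += [f"IE trusted zone: {zone}" for zone in findings["trusted_zones"]]
    return notes

def draft_cfscript(findings):
    """Findings in the section order of the script posted above."""
    files = sorted({t for job, t in findings["tasks"] if AT_JOB_RE.match(job)})
    files += [dll for _, dll in findings["notify_keys"]]
    lines = ["File::", *files, "", "At::", "", "DDS::"]
    lines += [f"Trusted Zone: {z}" for z in findings["trusted_zones"]]
    lines += ["", "Registry::"]
    lines += [f"[-{key}]" for key, _ in findings["notify_keys"]]  # [-key] deletes the key
    lines += ["", "ClearJavaCache::", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("\n".join("! " + n for n in triage(found)), end="\n\n")
    print(draft_cfscript(found))
```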
  8. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    ComboFix 12-02-25.02 - Ed 29/02/2012 21:59:32.2.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.1789.972 [GMT 0:00]
    Running from: c:\users\Ed\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ed\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\System32\config\systemprofile\AppData\Local\wemneka.dll"
    "c:\windows\system32\dds_trash_log.cmd"
    "c:\windows\system32\W2ww4sH.com"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\System32\config\systemprofile\AppData\Local\wemneka.dll
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\W2ww4sH.com
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-29 22:10 . 2012-02-29 22:10 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-29 20:24 . 2012-02-29 22:10 -------- d-----w- c:\users\Ed\AppData\Local\temp
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\users\Ed\AppData\Roaming\Malwarebytes
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-29 11:02 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-29 02:03 . 2012-02-29 01:02 83456 ----a-w- c:\windows\system32\W2ww4sH.com_
    2012-02-28 20:21 . 2012-02-28 22:12 -------- d-----w- c:\users\Ed\AppData\Local\ReliefJet Essentials
    2012-02-28 19:47 . 2012-02-28 19:47 -------- d--h--w- c:\programdata\Common Files
    2012-02-28 19:43 . 2012-02-28 19:43 -------- d-----w- c:\program files\AVG
    2012-02-28 19:36 . 2012-02-29 18:43 -------- d-----w- c:\programdata\MFAData
    2012-02-27 16:49 . 2012-02-27 16:49 -------- d-----w- c:\users\Ed\AppData\Local\Windows Live Writer
    2012-02-27 16:49 . 2012-02-27 16:49 -------- d-----w- c:\users\Ed\AppData\Roaming\Windows Live Writer
    2012-02-27 16:43 . 2012-02-27 16:46 -------- d-----w- c:\program files\Windows Live
    2012-02-27 16:38 . 2012-02-28 10:23 -------- d-----w- c:\users\Ed\AppData\Local\Windows Live
    2012-02-27 16:38 . 2012-02-27 16:38 -------- d-----w- c:\program files\Common Files\Windows Live
    2012-02-26 15:30 . 2012-02-26 15:38 -------- d-----w- C:\Jan
    2012-02-26 13:51 . 2012-02-26 13:51 -------- d-----w- c:\program files\MSXML 4.0
    2012-02-24 23:01 . 2012-02-24 23:01 -------- d-----w- c:\users\Ed\AppData\Roaming\Nokia Suite
    2012-02-24 22:50 . 2012-02-24 23:01 -------- d-----w- c:\users\Ed\AppData\Roaming\Nokia
    2012-02-24 22:50 . 2012-02-24 22:52 -------- d-----w- c:\users\Ed\AppData\Local\Nokia
    2012-02-24 22:49 . 2012-02-24 22:57 -------- d-----w- c:\programdata\PC Suite
    2012-02-24 22:49 . 2012-02-24 22:59 -------- d-----w- c:\users\Ed\AppData\Roaming\PC Suite
    2012-02-24 22:49 . 2012-02-24 22:49 -------- d-----w- c:\program files\Common Files\Nokia
    2012-02-24 22:49 . 2012-02-24 22:49 -------- d-----w- c:\programdata\Nokia
    2012-02-24 22:48 . 2012-02-24 22:48 -------- d-----w- c:\program files\DIFX
    2012-02-24 22:48 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2012-02-24 22:47 . 2012-02-24 22:47 -------- d-----w- c:\program files\PC Connectivity Solution
    2012-02-24 22:47 . 2011-11-01 10:07 75264 ----a-w- c:\windows\system32\nmwcdcls.dll
    2012-02-24 22:46 . 2012-02-24 22:49 -------- d-----w- c:\program files\Nokia
    2012-02-24 22:17 . 2012-02-24 22:17 -------- d-----w- c:\users\Ed\AppData\Roaming\Blackberry Desktop
    2012-02-24 22:05 . 2012-02-24 22:05 -------- d-----w- c:\users\Ed\AppData\Local\Research In Motion
    2012-02-24 22:05 . 2012-02-24 22:11 -------- d-----w- c:\users\Ed\AppData\Roaming\Research In Motion
    2012-02-24 22:04 . 2011-07-20 15:13 35328 ----a-w- c:\windows\system32\drivers\RimSerial.sys
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\programdata\Research In Motion
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\program files\Common Files\Research In Motion
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\program files\Research In Motion
    2012-02-24 17:20 . 2012-02-24 17:20 -------- d-----w- c:\windows\system32\aliedit
    2012-02-24 17:20 . 2012-02-27 13:17 -------- d-----w- c:\program files\Trademanager
    2012-02-24 17:17 . 2012-02-24 17:17 -------- d-----w- c:\users\Ed\AppData\Local\Alibaba
    2012-02-18 11:19 . 2012-02-18 11:19 -------- d-----w- c:\users\Ed\AppData\Roaming\Scooter Software
    2012-02-18 11:18 . 2012-02-18 11:19 -------- d-----w- c:\program files\Beyond Compare 3
    2012-02-18 03:10 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C968969D-D305-4E77-A2BE-728079485787}\mpengine.dll
    2012-02-17 17:57 . 2012-02-17 17:57 -------- d-----w- c:\program files\IMAPSize
    2012-02-17 17:09 . 2012-02-17 17:09 -------- d-----w- c:\users\Ed\AppData\Roaming\Helios
    2012-02-17 17:09 . 2012-02-17 17:09 49152 ----a-r- c:\users\Ed\AppData\Roaming\Microsoft\Installer\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}\NewShortcut1.exe
    2012-02-17 17:09 . 2012-02-17 17:09 49152 ----a-r- c:\users\Ed\AppData\Roaming\Microsoft\Installer\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}\ARPPRODUCTICON.exe
    2012-02-17 17:09 . 2012-02-17 17:09 -------- d-----w- c:\program files\TextPad 5
    2012-02-15 17:24 . 2009-06-22 18:58 89600 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
    2012-02-15 17:21 . 2012-02-15 17:21 -------- d-----w- c:\users\Ed\AppData\Local\ElevatedDiagnostics
    2012-02-15 17:02 . 2012-02-15 17:02 -------- d-----w- c:\program files\Hewlett-Packard
    2012-02-15 17:02 . 2012-02-15 17:02 -------- d-----w- c:\program files\HP
    2012-02-15 15:18 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 15:16 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
    2012-02-14 00:52 . 2012-02-14 00:52 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2012-02-07 08:06 . 2012-02-07 08:07 -------- d-----w- c:\users\Jan
    2012-02-04 12:59 . 2012-02-04 12:59 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2012-02-04 12:59 . 2012-02-04 12:59 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
    2012-02-04 12:59 . 2012-02-04 12:59 129248 ----a-w- c:\windows\system32\drivers\snapman.sys
    2012-02-04 12:59 . 2012-02-04 12:59 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys
    2012-02-04 12:58 . 2012-02-04 12:58 -------- d-----w- c:\program files\Common Files\Acronis
    2012-02-04 12:58 . 2012-02-04 12:58 -------- d-----w- c:\program files\Acronis
    2012-02-01 22:42 . 2012-02-01 22:42 -------- d-----w- c:\users\Ed\AppData\Roaming\River Past G2
    2012-02-01 21:25 . 2012-02-01 21:25 -------- d-----w- c:\program files\7-Zip
    2012-02-01 20:13 . 2012-02-01 20:13 -------- d-----w- c:\windows\Sun
    2012-01-31 21:54 . 2012-01-31 21:54 -------- d-----w- c:\users\Ed\AppData\Local\Adobe
    2012-01-31 21:53 . 2012-01-31 21:53 -------- d-----w- c:\users\Ed\AppData\Roaming\MrSmooth.1F1C2CE6230412E7752D206B573506D8446D8E6A.1
    2012-01-31 21:53 . 2012-01-31 21:53 -------- d-----w- c:\program files\MrSmooth
    2012-01-31 21:53 . 2012-02-01 22:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2012-01-31 21:52 . 2012-01-31 21:52 -------- d-----w- c:\program files\Mr Smooth
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-27 16:44 . 2011-03-28 18:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-02-17 19:51 . 2012-01-15 19:35 286720 ------w- c:\windows\Setup1.exe
    2012-02-17 19:50 . 2012-01-15 19:35 73216 ----a-w- c:\windows\ST6UNST.EXE
    2012-01-28 19:37 . 2012-01-28 19:37 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2012-01-28 19:37 . 2012-01-28 19:37 47360 ----a-w- c:\users\Ed\AppData\Roaming\pcouffin.sys
    2012-01-27 00:21 . 2012-01-06 21:41 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-17 22:58 . 2012-01-07 18:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-08 13:27 . 2012-01-08 13:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-07 17:23 . 2012-01-07 17:23 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2012-01-07 15:11 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-01-07 12:50 . 2012-01-07 12:50 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2012-01-07 12:50 . 2012-01-07 12:50 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-01-07 12:50 . 2012-01-07 12:50 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-01-07 12:50 . 2012-01-07 12:50 74752 ----a-w- c:\windows\system32\iesetup.dll
    2012-01-07 12:50 . 2012-01-07 12:50 63488 ----a-w- c:\windows\system32\tdc.ocx
    2012-01-07 12:50 . 2012-01-07 12:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-01-07 12:50 . 2012-01-07 12:50 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-01-07 12:50 . 2012-01-07 12:50 367104 ----a-w- c:\windows\system32\html.iec
    2012-01-07 12:50 . 2012-01-07 12:50 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-01-07 12:50 . 2012-01-07 12:50 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2012-01-07 12:50 . 2012-01-07 12:50 161792 ----a-w- c:\windows\system32\msls31.dll
    2012-01-07 12:50 . 2012-01-07 12:50 152064 ----a-w- c:\windows\system32\wextract.exe
    2012-01-07 12:50 . 2012-01-07 12:50 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-01-07 12:50 . 2012-01-07 12:50 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-01-07 12:50 . 2012-01-07 12:50 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-01-07 12:50 . 2012-01-07 12:50 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-01-07 12:50 . 2012-01-07 12:50 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\UC.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\RAR.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\LHA.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\ARJ.PIF
    2011-12-29 18:00 . 2012-01-22 20:26 79360 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-12-21 18:14 . 2012-01-22 20:26 151552 ----a-w- c:\windows\system32\ac3acm.acm
    2011-12-19 14:12 . 2011-12-19 14:12 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
    2011-12-19 14:11 . 2012-01-07 19:11 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
    2011-12-19 14:11 . 2012-01-07 19:11 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2011-12-19 14:11 . 2011-12-19 14:11 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
    2011-12-19 14:11 . 2011-12-19 14:11 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
    2011-12-21 07:47 . 2012-01-07 10:52 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaSuite.exe"="c:\program files\Nokia\Nokia Suite\NokiaSuite.exe" [2012-01-10 1083264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 136176]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 umpusbvista;Texas Instruments USB Serial Driver;c:\windows\system32\DRIVERS\umpusbvista.sys [2009-10-20 47104]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-07 1343400]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-12-19 158512]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-12-19 91440]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S2 Realtek11nCU;Realtek11nCU;c:\program files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2012-01-28 47360]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
    S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2011-02-11 728064]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-12-19 104752]
    S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-12-19 116016]
    .
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    AeLookupSvc
    CertPropSvc
    SCPolicySvc
    lanmanserver
    gpsvc
    IKEEXT
    AudioSrv
    FastUserSwitchingCompatibility
    Ias
    Irmon
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    Remoteaccess
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Wmi
    WmdmPmSp
    ibmsmbus
    dpti2o
    PEVSystemStart
    avgtdi
    hpdskflt
    z800mdfl
    s117obex
    WmVirHid
    Si3132
    HSFHWALI
    W8100PCI
    X10UIF
    bcm4sbxp
    wdm_au8820
    SymIM
    dbmanagerscheduler
    PciBus
    uphclean
    npfmntor
    rslinx
    thotkey
    nHancer
    mlkkbdntdriver
    bwsvc
    SE27mdm
    epstnt01
    mssql$soshome22
    se59mgmt
    roxwatch9
    aswrdr
    PGPsdkDriver
    hpqddsvc
    dlcf_device
    sis162u
    mxssvr
    coste
    pctfw1
    vetefile
    cdr4_2k
    enxpsvc
    transactional
    NWSNS
    atmarpc
    NeroMediaHomeService.4
    VAIOMediaPlatform-VideoServer-UPnP
    DSDrv4
    adobeversioncue
    cm102u32
    MSICPL
    vzupsvc
    fsma
    AtiHdmiService
    SE2Bmdfl
    cdvp
    licenseservice
    se26nd5
    mcafeeframework
    VCAM
    pdlndldl
    vet-filt
    hsfhwbs2
    SaiMini
    roxupnpserver
    NsTrcNT
    umpusbxp
    tvichw32
    inotask
    Eplpdx02
    w800mdfl
    ooclevercacheagent
    TermService
    wuauserv
    BITS
    ShellHWDetection
    LogonHours
    PCAudit
    helpsvc
    uploadmgr
    iphlpsvc
    seclogon
    AppInfo
    msiscsi
    MMCSS
    wercplsupport
    EapHost
    ProfSvc
    schedule
    hkmsvc
    SessionEnv
    winmgmt
    browser
    Themes
    BDESVC
    AppMgmt
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-29 c:\windows\Tasks\At10.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At12.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At14.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At16.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At18.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At2.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At20.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At22.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At24.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At26.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At28.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At30.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At32.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At34.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At36.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At38.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At4.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At40.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At42.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At44.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At46.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At48.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At6.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\At8.job
    - c:\windows\system32\W2ww4sH.com_ [2012-02-29 01:02]
    .
    2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
    .
    2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    FF - ProfilePath - c:\users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\x7uoiu9s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
    76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
    2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:96,ce,0e,42,83,f6,cc,01
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(744)
    c:\windows\system32\relog_ap.DLL
    .
    Completion time: 2012-02-29 22:15:19
    ComboFix-quarantined-files.txt 2012-02-29 22:15
    ComboFix2.txt 2012-02-29 21:05
    .
    Pre-Run: 70,145,544,192 bytes free
    Post-Run: 70,125,527,040 bytes free
    .
    - - End Of File - - F8311CECE18D4A69C7C181513401D5BC
  9. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\W2ww4sH.com_
    
    At::
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
  10. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    ComboFix 12-02-25.02 - Ed 29/02/2012 22:57:52.3.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.1789.1070 [GMT 0:00]
    Running from: c:\users\Ed\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ed\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\W2ww4sH.com_"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-29 23:08 . 2012-02-29 23:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-29 20:24 . 2012-02-29 23:08 -------- d-----w- c:\users\Ed\AppData\Local\temp
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\users\Ed\AppData\Roaming\Malwarebytes
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-29 11:02 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-29 02:03 . 2012-02-29 01:02 83456 ----a-w- c:\windows\system32\W2ww4sH.com__
    2012-02-28 20:21 . 2012-02-28 22:12 -------- d-----w- c:\users\Ed\AppData\Local\ReliefJet Essentials
    2012-02-28 19:47 . 2012-02-28 19:47 -------- d--h--w- c:\programdata\Common Files
    2012-02-28 19:43 . 2012-02-28 19:43 -------- d-----w- c:\program files\AVG
    2012-02-28 19:36 . 2012-02-29 18:43 -------- d-----w- c:\programdata\MFAData
    2012-02-27 16:49 . 2012-02-27 16:49 -------- d-----w- c:\users\Ed\AppData\Local\Windows Live Writer
    2012-02-27 16:49 . 2012-02-27 16:49 -------- d-----w- c:\users\Ed\AppData\Roaming\Windows Live Writer
    2012-02-27 16:43 . 2012-02-27 16:46 -------- d-----w- c:\program files\Windows Live
    2012-02-27 16:38 . 2012-02-28 10:23 -------- d-----w- c:\users\Ed\AppData\Local\Windows Live
    2012-02-27 16:38 . 2012-02-27 16:38 -------- d-----w- c:\program files\Common Files\Windows Live
    2012-02-26 15:30 . 2012-02-26 15:38 -------- d-----w- C:\Jan
    2012-02-26 13:51 . 2012-02-26 13:51 -------- d-----w- c:\program files\MSXML 4.0
    2012-02-24 23:01 . 2012-02-24 23:01 -------- d-----w- c:\users\Ed\AppData\Roaming\Nokia Suite
    2012-02-24 22:50 . 2012-02-24 23:01 -------- d-----w- c:\users\Ed\AppData\Roaming\Nokia
    2012-02-24 22:50 . 2012-02-24 22:52 -------- d-----w- c:\users\Ed\AppData\Local\Nokia
    2012-02-24 22:49 . 2012-02-24 22:57 -------- d-----w- c:\programdata\PC Suite
    2012-02-24 22:49 . 2012-02-24 22:59 -------- d-----w- c:\users\Ed\AppData\Roaming\PC Suite
    2012-02-24 22:49 . 2012-02-24 22:49 -------- d-----w- c:\program files\Common Files\Nokia
    2012-02-24 22:49 . 2012-02-24 22:49 -------- d-----w- c:\programdata\Nokia
    2012-02-24 22:48 . 2012-02-24 22:48 -------- d-----w- c:\program files\DIFX
    2012-02-24 22:48 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2012-02-24 22:47 . 2012-02-24 22:47 -------- d-----w- c:\program files\PC Connectivity Solution
    2012-02-24 22:47 . 2011-11-01 10:07 75264 ----a-w- c:\windows\system32\nmwcdcls.dll
    2012-02-24 22:46 . 2012-02-24 22:49 -------- d-----w- c:\program files\Nokia
    2012-02-24 22:17 . 2012-02-24 22:17 -------- d-----w- c:\users\Ed\AppData\Roaming\Blackberry Desktop
    2012-02-24 22:05 . 2012-02-24 22:05 -------- d-----w- c:\users\Ed\AppData\Local\Research In Motion
    2012-02-24 22:05 . 2012-02-24 22:11 -------- d-----w- c:\users\Ed\AppData\Roaming\Research In Motion
    2012-02-24 22:04 . 2011-07-20 15:13 35328 ----a-w- c:\windows\system32\drivers\RimSerial.sys
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\programdata\Research In Motion
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\program files\Common Files\Research In Motion
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\program files\Research In Motion
    2012-02-24 17:20 . 2012-02-24 17:20 -------- d-----w- c:\windows\system32\aliedit
    2012-02-24 17:20 . 2012-02-27 13:17 -------- d-----w- c:\program files\Trademanager
    2012-02-24 17:17 . 2012-02-24 17:17 -------- d-----w- c:\users\Ed\AppData\Local\Alibaba
    2012-02-18 11:19 . 2012-02-18 11:19 -------- d-----w- c:\users\Ed\AppData\Roaming\Scooter Software
    2012-02-18 11:18 . 2012-02-18 11:19 -------- d-----w- c:\program files\Beyond Compare 3
    2012-02-18 03:10 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C968969D-D305-4E77-A2BE-728079485787}\mpengine.dll
    2012-02-17 17:57 . 2012-02-17 17:57 -------- d-----w- c:\program files\IMAPSize
    2012-02-17 17:09 . 2012-02-17 17:09 -------- d-----w- c:\users\Ed\AppData\Roaming\Helios
    2012-02-17 17:09 . 2012-02-17 17:09 49152 ----a-r- c:\users\Ed\AppData\Roaming\Microsoft\Installer\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}\NewShortcut1.exe
    2012-02-17 17:09 . 2012-02-17 17:09 49152 ----a-r- c:\users\Ed\AppData\Roaming\Microsoft\Installer\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}\ARPPRODUCTICON.exe
    2012-02-17 17:09 . 2012-02-17 17:09 -------- d-----w- c:\program files\TextPad 5
    2012-02-15 17:24 . 2009-06-22 18:58 89600 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
    2012-02-15 17:21 . 2012-02-15 17:21 -------- d-----w- c:\users\Ed\AppData\Local\ElevatedDiagnostics
    2012-02-15 17:02 . 2012-02-15 17:02 -------- d-----w- c:\program files\Hewlett-Packard
    2012-02-15 17:02 . 2012-02-15 17:02 -------- d-----w- c:\program files\HP
    2012-02-15 15:18 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 15:16 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
    2012-02-14 00:52 . 2012-02-14 00:52 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2012-02-07 08:06 . 2012-02-07 08:07 -------- d-----w- c:\users\Jan
    2012-02-04 12:59 . 2012-02-04 12:59 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2012-02-04 12:59 . 2012-02-04 12:59 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
    2012-02-04 12:59 . 2012-02-04 12:59 129248 ----a-w- c:\windows\system32\drivers\snapman.sys
    2012-02-04 12:59 . 2012-02-04 12:59 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys
    2012-02-04 12:58 . 2012-02-04 12:58 -------- d-----w- c:\program files\Common Files\Acronis
    2012-02-04 12:58 . 2012-02-04 12:58 -------- d-----w- c:\program files\Acronis
    2012-02-01 22:42 . 2012-02-01 22:42 -------- d-----w- c:\users\Ed\AppData\Roaming\River Past G2
    2012-02-01 21:25 . 2012-02-01 21:25 -------- d-----w- c:\program files\7-Zip
    2012-02-01 20:13 . 2012-02-01 20:13 -------- d-----w- c:\windows\Sun
    2012-01-31 21:54 . 2012-01-31 21:54 -------- d-----w- c:\users\Ed\AppData\Local\Adobe
    2012-01-31 21:53 . 2012-01-31 21:53 -------- d-----w- c:\users\Ed\AppData\Roaming\MrSmooth.1F1C2CE6230412E7752D206B573506D8446D8E6A.1
    2012-01-31 21:53 . 2012-01-31 21:53 -------- d-----w- c:\program files\MrSmooth
    2012-01-31 21:53 . 2012-02-01 22:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2012-01-31 21:52 . 2012-01-31 21:52 -------- d-----w- c:\program files\Mr Smooth
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-27 16:44 . 2011-03-28 18:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-02-17 19:51 . 2012-01-15 19:35 286720 ------w- c:\windows\Setup1.exe
    2012-02-17 19:50 . 2012-01-15 19:35 73216 ----a-w- c:\windows\ST6UNST.EXE
    2012-01-28 19:37 . 2012-01-28 19:37 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2012-01-28 19:37 . 2012-01-28 19:37 47360 ----a-w- c:\users\Ed\AppData\Roaming\pcouffin.sys
    2012-01-27 00:21 . 2012-01-06 21:41 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-17 22:58 . 2012-01-07 18:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-08 13:27 . 2012-01-08 13:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-07 17:23 . 2012-01-07 17:23 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2012-01-07 15:11 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-01-07 12:50 . 2012-01-07 12:50 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2012-01-07 12:50 . 2012-01-07 12:50 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-01-07 12:50 . 2012-01-07 12:50 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-01-07 12:50 . 2012-01-07 12:50 74752 ----a-w- c:\windows\system32\iesetup.dll
    2012-01-07 12:50 . 2012-01-07 12:50 63488 ----a-w- c:\windows\system32\tdc.ocx
    2012-01-07 12:50 . 2012-01-07 12:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-01-07 12:50 . 2012-01-07 12:50 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-01-07 12:50 . 2012-01-07 12:50 367104 ----a-w- c:\windows\system32\html.iec
    2012-01-07 12:50 . 2012-01-07 12:50 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-01-07 12:50 . 2012-01-07 12:50 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2012-01-07 12:50 . 2012-01-07 12:50 161792 ----a-w- c:\windows\system32\msls31.dll
    2012-01-07 12:50 . 2012-01-07 12:50 152064 ----a-w- c:\windows\system32\wextract.exe
    2012-01-07 12:50 . 2012-01-07 12:50 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-01-07 12:50 . 2012-01-07 12:50 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-01-07 12:50 . 2012-01-07 12:50 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-01-07 12:50 . 2012-01-07 12:50 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-01-07 12:50 . 2012-01-07 12:50 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\UC.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\RAR.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\LHA.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\ARJ.PIF
    2011-12-29 18:00 . 2012-01-22 20:26 79360 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-12-21 18:14 . 2012-01-22 20:26 151552 ----a-w- c:\windows\system32\ac3acm.acm
    2011-12-19 14:12 . 2011-12-19 14:12 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
    2011-12-19 14:11 . 2012-01-07 19:11 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
    2011-12-19 14:11 . 2012-01-07 19:11 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2011-12-19 14:11 . 2011-12-19 14:11 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
    2011-12-19 14:11 . 2011-12-19 14:11 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
    2011-12-21 07:47 . 2012-01-07 10:52 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaSuite.exe"="c:\program files\Nokia\Nokia Suite\NokiaSuite.exe" [2012-01-10 1083264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 136176]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 umpusbvista;Texas Instruments USB Serial Driver;c:\windows\system32\DRIVERS\umpusbvista.sys [2009-10-20 47104]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-07 1343400]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-12-19 158512]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-12-19 91440]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S2 Realtek11nCU;Realtek11nCU;c:\program files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2012-01-28 47360]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
    S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2011-02-11 728064]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-12-19 104752]
    S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-12-19 116016]
    .
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    AeLookupSvc
    CertPropSvc
    SCPolicySvc
    lanmanserver
    gpsvc
    IKEEXT
    AudioSrv
    FastUserSwitchingCompatibility
    Ias
    Irmon
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    Remoteaccess
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Wmi
    WmdmPmSp
    ibmsmbus
    dpti2o
    PEVSystemStart
    avgtdi
    hpdskflt
    z800mdfl
    s117obex
    WmVirHid
    Si3132
    HSFHWALI
    W8100PCI
    X10UIF
    bcm4sbxp
    wdm_au8820
    SymIM
    dbmanagerscheduler
    PciBus
    uphclean
    npfmntor
    rslinx
    thotkey
    nHancer
    mlkkbdntdriver
    bwsvc
    SE27mdm
    epstnt01
    mssql$soshome22
    se59mgmt
    roxwatch9
    aswrdr
    PGPsdkDriver
    hpqddsvc
    dlcf_device
    sis162u
    mxssvr
    coste
    pctfw1
    vetefile
    cdr4_2k
    enxpsvc
    transactional
    NWSNS
    atmarpc
    NeroMediaHomeService.4
    VAIOMediaPlatform-VideoServer-UPnP
    DSDrv4
    adobeversioncue
    cm102u32
    MSICPL
    vzupsvc
    fsma
    AtiHdmiService
    SE2Bmdfl
    cdvp
    licenseservice
    se26nd5
    mcafeeframework
    VCAM
    pdlndldl
    vet-filt
    hsfhwbs2
    SaiMini
    roxupnpserver
    NsTrcNT
    umpusbxp
    tvichw32
    inotask
    Eplpdx02
    w800mdfl
    ooclevercacheagent
    TermService
    wuauserv
    BITS
    ShellHWDetection
    LogonHours
    PCAudit
    helpsvc
    uploadmgr
    iphlpsvc
    seclogon
    AppInfo
    msiscsi
    MMCSS
    wercplsupport
    EapHost
    ProfSvc
    schedule
    hkmsvc
    SessionEnv
    winmgmt
    browser
    Themes
    BDESVC
    AppMgmt
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
    .
    2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    FF - ProfilePath - c:\users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\x7uoiu9s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
    76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
    2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:96,ce,0e,42,83,f6,cc,01
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(744)
    c:\windows\system32\relog_ap.DLL
    .
    Completion time: 2012-02-29 23:13:24
    ComboFix-quarantined-files.txt 2012-02-29 23:13
    ComboFix2.txt 2012-02-29 22:15
    ComboFix3.txt 2012-02-29 21:05
    .
    Pre-Run: 69,780,140,032 bytes free
    Post-Run: 69,732,491,264 bytes free
    .
    - - End Of File - - 7CC4470FF576FACDD6AC94009D5AD3A4
  11. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\W2ww4sH.com__
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
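The `File::` directive above tells ComboFix to delete c:\windows\system32\W2ww4sH.com__ outright, so the only record of the file that survives is its line in the log. The example below is added by the editor and is neither part of this thread nor ComboFix's own code: a small Python triage helper that parses the ComboFix "Files Created" / "Find3M Report" lines and scores each entry with a few cheap heuristics (odd executable extension with trailing underscores, random-looking name directly in system32, recent creation under c:\windows), so the analyst knows which files to copy and hash before a script deletes them. The weights, the 7-day window and the score threshold are this example's assumptions; the sample input is a handful of lines copied from the logs posted in this thread, not a full log. It also checks the policies\system block for `EnableLUA`, which these logs report as 0.

```python
"""Triage helper for ComboFix file listings (added example, not from the thread).
Scores each 'Files Created' / 'Find3M Report' line with a few heuristics so the
analyst knows which files to copy and hash before a File:: directive deletes them.
The heuristics and weights are this example's assumptions, not ComboFix logic."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One ComboFix file line: <created> . <modified> <size|--------> <attrs> <path>, e.g.
#   2012-02-29 02:03 . 2012-02-29 01:02 83456 ----a-w- c:\windows\system32\W2ww4sH.com__
LINE_RE = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r" (\d+|-{8}) ([a-z-]{8}) (\S.*?)\s*$"
)
TS = "%Y-%m-%d %H:%M"
# Executable-type extension followed by underscore(s), e.g. ".com__"  (weight 3).
ODD_EXT_RE = re.compile(r"\.(exe|com|dll|sys|scr|pif|bat|cmd)_+$", re.I)
# "Random-looking" stem: 6-12 alphanumerics, mixed case, >= 2 digits  (weight 2).
RANDOM_STEM_RE = re.compile(r"^(?=(?:.*\d){2})(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,12}$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entries(log_text: str) -> List[Entry]:
    """Return every file/directory line found anywhere in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append(Entry(datetime.strptime(created, TS),
                                 datetime.strptime(modified, TS),
                                 None if size.startswith("-") else int(size),
                                 attrs, path))
    return entries


def score(e: Entry, reference: datetime) -> Tuple[int, List[str]]:
    """(score, reasons) for one entry; higher means look at it first."""
    if e.is_dir:
        return 0, []
    hits, low = [], e.path.lower()
    if ODD_EXT_RE.search(e.name):
        hits.append((3, "executable extension with trailing underscore(s)"))
    if low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]:
        if RANDOM_STEM_RE.match(e.name.rsplit(".", 1)[0]):
            hits.append((2, "random-looking name directly in system32"))
    if low.startswith("c:\\windows\\") and reference - e.created <= timedelta(days=7):
        hits.append((1, "created under c:\\windows within 7 days of the log"))
    return sum(w for w, _ in hits), [r for _, r in hits]


def triage(log_text: str, reference: datetime, threshold: int = 2):
    """Entries scoring >= threshold as (path, score, reasons), highest first."""
    rows = []
    for e in parse_entries(log_text):
        s, why = score(e, reference)
        if s >= threshold:
            rows.append((e.path, s, why))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def uac_disabled(log_text: str) -> bool:
    """True when the Reg Loading Points section shows "EnableLUA"= 0."""
    m = re.search(r'"EnableLUA"=\s*(\d+)', log_text)
    return m is not None and m.group(1) == "0"


# Sample input: lines copied from the ComboFix logs in this thread (a few file
# entries plus the policies\system block); constructed excerpt, not a full log.
SAMPLE_LOG = """\
2012-02-29 11:02 . 2011-12-10 15:24 20464 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2012-02-29 02:03 . 2012-02-29 01:02 83456 ----a-w- c:\\windows\\system32\\W2ww4sH.com__
2012-02-24 22:47 . 2011-11-01 10:07 75264 ----a-w- c:\\windows\\system32\\nmwcdcls.dll
2012-02-15 15:16 . 2012-01-14 03:35 2343424 ----a-w- c:\\windows\\system32\\win32k.sys
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"""
LOG_COMPLETED = datetime(2012, 3, 1, 17, 47)   # the log's 'Completion time'

if __name__ == "__main__":
    for path, s, why in triage(SAMPLE_LOG, LOG_COMPLETED):
        print(f"{s:2d}  {path}  ({'; '.join(why)})")
    print("UAC disabled (EnableLUA=0):", uac_disabled(SAMPLE_LOG))
```

On the sample excerpt only W2ww4sH.com__ clears the threshold: it trips all three rules and scores 6, while mbam.sys (freshly installed, but a normal driver name in the drivers subdirectory) scores 1 and is left out. The scores are a triage order, not a verdict; the point is to pull a copy and a hash of anything that ranks high before the `File::` line removes it, and to notice that EnableLUA=0 means UAC was off on this machine.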
     
  12. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    ComboFix 12-02-25.02 - Ed 01/03/2012 17:34:09.4.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.2813.1625 [GMT 0:00]
    Running from: c:\users\Ed\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ed\Desktop\CFScript.txt.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\W2ww4sH.com_"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-01 to 2012-03-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-01 17:42 . 2012-03-01 17:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-29 20:24 . 2012-03-01 17:42 -------- d-----w- c:\users\Ed\AppData\Local\temp
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\users\Ed\AppData\Roaming\Malwarebytes
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-29 11:02 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-29 11:02 . 2012-02-29 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-29 02:03 . 2012-02-29 01:02 83456 ----a-w- c:\windows\system32\W2ww4sH.com__
    2012-02-28 20:21 . 2012-02-28 22:12 -------- d-----w- c:\users\Ed\AppData\Local\ReliefJet Essentials
    2012-02-28 19:47 . 2012-02-28 19:47 -------- d--h--w- c:\programdata\Common Files
    2012-02-28 19:43 . 2012-02-28 19:43 -------- d-----w- c:\program files\AVG
    2012-02-28 19:36 . 2012-02-29 18:43 -------- d-----w- c:\programdata\MFAData
    2012-02-27 16:49 . 2012-02-27 16:49 -------- d-----w- c:\users\Ed\AppData\Local\Windows Live Writer
    2012-02-27 16:49 . 2012-02-27 16:49 -------- d-----w- c:\users\Ed\AppData\Roaming\Windows Live Writer
    2012-02-27 16:43 . 2012-02-27 16:46 -------- d-----w- c:\program files\Windows Live
    2012-02-27 16:38 . 2012-02-28 10:23 -------- d-----w- c:\users\Ed\AppData\Local\Windows Live
    2012-02-27 16:38 . 2012-02-27 16:38 -------- d-----w- c:\program files\Common Files\Windows Live
    2012-02-26 15:30 . 2012-02-26 15:38 -------- d-----w- C:\Jan
    2012-02-26 13:51 . 2012-02-26 13:51 -------- d-----w- c:\program files\MSXML 4.0
    2012-02-24 23:01 . 2012-02-24 23:01 -------- d-----w- c:\users\Ed\AppData\Roaming\Nokia Suite
    2012-02-24 22:50 . 2012-02-24 23:01 -------- d-----w- c:\users\Ed\AppData\Roaming\Nokia
    2012-02-24 22:50 . 2012-02-24 22:52 -------- d-----w- c:\users\Ed\AppData\Local\Nokia
    2012-02-24 22:49 . 2012-02-24 22:57 -------- d-----w- c:\programdata\PC Suite
    2012-02-24 22:49 . 2012-02-24 22:59 -------- d-----w- c:\users\Ed\AppData\Roaming\PC Suite
    2012-02-24 22:49 . 2012-02-24 22:49 -------- d-----w- c:\program files\Common Files\Nokia
    2012-02-24 22:49 . 2012-02-24 22:49 -------- d-----w- c:\programdata\Nokia
    2012-02-24 22:48 . 2012-02-24 22:48 -------- d-----w- c:\program files\DIFX
    2012-02-24 22:48 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2012-02-24 22:47 . 2012-02-24 22:47 -------- d-----w- c:\program files\PC Connectivity Solution
    2012-02-24 22:47 . 2011-11-01 10:07 75264 ----a-w- c:\windows\system32\nmwcdcls.dll
    2012-02-24 22:46 . 2012-02-24 22:49 -------- d-----w- c:\program files\Nokia
    2012-02-24 22:17 . 2012-02-24 22:17 -------- d-----w- c:\users\Ed\AppData\Roaming\Blackberry Desktop
    2012-02-24 22:05 . 2012-02-24 22:05 -------- d-----w- c:\users\Ed\AppData\Local\Research In Motion
    2012-02-24 22:05 . 2012-02-24 22:11 -------- d-----w- c:\users\Ed\AppData\Roaming\Research In Motion
    2012-02-24 22:04 . 2011-07-20 15:13 35328 ----a-w- c:\windows\system32\drivers\RimSerial.sys
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\programdata\Research In Motion
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\program files\Common Files\Research In Motion
    2012-02-24 22:03 . 2012-02-24 22:03 -------- d-----w- c:\program files\Research In Motion
    2012-02-24 17:20 . 2012-02-24 17:20 -------- d-----w- c:\windows\system32\aliedit
    2012-02-24 17:20 . 2012-02-27 13:17 -------- d-----w- c:\program files\Trademanager
    2012-02-24 17:17 . 2012-02-24 17:17 -------- d-----w- c:\users\Ed\AppData\Local\Alibaba
    2012-02-18 11:19 . 2012-02-18 11:19 -------- d-----w- c:\users\Ed\AppData\Roaming\Scooter Software
    2012-02-18 11:18 . 2012-02-18 11:19 -------- d-----w- c:\program files\Beyond Compare 3
    2012-02-18 03:10 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C968969D-D305-4E77-A2BE-728079485787}\mpengine.dll
    2012-02-17 17:57 . 2012-02-17 17:57 -------- d-----w- c:\program files\IMAPSize
    2012-02-17 17:09 . 2012-02-17 17:09 -------- d-----w- c:\users\Ed\AppData\Roaming\Helios
    2012-02-17 17:09 . 2012-02-17 17:09 49152 ----a-r- c:\users\Ed\AppData\Roaming\Microsoft\Installer\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}\NewShortcut1.exe
    2012-02-17 17:09 . 2012-02-17 17:09 49152 ----a-r- c:\users\Ed\AppData\Roaming\Microsoft\Installer\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}\ARPPRODUCTICON.exe
    2012-02-17 17:09 . 2012-02-17 17:09 -------- d-----w- c:\program files\TextPad 5
    2012-02-15 17:24 . 2009-06-22 18:58 89600 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
    2012-02-15 17:21 . 2012-02-15 17:21 -------- d-----w- c:\users\Ed\AppData\Local\ElevatedDiagnostics
    2012-02-15 17:02 . 2012-02-15 17:02 -------- d-----w- c:\program files\Hewlett-Packard
    2012-02-15 17:02 . 2012-02-15 17:02 -------- d-----w- c:\program files\HP
    2012-02-15 15:18 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 15:16 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
    2012-02-14 00:52 . 2012-02-14 00:52 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2012-02-07 08:06 . 2012-02-07 08:07 -------- d-----w- c:\users\Jan
    2012-02-04 12:59 . 2012-02-04 12:59 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2012-02-04 12:59 . 2012-02-04 12:59 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
    2012-02-04 12:59 . 2012-02-04 12:59 129248 ----a-w- c:\windows\system32\drivers\snapman.sys
    2012-02-04 12:59 . 2012-02-04 12:59 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys
    2012-02-04 12:58 . 2012-02-04 12:58 -------- d-----w- c:\program files\Common Files\Acronis
    2012-02-04 12:58 . 2012-02-04 12:58 -------- d-----w- c:\program files\Acronis
    2012-02-01 22:42 . 2012-02-01 22:42 -------- d-----w- c:\users\Ed\AppData\Roaming\River Past G2
    2012-02-01 21:25 . 2012-02-01 21:25 -------- d-----w- c:\program files\7-Zip
    2012-02-01 20:13 . 2012-02-01 20:13 -------- d-----w- c:\windows\Sun
    2012-01-31 21:54 . 2012-01-31 21:54 -------- d-----w- c:\users\Ed\AppData\Local\Adobe
    2012-01-31 21:53 . 2012-01-31 21:53 -------- d-----w- c:\users\Ed\AppData\Roaming\MrSmooth.1F1C2CE6230412E7752D206B573506D8446D8E6A.1
    2012-01-31 21:53 . 2012-01-31 21:53 -------- d-----w- c:\program files\MrSmooth
    2012-01-31 21:53 . 2012-02-01 22:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2012-01-31 21:52 . 2012-01-31 21:52 -------- d-----w- c:\program files\Mr Smooth
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-27 16:44 . 2011-03-28 18:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-02-17 19:51 . 2012-01-15 19:35 286720 ------w- c:\windows\Setup1.exe
    2012-02-17 19:50 . 2012-01-15 19:35 73216 ----a-w- c:\windows\ST6UNST.EXE
    2012-01-28 19:37 . 2012-01-28 19:37 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2012-01-28 19:37 . 2012-01-28 19:37 47360 ----a-w- c:\users\Ed\AppData\Roaming\pcouffin.sys
    2012-01-27 00:21 . 2012-01-06 21:41 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-17 22:58 . 2012-01-07 18:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-08 13:27 . 2012-01-08 13:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-07 17:23 . 2012-01-07 17:23 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2012-01-07 15:11 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-01-07 12:50 . 2012-01-07 12:50 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2012-01-07 12:50 . 2012-01-07 12:50 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-01-07 12:50 . 2012-01-07 12:50 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-01-07 12:50 . 2012-01-07 12:50 74752 ----a-w- c:\windows\system32\iesetup.dll
    2012-01-07 12:50 . 2012-01-07 12:50 63488 ----a-w- c:\windows\system32\tdc.ocx
    2012-01-07 12:50 . 2012-01-07 12:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-01-07 12:50 . 2012-01-07 12:50 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-01-07 12:50 . 2012-01-07 12:50 367104 ----a-w- c:\windows\system32\html.iec
    2012-01-07 12:50 . 2012-01-07 12:50 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-01-07 12:50 . 2012-01-07 12:50 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2012-01-07 12:50 . 2012-01-07 12:50 161792 ----a-w- c:\windows\system32\msls31.dll
    2012-01-07 12:50 . 2012-01-07 12:50 152064 ----a-w- c:\windows\system32\wextract.exe
    2012-01-07 12:50 . 2012-01-07 12:50 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-01-07 12:50 . 2012-01-07 12:50 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-01-07 12:50 . 2012-01-07 12:50 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-01-07 12:50 . 2012-01-07 12:50 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-01-07 12:50 . 2012-01-07 12:50 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\UC.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\RAR.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\LHA.PIF
    2012-01-06 08:00 . 2012-01-07 18:37 545 ----a-w- c:\windows\ARJ.PIF
    2011-12-29 18:00 . 2012-01-22 20:26 79360 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-12-21 18:14 . 2012-01-22 20:26 151552 ----a-w- c:\windows\system32\ac3acm.acm
    2011-12-19 14:12 . 2011-12-19 14:12 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
    2011-12-19 14:11 . 2012-01-07 19:11 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
    2011-12-19 14:11 . 2012-01-07 19:11 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2011-12-19 14:11 . 2011-12-19 14:11 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
    2011-12-19 14:11 . 2011-12-19 14:11 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
    2011-12-21 07:47 . 2012-01-07 10:52 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaSuite.exe"="c:\program files\Nokia\Nokia Suite\NokiaSuite.exe" [2012-01-10 1083264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 136176]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 umpusbvista;Texas Instruments USB Serial Driver;c:\windows\system32\DRIVERS\umpusbvista.sys [2009-10-20 47104]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-07 1343400]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-12-19 158512]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-12-19 91440]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S2 Realtek11nCU;Realtek11nCU;c:\program files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2012-01-28 47360]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
    S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2011-02-11 728064]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-12-19 104752]
    S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-12-19 116016]
    .
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    AeLookupSvc
    CertPropSvc
    SCPolicySvc
    lanmanserver
    gpsvc
    IKEEXT
    AudioSrv
    FastUserSwitchingCompatibility
    Ias
    Irmon
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    Remoteaccess
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Wmi
    WmdmPmSp
    ibmsmbus
    dpti2o
    PEVSystemStart
    avgtdi
    hpdskflt
    z800mdfl
    s117obex
    WmVirHid
    Si3132
    HSFHWALI
    W8100PCI
    X10UIF
    bcm4sbxp
    wdm_au8820
    SymIM
    dbmanagerscheduler
    PciBus
    uphclean
    npfmntor
    rslinx
    thotkey
    nHancer
    mlkkbdntdriver
    bwsvc
    SE27mdm
    epstnt01
    mssql$soshome22
    se59mgmt
    roxwatch9
    aswrdr
    PGPsdkDriver
    hpqddsvc
    dlcf_device
    sis162u
    mxssvr
    coste
    pctfw1
    vetefile
    cdr4_2k
    enxpsvc
    transactional
    NWSNS
    atmarpc
    NeroMediaHomeService.4
    VAIOMediaPlatform-VideoServer-UPnP
    DSDrv4
    adobeversioncue
    cm102u32
    MSICPL
    vzupsvc
    fsma
    AtiHdmiService
    SE2Bmdfl
    cdvp
    licenseservice
    se26nd5
    mcafeeframework
    VCAM
    pdlndldl
    vet-filt
    hsfhwbs2
    SaiMini
    roxupnpserver
    NsTrcNT
    umpusbxp
    tvichw32
    inotask
    Eplpdx02
    w800mdfl
    ooclevercacheagent
    TermService
    wuauserv
    BITS
    ShellHWDetection
    LogonHours
    PCAudit
    helpsvc
    uploadmgr
    iphlpsvc
    seclogon
    AppInfo
    msiscsi
    MMCSS
    wercplsupport
    EapHost
    ProfSvc
    schedule
    hkmsvc
    SessionEnv
    winmgmt
    browser
    Themes
    BDESVC
    AppMgmt
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
    .
    2012-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-08 01:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    FF - ProfilePath - c:\users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\x7uoiu9s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
    76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
    2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:96,ce,0e,42,83,f6,cc,01
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(752)
    c:\windows\system32\relog_ap.DLL
    .
    Completion time: 2012-03-01 17:47:30
    ComboFix-quarantined-files.txt 2012-03-01 17:47
    ComboFix2.txt 2012-02-29 23:13
    ComboFix3.txt 2012-02-29 22:15
    ComboFix4.txt 2012-02-29 21:05
    .
    Pre-Run: 67,854,839,808 bytes free
    Post-Run: 67,807,391,744 bytes free
    .
    - - End Of File - - F516BD16E25E20B18E55FFEBFADA98E5
  13. Broni

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    DeleteFile: 
    "c:\windows\system32\W2ww4sH.com__"
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
  14. RedEd

    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    MoveFileOnReboot: sourceFile = "\??\c:\windows\system32\w2ww4sh.com__", destinationFile = "(null)", replaceWithDummy = 0
  15. Broni

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  16. RedEd

    OTL logfile created on: 01/03/2012 18:45:31 - Run 1
    OTL by OldTimer - Version 3.2.34.0 Folder = C:\Users\Ed\Desktop
    Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.75 Gb Total Physical Memory | 1.61 Gb Available Physical Memory | 58.64% Memory free
    5.49 Gb Paging File | 4.31 Gb Available in Paging File | 78.51% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 114.40 Gb Total Space | 63.19 Gb Free Space | 55.24% Space Free | Partition Type: NTFS

    Computer Name: ED-PC | User Name: Ed | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/01 18:28:44 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\Ed\Desktop\OTL.exe
    PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012/01/13 14:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2012/01/10 18:36:34 | 001,083,264 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe
    PRC - [2012/01/04 13:32:36 | 000,718,888 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    PRC - [2012/01/04 13:32:18 | 000,173,096 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    PRC - [2012/01/04 13:32:06 | 000,148,520 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
    PRC - [2011/09/01 17:47:26 | 000,090,448 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    PRC - [2011/06/24 04:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
    PRC - [2011/04/20 02:04:38 | 000,393,216 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
    PRC - [2011/04/20 02:04:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
    PRC - [2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010/11/20 12:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/07/27 18:33:18 | 001,167,360 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
    PRC - [2010/04/16 16:10:58 | 000,036,864 | ---- | M] (Realtek) -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe
    PRC - [2007/10/30 20:51:44 | 000,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    PRC - [2007/10/30 20:11:48 | 000,909,208 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    PRC - [2007/10/30 20:07:40 | 000,140,568 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    PRC - [2007/10/30 20:07:38 | 000,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    PRC - [2007/10/30 20:06:42 | 002,595,616 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/01/10 18:38:40 | 000,423,808 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\ssoengine.dll
    MOD - [2012/01/10 18:38:38 | 000,058,240 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\securestorage.dll
    MOD - [2012/01/10 18:38:34 | 000,095,104 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\qjson.dll
    MOD - [2012/01/10 18:38:32 | 000,272,768 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\phonon4.dll
    MOD - [2012/01/10 18:38:00 | 000,384,896 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QxtCore.dll
    MOD - [2012/01/10 18:38:00 | 000,165,248 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QxtWeb.dll
    MOD - [2012/01/10 18:37:58 | 002,557,312 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtXmlPatterns4.dll
    MOD - [2012/01/10 18:37:56 | 000,346,496 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtXml4.dll
    MOD - [2012/01/10 18:37:54 | 010,843,520 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtWebKit4.dll
    MOD - [2012/01/10 18:37:48 | 000,196,480 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtSql4.dll
    MOD - [2012/01/10 18:37:46 | 001,294,208 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtScript4.dll
    MOD - [2012/01/10 18:37:44 | 000,682,880 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtOpenGL4.dll
    MOD - [2012/01/10 18:37:42 | 000,919,936 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtNetwork4.dll
    MOD - [2012/01/10 18:37:40 | 000,517,504 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtMultimediaKit1.dll
    MOD - [2012/01/10 18:37:38 | 008,172,928 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtGui4.dll
    MOD - [2012/01/10 18:37:36 | 002,252,672 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtDeclarative4.dll
    MOD - [2012/01/10 18:37:34 | 002,288,512 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\QtCore4.dll
    MOD - [2012/01/10 18:37:32 | 000,422,272 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\sqldrivers\qsqlite4.dll
    MOD - [2012/01/10 18:37:22 | 000,202,624 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\Imageformats\qjpeg4.dll
    MOD - [2012/01/10 18:37:20 | 000,034,688 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\Imageformats\qico4.dll
    MOD - [2012/01/10 18:37:18 | 000,032,640 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\Imageformats\qgif4.dll
    MOD - [2012/01/10 18:36:38 | 000,388,480 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\OviShareLib.dll
    MOD - [2012/01/10 18:36:24 | 000,437,632 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\NService.dll
    MOD - [2012/01/10 18:36:02 | 001,037,696 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\Maps Service API.dll
    MOD - [2012/01/10 18:35:06 | 000,758,656 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\CommonUpdateChecker.dll
    MOD - [2012/01/05 16:00:24 | 000,112,640 | ---- | M] () -- C:\Program Files\Nokia\Nokia Suite\mediaservice\dsengine.dll
    MOD - [2011/11/01 23:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2011/11/01 23:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
    MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
    MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    MOD - [2007/10/29 19:53:32 | 001,328,408 | ---- | M] () -- C:\Program Files\Acronis\TrueImageHome\fox.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (z800mdfl)
    SRV - File not found [Auto | Stopped] -- -- (X10UIF)
    SRV - File not found [Auto | Stopped] -- -- (WmVirHid)
    SRV - File not found [Auto | Stopped] -- -- (wdm_au8820)
    SRV - File not found [Auto | Stopped] -- -- (W8100PCI)
    SRV - File not found [Auto | Stopped] -- -- (w800mdfl)
    SRV - File not found [Auto | Stopped] -- -- (vzupsvc)
    SRV - File not found [Auto | Stopped] -- -- (vet-filt)
    SRV - File not found [Auto | Stopped] -- -- (vetefile)
    SRV - File not found [Auto | Stopped] -- -- (VCAM)
    SRV - File not found [Auto | Stopped] -- -- (VAIOMediaPlatform-VideoServer-UPnP)
    SRV - File not found [Auto | Stopped] -- -- (uphclean)
    SRV - File not found [Auto | Stopped] -- -- (umpusbxp)
    SRV - File not found [Auto | Stopped] -- -- (tvichw32)
    SRV - File not found [Auto | Stopped] -- -- (transactional)
    SRV - File not found [Auto | Stopped] -- -- (thotkey)
    SRV - File not found [Auto | Stopped] -- -- (SymIM)
    SRV - File not found [Auto | Stopped] -- -- (sis162u)
    SRV - File not found [Auto | Stopped] -- -- (Si3132)
    SRV - File not found [Auto | Stopped] -- -- (se59mgmt)
    SRV - File not found [Auto | Stopped] -- -- (SE2Bmdfl)
    SRV - File not found [Auto | Stopped] -- -- (SE27mdm)
    SRV - File not found [Auto | Stopped] -- -- (se26nd5)
    SRV - File not found [Auto | Stopped] -- -- (SaiMini)
    SRV - File not found [Auto | Stopped] -- -- (s117obex)
    SRV - File not found [Auto | Stopped] -- -- (rslinx)
    SRV - File not found [Auto | Stopped] -- -- (roxwatch9)
    SRV - File not found [Auto | Stopped] -- -- (roxupnpserver)
    SRV - File not found [Auto | Stopped] -- -- (PGPsdkDriver)
    SRV - File not found [Auto | Stopped] -- -- (pdlndldl)
    SRV - File not found [Auto | Stopped] -- -- (pctfw1)
    SRV - File not found [Auto | Stopped] -- -- (PciBus)
    SRV - File not found [Auto | Stopped] -- -- (ooclevercacheagent)
    SRV - File not found [Auto | Stopped] -- -- (NWSNS)
    SRV - File not found [Auto | Stopped] -- -- (NsTrcNT)
    SRV - File not found [Auto | Stopped] -- -- (npfmntor)
    SRV - File not found [Auto | Stopped] -- -- (nHancer)
    SRV - File not found [Auto | Stopped] -- -- (NeroMediaHomeService.4)
    SRV - File not found [Auto | Stopped] -- -- (mssql$soshome22)
    SRV - File not found [Auto | Stopped] -- -- (MSICPL)
    SRV - File not found [Auto | Stopped] -- -- (mlkkbdntdriver)
    SRV - File not found [Auto | Stopped] -- -- (mcafeeframework)
    SRV - File not found [Auto | Stopped] -- -- (licenseservice)
    SRV - File not found [Auto | Stopped] -- -- (inotask)
    SRV - File not found [Auto | Stopped] -- -- (ibmsmbus)
    SRV - File not found [Auto | Stopped] -- -- (hsfhwbs2)
    SRV - File not found [Auto | Stopped] -- -- (HSFHWALI)
    SRV - File not found [Auto | Stopped] -- -- (hpqddsvc)
    SRV - File not found [Auto | Stopped] -- -- (hpdskflt)
    SRV - File not found [Auto | Stopped] -- -- (fsma)
    SRV - File not found [Auto | Stopped] -- -- (epstnt01)
    SRV - File not found [Auto | Stopped] -- -- (Eplpdx02)
    SRV - File not found [Auto | Stopped] -- -- (enxpsvc)
    SRV - File not found [Auto | Stopped] -- -- (DSDrv4)
    SRV - File not found [Auto | Stopped] -- -- (dpti2o)
    SRV - File not found [Auto | Stopped] -- -- (dlcf_device)
    SRV - File not found [Auto | Stopped] -- -- (dbmanagerscheduler)
    SRV - File not found [Auto | Stopped] -- -- (cm102u32)
    SRV - File not found [Auto | Stopped] -- -- (cdvp)
    SRV - File not found [Auto | Stopped] -- -- (cdr4_2k)
    SRV - File not found [Auto | Stopped] -- -- (bwsvc)
    SRV - File not found [Auto | Stopped] -- -- (bcm4sbxp)
    SRV - File not found [Auto | Stopped] -- -- (avgtdi)
    SRV - File not found [Auto | Stopped] -- -- (atmarpc)
    SRV - File not found [Auto | Stopped] -- -- (AtiHdmiService)
    SRV - File not found [Auto | Stopped] -- -- (aswrdr)
    SRV - File not found [Auto | Stopped] -- -- (adobeversioncue)
    SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/01/07 12:21:24 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2012/01/04 13:32:36 | 000,718,888 | ---- | M] (Nokia) [On_Demand | Running] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2011/06/12 11:15:00 | 031,125,880 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
    SRV - [2011/04/20 02:04:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
    SRV - [2010/04/16 16:10:58 | 000,036,864 | ---- | M] (Realtek) [Auto | Running] -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe -- (Realtek11nCU)
    SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/14 01:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/14 01:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/07/14 01:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\AtlsAud.dll -- (mxssvr)
    SRV - [2009/07/14 01:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\System32\cltnetcnservice.dll -- (coste)
    SRV - [2007/10/30 20:51:44 | 000,492,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
    SRV - [2007/10/30 20:07:38 | 000,427,288 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)


    ========== Driver Services (SafeList) ==========

    DRV - [2012/02/04 12:59:55 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\timntr.sys -- (timounter)
    DRV - [2012/02/04 12:59:55 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\System32\drivers\tifsfilt.sys -- (tifsfilter)
    DRV - [2012/02/04 12:59:19 | 000,129,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\snapman.sys -- (snapman)
    DRV - [2012/02/04 12:59:01 | 000,368,544 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tdrpman.sys -- (tdrpman)
    DRV - [2012/01/07 17:23:59 | 000,231,376 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)
    DRV - [2011/12/19 14:12:00 | 000,104,752 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
    DRV - [2011/12/19 14:11:58 | 000,158,512 | ---- | M] (Oracle Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\VBoxDrv.sys -- (VBoxDrv)
    DRV - [2011/12/19 14:11:58 | 000,116,016 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VBoxNetFlt.sys -- (VBoxNetFlt)
    DRV - [2011/12/19 14:11:58 | 000,091,440 | ---- | M] (Oracle Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\VBoxUSBMon.sys -- (VBoxUSBMon)
    DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/11/01 10:07:26 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd)
    DRV - [2011/11/01 10:07:26 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev)
    DRV - [2011/11/01 10:07:24 | 000,023,168 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc)
    DRV - [2011/04/20 02:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
    DRV - [2011/04/20 01:22:10 | 000,243,712 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
    DRV - [2011/02/11 01:35:44 | 000,728,064 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8192cu.sys -- (RTL8192cu)
    DRV - [2010/11/20 12:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
    DRV - [2010/11/20 12:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
    DRV - [2010/11/20 12:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
    DRV - [2010/11/20 10:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/11/20 10:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
    DRV - [2010/11/20 09:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
    DRV - [2010/11/20 09:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
    DRV - [2010/11/20 08:42:32 | 000,078,336 | ---- | M] () [File_System | System | Running] -- C:\Windows\System32\drivers\dfsc.sys -- (DfsC)
    DRV - [2009/10/20 20:23:24 | 000,047,104 | ---- | M] (Texas Instruments Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\umpusbvista.sys -- (umpusbvista)
    DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-772813580-1867907093-3800966155-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
    IE - HKU\S-1-5-21-772813580-1867907093-3800966155-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 8C 34 32 F3 59 F5 CC 01 [binary data]
    IE - HKU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-772813580-1867907093-3800966155-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-772813580-1867907093-3800966155-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk"

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll (Foxit Corporation)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\virtualKeyboard@kaspersky.ru
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\KavAntiBanner@Kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\KavAntiBanner@kaspersky.ru
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\linkfilter@kaspersky.ru
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fe_9.0@nokia.com: C:\Program Files\Nokia\Nokia Suite\Connectors\Bookmarks Connector\FirefoxExtension_9.0 [2012/02/24 22:49:02 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/07 10:52:45 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/24 17:20:49 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/01/07 17:41:34 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

    [2012/01/07 10:53:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ed\AppData\Roaming\Mozilla\Extensions
    [2012/02/15 17:00:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\x7uoiu9s.default\extensions
    [2012/02/15 17:00:14 | 000,000,000 | ---D | M] (HP Detect) -- C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\x7uoiu9s.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
    [2012/01/08 13:29:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/01/08 13:29:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    () (No name found) -- C:\USERS\ED\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X7UOIU9S.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
    () (No name found) -- C:\USERS\ED\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X7UOIU9S.DEFAULT\EXTENSIONS\{E0204BD5-9D31-402B-A99D-A6AA8FFEBDCA}.XPI
    [2011/12/21 07:47:04 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/07/29 13:33:40 | 000,108,480 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npwangwang.dll
    [2011/12/21 05:14:26 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2011/12/21 05:02:40 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/12/21 05:14:26 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2011/12/21 05:14:26 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2011/12/21 05:14:26 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2012/02/29 22:10:02 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
    O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
    O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
    O4 - HKU\S-1-5-21-772813580-1867907093-3800966155-1000..\Run: [NokiaSuite.exe] C:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe (Nokia)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-772813580-1867907093-3800966155-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-772813580-1867907093-3800966155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
    O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{21C6F387-FCEA-420A-86F4-973DBEC97120}: DhcpNameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{238FBD14-0FEC-4186-932C-E1225B93772E}: DhcpNameServer = 194.168.4.100 194.168.8.100
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O30 - LSA: Authentication Packages - (relog_ap) - C:\Windows\System32\relog_ap.dll (Acronis)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: ibmsmbus - File not found
    NetSvcs: dpti2o - File not found
    NetSvcs: PEVSystemStart - File not found
    NetSvcs: avgtdi - File not found
    NetSvcs: hpdskflt - File not found
    NetSvcs: z800mdfl - File not found
    NetSvcs: s117obex - File not found
    NetSvcs: WmVirHid - File not found
    NetSvcs: Si3132 - File not found
    NetSvcs: HSFHWALI - File not found
    NetSvcs: W8100PCI - File not found
    NetSvcs: X10UIF - File not found
    NetSvcs: bcm4sbxp - File not found
    NetSvcs: wdm_au8820 - File not found
    NetSvcs: SymIM - File not found
    NetSvcs: dbmanagerscheduler - File not found
    NetSvcs: PciBus - File not found
    NetSvcs: uphclean - File not found
    NetSvcs: npfmntor - File not found
    NetSvcs: rslinx - File not found
    NetSvcs: thotkey - File not found
    NetSvcs: nHancer - File not found
    NetSvcs: mlkkbdntdriver - File not found
    NetSvcs: bwsvc - File not found
    NetSvcs: SE27mdm - File not found
    NetSvcs: epstnt01 - File not found
    NetSvcs: mssql$soshome22 - File not found
    NetSvcs: se59mgmt - File not found
    NetSvcs: roxwatch9 - File not found
    NetSvcs: aswrdr - File not found
    NetSvcs: PGPsdkDriver - File not found
    NetSvcs: hpqddsvc - File not found
    NetSvcs: dlcf_device - File not found
    NetSvcs: sis162u - File not found
    NetSvcs: mxssvr - C:\Windows\System32\AtlsAud.dll (Oak Technology Inc.)
    NetSvcs: coste - C:\Windows\System32\cltnetcnservice.dll (Oak Technology Inc.)
    NetSvcs: pctfw1 - File not found
    NetSvcs: vetefile - File not found
    NetSvcs: cdr4_2k - File not found
    NetSvcs: enxpsvc - File not found
    NetSvcs: transactional - File not found
    NetSvcs: NWSNS - File not found
    NetSvcs: atmarpc - File not found
    NetSvcs: NeroMediaHomeService.4 - File not found
    NetSvcs: VAIOMediaPlatform-VideoServer-UPnP - File not found
    NetSvcs: DSDrv4 - File not found
    NetSvcs: adobeversioncue - File not found
    NetSvcs: cm102u32 - File not found
    NetSvcs: MSICPL - File not found
    NetSvcs: vzupsvc - File not found
    NetSvcs: fsma - File not found
    NetSvcs: AtiHdmiService - File not found
    NetSvcs: SE2Bmdfl - File not found
    NetSvcs: cdvp - File not found
    NetSvcs: licenseservice - File not found
    NetSvcs: se26nd5 - File not found
    NetSvcs: mcafeeframework - File not found
    NetSvcs: VCAM - File not found
    NetSvcs: pdlndldl - File not found
    NetSvcs: vet-filt - File not found
    NetSvcs: hsfhwbs2 - File not found
    NetSvcs: SaiMini - File not found
    NetSvcs: roxupnpserver - File not found
    NetSvcs: NsTrcNT - File not found
    NetSvcs: umpusbxp - File not found
    NetSvcs: tvichw32 - File not found
    NetSvcs: inotask - File not found
    NetSvcs: Eplpdx02 - File not found
    NetSvcs: w800mdfl - File not found
    NetSvcs: ooclevercacheagent - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.ac3acm - C:\Windows\System32\ac3acm.acm (fccHandler)
    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lameacm - C:\Windows\System32\lameACM.acm (http://www.mp3dev.org/)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()
    Drivers32: VIDC.XVID - C:\Windows\System32\xvidvfw.dll ()
    Drivers32: VIDC.YV12 - C:\Windows\System32\xvidvfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/01 18:28:43 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Users\Ed\Desktop\OTL.exe
    [2012/03/01 18:17:53 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/03/01 17:46:52 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/03/01 17:30:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/03/01 17:30:47 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/02/29 20:24:02 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\temp
    [2012/02/29 19:39:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/02/29 19:39:23 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/02/29 19:38:45 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/02/29 18:45:47 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/02/29 18:34:17 | 004,420,481 | R--- | C] (Swearware) -- C:\Users\Ed\Desktop\ComboFix.exe
    [2012/02/29 18:17:06 | 000,000,000 | ---D | C] -- C:\Users\Ed\Desktop\RK_Quarantine
    [2012/02/29 11:02:24 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Malwarebytes
    [2012/02/29 11:02:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/29 11:02:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/02/29 11:02:04 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/02/29 11:02:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/02/28 20:21:02 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ReliefJet Essentials
    [2012/02/28 20:21:00 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\ReliefJet Essentials
    [2012/02/28 20:01:22 | 000,581,632 | ---- | C] (Joshua F. Madison) -- C:\Users\Ed\Desktop\CONVERT.EXE
    [2012/02/28 19:47:03 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
    [2012/02/28 19:43:53 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
    [2012/02/28 19:36:43 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
    [2012/02/28 19:34:49 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2012/02/28 18:07:01 | 000,000,000 | ---D | C] -- C:\Users\Ed\Desktop\email
    [2012/02/28 10:23:19 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\{928C28D1-CF31-40B0-80C6-40ED46AAD963}
    [2012/02/28 10:23:07 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\{59D9C12F-AE5C-45A0-B534-62DAC15E1F5E}
    [2012/02/27 16:49:36 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\{306C849C-CB13-48A1-863E-C353BF9A5A5C}
    [2012/02/27 16:49:24 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\{1EEB30EC-52DA-4E18-A50C-AF2326DB4178}
    [2012/02/27 16:49:12 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Windows Live Writer
    [2012/02/27 16:49:12 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\Windows Live Writer
    [2012/02/27 16:43:42 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
    [2012/02/27 16:38:08 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\Windows Live
    [2012/02/27 16:38:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
    [2012/02/26 15:30:20 | 000,000,000 | ---D | C] -- C:\Jan
    [2012/02/26 13:51:56 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
    [2012/02/24 23:01:36 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Nokia Suite
    [2012/02/24 22:59:00 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\NokiaAccount
    [2012/02/24 22:50:02 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Nokia
    [2012/02/24 22:50:02 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\Nokia
    [2012/02/24 22:49:57 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Suite
    [2012/02/24 22:49:55 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\PC Suite
    [2012/02/24 22:49:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nokia
    [2012/02/24 22:49:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Nokia
    [2012/02/24 22:49:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
    [2012/02/24 22:48:03 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
    [2012/02/24 22:48:01 | 000,018,816 | ---- | C] (Nokia) -- C:\Windows\System32\drivers\pccsmcfd.sys
    [2012/02/24 22:47:40 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
    [2012/02/24 22:47:20 | 000,075,264 | ---- | C] (Nokia) -- C:\Windows\System32\nmwcdcls.dll
    [2012/02/24 22:46:44 | 000,000,000 | ---D | C] -- C:\ProgramData\NokiaInstallerCache
    [2012/02/24 22:46:44 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
    [2012/02/24 22:17:10 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Blackberry Desktop
    [2012/02/24 22:12:26 | 000,000,000 | ---D | C] -- C:\Users\Ed\Documents\BlackBerry
    [2012/02/24 22:05:47 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\Research In Motion
    [2012/02/24 22:05:46 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Research In Motion
    [2012/02/24 22:03:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BlackBerry
    [2012/02/24 22:03:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Research In Motion
    [2012/02/24 22:03:20 | 000,000,000 | ---D | C] -- C:\Program Files\Research In Motion
    [2012/02/24 22:03:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Research In Motion
    [2012/02/24 17:20:47 | 000,000,000 | ---D | C] -- C:\Windows\System32\aliedit
    [2012/02/24 17:20:39 | 000,000,000 | ---D | C] -- C:\Program Files\Trademanager
    [2012/02/24 17:17:47 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\Alibaba
    [2012/02/18 11:19:03 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Scooter Software
    [2012/02/18 11:18:57 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Beyond Compare 3
    [2012/02/18 11:18:56 | 000,000,000 | ---D | C] -- C:\Program Files\Beyond Compare 3
    [2012/02/17 18:41:55 | 000,000,000 | ---D | C] -- C:\Users\Ed\Documents\Outlook Files
    [2012/02/17 18:05:07 | 000,000,000 | ---D | C] -- C:\Users\Ed\Documents\thunderbird emails for import
    [2012/02/17 17:57:03 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMAPSize
    [2012/02/17 17:57:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IMAPSize
    [2012/02/17 17:57:03 | 000,000,000 | ---D | C] -- C:\Program Files\IMAPSize
    [2012/02/17 17:09:45 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Helios
    [2012/02/17 17:09:08 | 000,000,000 | ---D | C] -- C:\Program Files\TextPad 5
    [2012/02/15 17:21:11 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\ElevatedDiagnostics
    [2012/02/15 17:02:43 | 000,000,000 | ---D | C] -- C:\Program Files\Hewlett-Packard
    [2012/02/15 17:02:07 | 000,000,000 | ---D | C] -- C:\Program Files\HP
    [2012/02/12 13:38:02 | 000,000,000 | ---D | C] -- C:\Users\Ed\Documents\Building Regulations
    [2012/02/12 11:37:55 | 000,000,000 | ---D | C] -- C:\Users\Ed\Documents\MS Project
    [2012/02/04 13:00:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Acronis
    [2012/02/04 12:58:52 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Acronis
    [2012/02/04 12:58:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Acronis
    [2012/02/04 12:58:41 | 000,000,000 | ---D | C] -- C:\Program Files\Acronis
    [2012/02/01 22:42:55 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\River Past G2
    [2012/02/01 21:25:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
    [2012/02/01 21:25:28 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
    [2012/02/01 20:13:51 | 000,000,000 | ---D | C] -- C:\Windows\Sun
    [2012/01/31 21:55:26 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
    [2012/01/31 21:54:25 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Local\Adobe
    [2012/01/31 21:53:37 | 000,000,000 | ---D | C] -- C:\Users\Ed\AppData\Roaming\MrSmooth.1F1C2CE6230412E7752D206B573506D8446D8E6A.1
    [2012/01/31 21:53:25 | 000,000,000 | ---D | C] -- C:\Program Files\MrSmooth
    [2012/01/31 21:53:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mr Smooth
    [2012/01/31 21:53:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
    [2012/01/31 21:53:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
    [2012/01/31 21:52:29 | 000,000,000 | ---D | C] -- C:\Program Files\Mr Smooth
    [2012/01/28 19:37:18 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Ed\AppData\Roaming\pcouffin.sys
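Reading a long OTL report like the one above by eye is slow, so here is a small triage helper that parses the two line shapes OTL emits (the `[date | size | attrs | C/M] (company) -- path` file entries and the numbered `O1`/`O6`/`NetSvcs:` hijack sections) and raises review flags for the things a log reader checks first: a disabled UAC policy, HOSTS entries that are not plain loopback, `netsvcs` group members that still resolve to a file on disk, and recently created company-less files with random-looking names in common drop directories. This is an added example, not code from the original post or from OTL's author; the rule set, the staging-directory list and the "random-looking name" heuristic are this example's assumptions, and the sample input is excerpted from the log posted above. A flag means "look at this", not "this is malware".

```python
r"""Triage helper for OTL log excerpts (added example; not OTL's own logic).

Line shapes handled:
  [2012/02/29 07:43:38 | 000,000,112 | ---- | M] () -- C:\ProgramData\aSShX6D.dat
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
  NetSvcs: mxssvr - C:\Windows\System32\AtlsAud.dll (Oak Technology Inc.)
The rules and heuristics below are assumptions about what a reader checks first.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$")
NETSVC_RE = re.compile(r"^NetSvcs: (?P<name>\S+) - (?P<target>.+)$")
POLICY_RE = re.compile(r"^O6 - .*\\policies\\System: (?P<key>\w+) = (?P<val>\d+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
# Assumed drop locations worth a closer look; not an OTL category.
STAGING_DIR_RE = re.compile(
    r"^c:\\(programdata|windows\\temp|users\\[^\\]+\\appdata\\(local|roaming)(\\temp)?)$", re.I)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,12}\.(dat|exe|dll|sys|tmp)$")


@dataclass
class FileEntry:
    ts: datetime
    size: int
    attrs: str      # e.g. ---D directory, -HS- hidden+system, R--- read-only
    kind: str       # 'C' created-list line, 'M' modified-list line
    company: str    # empty when OTL printed () or no company field at all
    path: str


@dataclass
class Flag:
    rule: str
    detail: str


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Parse one OTL file/folder line; returns None for any other line shape."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return FileEntry(
        ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),   # OTL zero-pads: 000,000,112 -> 112
        attrs=m["attrs"], kind=m["kind"],
        company=(m["company"] or "").strip(), path=m["path"])


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): mixed-case alphanumeric stem containing a digit,
    e.g. aSShX6D.dat. Kept narrow so GMER's all-lowercase random name passes."""
    if not RANDOM_NAME_RE.match(filename):
        return False
    stem = filename.rsplit(".", 1)[0]
    return (any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isupper() for c in stem))


def triage(lines) -> list:
    """Run the review rules over OTL lines and return the flags raised."""
    flags, policies = [], {}
    for raw in lines:
        line = raw.strip()
        if m := POLICY_RE.match(line):
            policies[m["key"]] = int(m["val"])
        elif m := HOSTS_RE.match(line):
            # Anything beyond loopback -> localhost deserves a look.
            if m["host"].lower() != "localhost" or not m["ip"].startswith("127."):
                flags.append(Flag("hosts-redirect", f'{m["host"]} -> {m["ip"]}'))
        elif m := NETSVC_RE.match(line):
            # 'File not found' members are leftovers; members that still resolve
            # to a file are where a netsvcs-group hijack would sit.
            if m["target"] != "File not found":
                flags.append(Flag("netsvcs-backed", f'{m["name"]} -> {m["target"]}'))
        else:
            fe = parse_file_entry(line)
            if fe and fe.kind == "C" and fe.company == "" and "\\" in fe.path:
                parent, name = fe.path.rsplit("\\", 1)
                if STAGING_DIR_RE.match(parent) and looks_random(name):
                    flags.append(Flag("random-name",
                                      f"{fe.path} ({fe.size} bytes, {fe.ts:%Y-%m-%d})"))
    if policies.get("EnableLUA") == 0:
        flags.append(Flag("uac-disabled",
                          f'EnableLUA=0, ConsentPromptBehaviorAdmin='
                          f'{policies.get("ConsentPromptBehaviorAdmin")}'))
    return flags


# Constructed input: lines excerpted from the OTL log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
NetSvcs: hpdskflt - File not found
NetSvcs: mxssvr - C:\Windows\System32\AtlsAud.dll (Oak Technology Inc.)
NetSvcs: coste - C:\Windows\System32\cltnetcnservice.dll (Oak Technology Inc.)
[2012/03/01 18:28:43 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Users\Ed\Desktop\OTL.exe
[2012/02/29 12:32:04 | 000,302,592 | ---- | C] () -- C:\Users\Ed\Desktop\p5vthjdp.exe
[2012/02/29 01:02:32 | 000,000,112 | ---- | C] () -- C:\ProgramData\aSShX6D.dat
[2012/01/28 19:37:18 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Ed\AppData\Roaming\pcouffin.sys
[2012/02/24 22:17:10 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Blackberry Desktop
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:16} {f.detail}")
```

On the excerpt above this raises four flags: the two `netsvcs` members that still point at DLLs in System32, the 112-byte company-less `aSShX6D.dat` in `C:\ProgramData`, and the `EnableLUA = 0` policy (UAC switched off). The dozens of `File not found` NetSvcs lines and GMER's own randomly named `p5vthjdp.exe` on the Desktop produce nothing, which is the point of keeping the name heuristic narrow and scoping it to drop directories.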
  17. RedEd

    ========== Files - Modified Within 30 Days ==========

    [2012/03/01 18:28:44 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\Ed\Desktop\OTL.exe
    [2012/03/01 18:20:01 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/03/01 18:18:17 | 000,000,874 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/03/01 18:17:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/03/01 18:17:52 | 2212,306,944 | -HS- | M] () -- C:\hiberfil.sys
    [2012/03/01 18:16:37 | 000,010,320 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/03/01 18:16:36 | 000,010,320 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/02/29 22:10:02 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/02/29 21:38:24 | 000,015,535 | ---- | M] () -- C:\Users\Ed\Desktop\34119_WMT0920_IMG_01_0000.JPG
    [2012/02/29 18:35:04 | 004,420,481 | R--- | M] (Swearware) -- C:\Users\Ed\Desktop\ComboFix.exe
    [2012/02/29 18:16:18 | 000,000,512 | ---- | M] () -- C:\Users\Ed\Desktop\MBR.dat
    [2012/02/29 12:32:14 | 000,302,592 | ---- | M] () -- C:\Users\Ed\Desktop\p5vthjdp.exe
    [2012/02/29 11:02:12 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/29 07:45:22 | 281,060,764 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/02/29 07:43:38 | 000,000,112 | ---- | M] () -- C:\ProgramData\aSShX6D.dat
    [2012/02/29 00:13:21 | 000,709,350 | ---- | M] () -- C:\Windows\System32\perfh00C.dat
    [2012/02/29 00:13:21 | 000,704,028 | ---- | M] () -- C:\Windows\System32\perfh010.dat
    [2012/02/29 00:13:21 | 000,658,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat
    [2012/02/29 00:13:21 | 000,638,064 | ---- | M] () -- C:\Windows\System32\perfh005.dat
    [2012/02/29 00:13:21 | 000,630,928 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/02/29 00:13:21 | 000,463,506 | ---- | M] () -- C:\Windows\System32\perfh014.dat
    [2012/02/29 00:13:21 | 000,448,308 | ---- | M] () -- C:\Windows\System32\perfh00B.dat
    [2012/02/29 00:13:21 | 000,414,656 | ---- | M] () -- C:\Windows\System32\perfh012.dat
    [2012/02/29 00:13:21 | 000,392,790 | ---- | M] () -- C:\Windows\System32\prfh0404.dat
    [2012/02/29 00:13:21 | 000,376,688 | ---- | M] () -- C:\Windows\System32\prfh0804.dat
    [2012/02/29 00:13:21 | 000,134,804 | ---- | M] () -- C:\Windows\System32\perfc00C.dat
    [2012/02/29 00:13:21 | 000,134,204 | ---- | M] () -- C:\Windows\System32\perfc007.dat
    [2012/02/29 00:13:21 | 000,131,808 | ---- | M] () -- C:\Windows\System32\perfc010.dat
    [2012/02/29 00:13:21 | 000,126,452 | ---- | M] () -- C:\Windows\System32\perfc005.dat
    [2012/02/29 00:13:21 | 000,111,052 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/02/29 00:13:21 | 000,109,340 | ---- | M] () -- C:\Windows\System32\perfc012.dat
    [2012/02/29 00:13:21 | 000,108,912 | ---- | M] () -- C:\Windows\System32\prfc0804.dat
    [2012/02/29 00:13:21 | 000,103,998 | ---- | M] () -- C:\Windows\System32\prfc0404.dat
    [2012/02/29 00:13:21 | 000,086,812 | ---- | M] () -- C:\Windows\System32\perfc00B.dat
    [2012/02/29 00:13:21 | 000,081,760 | ---- | M] () -- C:\Windows\System32\perfc014.dat
    [2012/02/27 14:31:59 | 000,006,907 | ---- | M] () -- C:\Users\Ed\AppData\Roaming\Comma Separated Values (Windows).EML
    [2012/02/27 14:07:26 | 000,000,948 | ---- | M] () -- C:\Windows\Active Setup Log.BAK
    [2012/02/24 22:57:34 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf
    [2012/02/24 22:57:19 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
    [2012/02/24 22:49:07 | 000,002,047 | ---- | M] () -- C:\Users\Public\Desktop\Nokia Suite.lnk
    [2012/02/24 22:12:24 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_RimUsb_01007.Wdf
    [2012/02/24 22:04:14 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_RimSerial_01007.Wdf
    [2012/02/24 22:03:38 | 000,002,189 | ---- | M] () -- C:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
    [2012/02/18 11:18:57 | 000,000,953 | ---- | M] () -- C:\Users\Ed\Desktop\Beyond Compare 3.lnk
    [2012/02/17 18:42:01 | 000,001,101 | ---- | M] () -- C:\Users\Ed\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
    [2012/02/17 17:57:04 | 000,000,913 | ---- | M] () -- C:\Users\Ed\Desktop\IMAPSize.lnk
    [2012/02/17 10:58:27 | 000,024,099 | ---- | M] () -- C:\Users\Ed\Desktop\Public-Swimming-Pool-Timetable-November-2011.pdf
    [2012/02/17 10:55:39 | 003,465,897 | ---- | M] () -- C:\Users\Ed\Desktop\flcpooltimetablejanuary2012.pdf
    [2012/02/15 16:47:29 | 000,408,048 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/02/14 13:36:49 | 000,227,764 | ---- | M] () -- C:\enters sink waste here.jpg
    [2012/02/14 13:36:19 | 000,218,793 | ---- | M] () -- C:\spaghetti.jpg
    [2012/02/14 13:35:43 | 000,225,357 | ---- | M] () -- C:\drains enter here.jpg
    [2012/02/14 13:27:46 | 002,346,306 | ---- | M] () -- C:\CIMG5848.JPG
    [2012/02/14 13:27:42 | 002,288,281 | ---- | M] () -- C:\CIMG5847.JPG
    [2012/02/14 13:27:24 | 002,312,729 | ---- | M] () -- C:\CIMG5846.JPG
    [2012/02/04 12:58:59 | 000,001,129 | ---- | M] () -- C:\Users\Ed\Desktop\Acronis True Image Home 11.0.lnk
    [2012/02/02 21:31:32 | 000,000,073 | ---- | M] () -- C:\Windows\cdplayer.ini
    [2012/02/02 21:31:17 | 000,001,534 | ---- | M] () -- C:\ProgramData\ss.ini
    [2012/01/31 22:32:32 | 000,002,056 | ---- | M] () -- C:\Users\Ed\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
    [2012/01/31 21:53:25 | 000,000,841 | ---- | M] () -- C:\Users\Public\Desktop\MrSmooth.lnk

    ========== Files Created - No Company Name ==========

    [2012/02/29 21:38:21 | 000,015,535 | ---- | C] () -- C:\Users\Ed\Desktop\34119_WMT0920_IMG_01_0000.JPG
    [2012/02/29 19:39:23 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/02/29 19:39:23 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/02/29 19:39:23 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/02/29 19:39:23 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/02/29 19:39:23 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/02/29 18:16:18 | 000,000,512 | ---- | C] () -- C:\Users\Ed\Desktop\MBR.dat
    [2012/02/29 12:32:04 | 000,302,592 | ---- | C] () -- C:\Users\Ed\Desktop\p5vthjdp.exe
    [2012/02/29 11:02:12 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/29 01:02:32 | 000,000,112 | ---- | C] () -- C:\ProgramData\aSShX6D.dat
    [2012/02/27 16:45:45 | 000,001,404 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
    [2012/02/27 14:31:59 | 000,006,907 | ---- | C] () -- C:\Users\Ed\AppData\Roaming\Comma Separated Values (Windows).EML
    [2012/02/27 14:07:15 | 000,000,948 | ---- | C] () -- C:\Windows\Active Setup Log.BAK
    [2012/02/24 22:57:34 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf
    [2012/02/24 22:57:19 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
    [2012/02/24 22:49:05 | 000,002,047 | ---- | C] () -- C:\Users\Public\Desktop\Nokia Suite.lnk
    [2012/02/24 22:12:24 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_RimUsb_01007.Wdf
    [2012/02/24 22:04:14 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_RimSerial_01007.Wdf
    [2012/02/24 22:03:38 | 000,002,189 | ---- | C] () -- C:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
    [2012/02/18 11:18:57 | 000,000,953 | ---- | C] () -- C:\Users\Ed\Desktop\Beyond Compare 3.lnk
    [2012/02/17 18:42:01 | 000,001,101 | ---- | C] () -- C:\Users\Ed\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
    [2012/02/17 17:57:04 | 000,000,913 | ---- | C] () -- C:\Users\Ed\Desktop\IMAPSize.lnk
    [2012/02/17 17:09:12 | 000,000,957 | ---- | C] () -- C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TextPad.lnk
    [2012/02/17 10:58:59 | 000,024,099 | ---- | C] () -- C:\Users\Ed\Desktop\Public-Swimming-Pool-Timetable-November-2011.pdf
    [2012/02/17 10:57:12 | 003,465,897 | ---- | C] () -- C:\Users\Ed\Desktop\flcpooltimetablejanuary2012.pdf
    [2012/02/14 13:36:48 | 000,227,764 | ---- | C] () -- C:\enters sink waste here.jpg
    [2012/02/14 13:36:19 | 000,218,793 | ---- | C] () -- C:\spaghetti.jpg
    [2012/02/14 13:35:43 | 000,225,357 | ---- | C] () -- C:\drains enter here.jpg
    [2012/02/14 13:32:35 | 002,346,306 | ---- | C] () -- C:\CIMG5848.JPG
    [2012/02/14 13:32:35 | 002,312,729 | ---- | C] () -- C:\CIMG5846.JPG
    [2012/02/14 13:32:35 | 002,288,281 | ---- | C] () -- C:\CIMG5847.JPG
    [2012/02/04 12:58:59 | 000,001,129 | ---- | C] () -- C:\Users\Ed\Desktop\Acronis True Image Home 11.0.lnk
    [2012/02/01 22:42:56 | 000,000,073 | ---- | C] () -- C:\Windows\cdplayer.ini
    [2012/02/01 22:39:45 | 000,001,534 | ---- | C] () -- C:\ProgramData\ss.ini
    [2012/01/31 21:53:25 | 000,000,841 | ---- | C] () -- C:\Users\Public\Desktop\MrSmooth.lnk
    [2012/01/28 19:37:18 | 000,007,887 | ---- | C] () -- C:\Users\Ed\AppData\Roaming\pcouffin.cat
    [2012/01/28 19:37:18 | 000,001,144 | ---- | C] () -- C:\Users\Ed\AppData\Roaming\pcouffin.inf
    [2012/01/24 21:31:31 | 000,003,584 | ---- | C] () -- C:\Users\Ed\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/01/22 20:27:00 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
    [2012/01/22 20:26:56 | 000,650,752 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
    [2012/01/22 20:26:56 | 000,243,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
    [2012/01/22 20:26:55 | 000,079,360 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
    [2012/01/08 16:56:06 | 000,007,600 | ---- | C] () -- C:\Users\Ed\AppData\Local\Resmon.ResmonCfg
    [2012/01/07 12:14:05 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
    [2012/01/07 12:12:22 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2012/01/07 12:12:18 | 000,078,336 | ---- | C] () -- C:\Windows\System32\drivers\dfsc.sys
    [2012/01/07 10:34:13 | 000,448,308 | ---- | C] () -- C:\Windows\System32\perfh00B.dat
    [2012/01/07 10:34:13 | 000,279,790 | ---- | C] () -- C:\Windows\System32\perfi00B.dat
    [2012/01/07 10:34:13 | 000,086,812 | ---- | C] () -- C:\Windows\System32\perfc00B.dat
    [2012/01/07 10:34:13 | 000,038,258 | ---- | C] () -- C:\Windows\System32\perfd00B.dat
    [2012/01/07 10:34:12 | 000,463,506 | ---- | C] () -- C:\Windows\System32\perfh014.dat
    [2012/01/07 10:34:12 | 000,392,790 | ---- | C] () -- C:\Windows\System32\prfh0404.dat
    [2012/01/07 10:34:12 | 000,376,688 | ---- | C] () -- C:\Windows\System32\prfh0804.dat
    [2012/01/07 10:34:12 | 000,298,300 | ---- | C] () -- C:\Windows\System32\perfi014.dat
    [2012/01/07 10:34:12 | 000,117,840 | ---- | C] () -- C:\Windows\System32\prfi0404.dat
    [2012/01/07 10:34:12 | 000,111,310 | ---- | C] () -- C:\Windows\System32\prfi0804.dat
    [2012/01/07 10:34:12 | 000,103,998 | ---- | C] () -- C:\Windows\System32\prfc0404.dat
    [2012/01/07 10:34:12 | 000,081,760 | ---- | C] () -- C:\Windows\System32\perfc014.dat
    [2012/01/07 10:34:12 | 000,036,156 | ---- | C] () -- C:\Windows\System32\perfd014.dat
    [2012/01/07 10:34:12 | 000,031,548 | ---- | C] () -- C:\Windows\System32\prfd0804.dat
    [2012/01/07 10:34:12 | 000,031,548 | ---- | C] () -- C:\Windows\System32\prfd0404.dat
    [2012/01/07 10:34:11 | 000,704,028 | ---- | C] () -- C:\Windows\System32\perfh010.dat
    [2012/01/07 10:34:11 | 000,658,756 | ---- | C] () -- C:\Windows\System32\perfh007.dat
    [2012/01/07 10:34:11 | 000,638,064 | ---- | C] () -- C:\Windows\System32\perfh005.dat
    [2012/01/07 10:34:11 | 000,335,478 | ---- | C] () -- C:\Windows\System32\perfi010.dat
    [2012/01/07 10:34:11 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
    [2012/01/07 10:34:11 | 000,292,004 | ---- | C] () -- C:\Windows\System32\perfi005.dat
    [2012/01/07 10:34:11 | 000,134,204 | ---- | C] () -- C:\Windows\System32\perfc007.dat
    [2012/01/07 10:34:11 | 000,126,452 | ---- | C] () -- C:\Windows\System32\perfc005.dat
    [2012/01/07 10:34:11 | 000,108,912 | ---- | C] () -- C:\Windows\System32\prfc0804.dat
    [2012/01/07 10:34:11 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
    [2012/01/07 10:34:11 | 000,037,534 | ---- | C] () -- C:\Windows\System32\perfd010.dat
    [2012/01/07 10:34:11 | 000,036,232 | ---- | C] () -- C:\Windows\System32\perfd005.dat
    [2012/01/07 10:34:10 | 000,709,350 | ---- | C] () -- C:\Windows\System32\perfh00C.dat
    [2012/01/07 10:34:10 | 000,414,656 | ---- | C] () -- C:\Windows\System32\perfh012.dat
    [2012/01/07 10:34:10 | 000,344,522 | ---- | C] () -- C:\Windows\System32\perfi00C.dat
    [2012/01/07 10:34:10 | 000,157,694 | ---- | C] () -- C:\Windows\System32\perfi012.dat
    [2012/01/07 10:34:10 | 000,134,804 | ---- | C] () -- C:\Windows\System32\perfc00C.dat
    [2012/01/07 10:34:10 | 000,131,808 | ---- | C] () -- C:\Windows\System32\perfc010.dat
    [2012/01/07 10:34:10 | 000,109,340 | ---- | C] () -- C:\Windows\System32\perfc012.dat
    [2012/01/07 10:34:10 | 000,038,160 | ---- | C] () -- C:\Windows\System32\perfd00C.dat
    [2012/01/07 10:34:10 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd012.dat
    [2012/01/07 10:01:56 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2012/01/06 19:20:36 | 000,451,072 | ---- | C] () -- C:\Windows\System32\ISSRemoveSP.exe
    [2011/04/20 01:21:02 | 000,037,376 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
    [2011/03/17 17:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\System32\atipblag.dat
    [2011/02/28 21:30:06 | 000,233,012 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat

    ========== LOP Check ==========

    [2012/02/24 22:17:10 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Blackberry Desktop
    [2012/01/08 12:40:03 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Foxit Software
    [2012/01/19 22:35:04 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Foxreal
    [2012/01/07 18:39:48 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\GHISLER
    [2012/02/17 17:09:45 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Helios
    [2012/01/31 21:53:37 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\MrSmooth.1F1C2CE6230412E7752D206B573506D8446D8E6A.1
    [2012/02/24 23:01:35 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Nokia
    [2012/02/24 23:01:36 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Nokia Suite
    [2012/01/29 17:07:26 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Ousetech
    [2012/02/24 22:59:09 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\PC Suite
    [2012/02/24 22:11:33 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Research In Motion
    [2012/02/01 22:42:55 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\River Past G2
    [2012/02/18 11:19:03 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Scooter Software
    [2012/01/07 17:41:42 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Thunderbird
    [2012/02/07 01:19:54 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\TrueCrypt
    [2012/02/28 22:42:52 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\uTorrent
    [2012/02/11 12:18:29 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Vso
    [2012/02/27 16:49:12 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Windows Live Writer
    [2012/02/27 13:20:46 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Xilisoft
    [2012/01/24 21:28:13 | 000,000,000 | ---D | M] -- C:\Users\Ed\AppData\Roaming\Youtube Downloader HD
    [2009/07/14 04:53:46 | 000,026,404 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2012/03/01 18:17:21 | 000,000,404 | ---- | M] () -- C:\blitzblank.log
    [2012/02/14 13:27:24 | 002,312,729 | ---- | M] () -- C:\CIMG5846.JPG
    [2012/02/14 13:27:42 | 002,288,281 | ---- | M] () -- C:\CIMG5847.JPG
    [2012/02/14 13:27:46 | 002,346,306 | ---- | M] () -- C:\CIMG5848.JPG
    [2012/03/01 17:47:31 | 000,019,585 | ---- | M] () -- C:\ComboFix.txt
    [2009/06/10 21:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2012/02/14 13:35:43 | 000,225,357 | ---- | M] () -- C:\drains enter here.jpg
    [2012/02/14 13:36:49 | 000,227,764 | ---- | M] () -- C:\enters sink waste here.jpg
    [2012/03/01 18:17:52 | 2212,306,944 | -HS- | M] () -- C:\hiberfil.sys
    [2012/03/01 18:17:51 | 2949,742,592 | -HS- | M] () -- C:\pagefile.sys
    [2012/02/14 13:36:19 | 000,218,793 | ---- | M] () -- C:\spaghetti.jpg

    < %systemroot%\Fonts\*.com >
    [2009/07/14 04:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/14 04:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/14 04:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/14 04:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 21:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2009/06/22 18:58:20 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\HPZPPLHN.DLL
    [2009/07/14 01:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll
    [2010/11/20 12:21:36 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\winprint.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/14 04:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2012/01/07 15:29:24 | 000,000,221 | -HS- | M] () -- C:\Users\Ed\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/02/29 18:35:04 | 004,420,481 | R--- | M] (Swearware) -- C:\Users\Ed\Desktop\ComboFix.exe
    [1999/08/17 15:45:32 | 000,581,632 | ---- | M] (Joshua F. Madison) -- C:\Users\Ed\Desktop\CONVERT.EXE
    [2012/03/01 18:28:44 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\Ed\Desktop\OTL.exe
    [2012/02/29 12:32:14 | 000,302,592 | ---- | M] () -- C:\Users\Ed\Desktop\p5vthjdp.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012/03/01 18:18:17 | 000,000,874 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/03/01 18:20:01 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/03/01 18:17:55 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2009/07/14 04:53:46 | 000,026,404 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 21:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2012/01/07 15:27:52 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
    [2012/01/07 15:27:52 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
    [2012/01/07 15:27:51 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
    [2012/01/07 15:27:52 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs
    [2012/01/07 15:27:51 | 000,786,432 | ---- | M] () -- C:\Windows\SECURITY\Database\edbtmp.log
    [2012/01/07 15:27:52 | 001,056,768 | ---- | M] () -- C:\Windows\SECURITY\Database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2012/01/07 15:29:22 | 000,000,402 | -HS- | M] () -- C:\Users\Ed\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2012/02/02 21:31:17 | 000,001,534 | ---- | M] () -- C:\ProgramData\ss.ini

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:7BB5E748

    < End of report >
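The OTL report above lists every hit as `[date | size | attributes | C/M] (company) -- path` and every alternate data stream as `@Alternate Data Stream - N bytes -> path:stream`. Reading thousands of such lines by eye is how helpers triage these threads, but the format is regular enough to parse. The following is an added example, not part of RedEd's post or of the OTL tool: it parses a handful of lines copied from the log above (embedded as constructed sample input), turns them into records, and applies one simple triage rule (executable extension, user-writable or drive-root location, no company name in the version resource). The regexes, the `Entry`/`Stream` names and the list of user-writable prefixes are this example's own assumptions about the format, not anything OTL documents. A flag is a cue to look closer, not a verdict: renamed scanner binaries and other legitimate unsigned tools on a Desktop trip the same rule, and the helper in this thread judged these logs clean.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# OTL file/folder entry, e.g.
# [2012/02/29 12:32:14 | 000,302,592 | ---- | M] () -- C:\Users\Ed\Desktop\p5vthjdp.exe
# Assumed field order: timestamp | size | attribute flags (R H S D) | C=created / M=modified date.
ENTRY_RE = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)
# OTL alternate data stream entry, e.g.
# @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:7BB5E748
ADS_RE = re.compile(r"^\s*@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+?)\s*$")

# Extensions Windows will execute directly; .sys is left out so the legitimate
# hiberfil.sys / pagefile.sys in the drive root are not flagged.
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd")
# Locations a standard user can write to (assumption for this heuristic).
USER_WRITABLE_PREFIXES = (r"c:\users" + "\\", r"c:\programdata" + "\\", r"c:\windows\temp" + "\\")


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str      # four flag positions: R(ead-only) H(idden) S(ystem) D(irectory)
    kind: str       # 'C' = created date shown, 'M' = modified date shown
    company: str    # company name from the file's version resource, '' if none
    path: str

    @property
    def is_directory(self) -> bool:
        return "D" in self.attrs


@dataclass
class Stream:
    size: int
    path: str       # file path followed by ':' and the stream name


def parse_otl(text: str) -> Tuple[List[Entry], List[Stream]]:
    """Parse OTL file entries and ADS lines; unrelated lines (headers, probes) are skipped."""
    entries: List[Entry] = []
    streams: List[Stream] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                timestamp=m["ts"],
                size=int(m["size"].replace(",", "")),   # "2212,306,944" -> 2212306944
                attrs=m["attrs"],
                kind=m["kind"],
                company=m["company"].strip(),
                path=m["path"],
            ))
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append(Stream(size=int(m["size"]), path=m["path"]))
    return entries, streams


def flag_entries(entries: List[Entry]) -> List[Entry]:
    """Triage rule: executable, in a user-writable path or the drive root, and no company name."""
    flagged = []
    for e in entries:
        if e.is_directory:
            continue
        lower = e.path.lower()
        if not lower.endswith(EXEC_EXTS):
            continue
        in_drive_root = lower.count("\\") == 1          # e.g. C:\something.exe
        if (lower.startswith(USER_WRITABLE_PREFIXES) or in_drive_root) and not e.company:
            flagged.append(e)
    return flagged


# Constructed sample: a few lines copied from the OTL log in this thread.
SAMPLE_LOG = r"""
    < %USERPROFILE%\Desktop\*.exe >
    [2012/02/29 18:35:04 | 004,420,481 | R--- | M] (Swearware) -- C:\Users\Ed\Desktop\ComboFix.exe
    [1999/08/17 15:45:32 | 000,581,632 | ---- | M] (Joshua F. Madison) -- C:\Users\Ed\Desktop\CONVERT.EXE
    [2012/03/01 18:28:44 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\Ed\Desktop\OTL.exe
    [2012/02/29 12:32:14 | 000,302,592 | ---- | M] () -- C:\Users\Ed\Desktop\p5vthjdp.exe

    < %SYSTEMDRIVE%\*.* >
    [2012/03/01 18:17:52 | 2212,306,944 | -HS- | M] () -- C:\hiberfil.sys
    [2012/01/07 15:29:24 | 000,000,221 | -HS- | M] () -- C:\Users\Ed\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:7BB5E748
"""

if __name__ == "__main__":
    found, ads = parse_otl(SAMPLE_LOG)
    for e in flag_entries(found):
        print(f"look closer: {e.path} ({e.size} bytes, no company name)")
    for s in ads:
        print(f"alternate data stream: {s.path} ({s.size} bytes)")
```

Run it as a script against a saved OTL.txt by reading the file into `parse_otl` instead of `SAMPLE_LOG`; the only hit on the sample is the no-company executable on the Desktop, and the ADS on `C:\ProgramData\TEMP` is reported separately because a stream on a file in ProgramData is worth inspecting regardless of the file's own extension.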
  18. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    OTL Extras logfile created on: 01/03/2012 18:45:31 - Run 1
    OTL by OldTimer - Version 3.2.34.0 Folder = C:\Users\Ed\Desktop
    Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.75 Gb Total Physical Memory | 1.61 Gb Available Physical Memory | 58.64% Memory free
    5.49 Gb Paging File | 4.31 Gb Available in Paging File | 78.51% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 114.40 Gb Total Space | 63.19 Gb Free Space | 55.24% Space Free | Partition Type: NTFS

    Computer Name: ED-PC | User Name: Ed | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-772813580-1867907093-3800966155-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29
    "{2BC12CCD-D362-4385-A974-6FA545FC2BBA}" = TUSB3410
    "{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4AA68A73-DB9C-439D-9481-981C82BD008B}" = Nokia Connectivity Cable Driver
    "{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
    "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
    "{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
    "{611E3800-CE31-4953-8AD4-5657B6EE7ACF}" = Oracle VM VirtualBox 4.1.8
    "{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}" = Acronis*True*Image*Home
    "{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
    "{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.0.0
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
    "{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
    "{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
    "{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
    "{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
    "{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
    "{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
    "{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
    "{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
    "{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
    "{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
    "{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2010
    "{90140000-003B-0000-0000-0000000FF1CE}_Office14.PRJPRO_{8A8F117F-8EDB-440D-B679-F08909D729F7}" = Microsoft Project 2010 Service Pack 1 (SP1)
    "{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
    "{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
    "{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
    "{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2010
    "{90140000-00B4-0409-0000-0000000FF1CE}_Office14.PRJPRO_{18A0C151-8F8A-4B68-A960-60C464B94329}" = Microsoft Project 2010 Service Pack 1 (SP1)
    "{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
    "{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
    "{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
    "{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
    "{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{92D1CEBC-7C72-4ECF-BFC6-C131EF3FE6A7}" = Nokia Suite
    "{942E5031-2BD6-4C1B-918C-C8A1CBAE7B8C}" = Microsoft IntelliPoint 8.2
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9BD2DD45-8763-4F12-BDC6-958FCFEF0FCB}" = Microsoft IntelliType Pro 8.2
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9C049499-055C-4a0c-A916-1D12314F45EB}" = REALTEK Wireless LAN Driver and Utility
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{A2AA4204-C05A-4013-888A-AD153139297F}" = PC Connectivity Solution
    "{A344FC3A-9422-4676-A1A6-43D1F9840A5C}" = ReliefJet Essentials for Outlook
    "{A436F67F-687E-4736-BD2B-537121A804CF}" = HP Product Detection
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
    "{AF81A6CC-F27F-2E0C-8B9A-5F6DA8687E0E}" = MrSmooth
    "{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
    "{B405BC85-533C-4D65-A1BC-19294266C9D6}" = Foxit PhantomPDF
    "{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
    "{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
    "{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.9.322
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E3B64CC5-C011-40C0-92BC-7316CD5E5688}" = Microsoft_VC100_CRT_SP1_x86
    "{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module
    "{F909BB1B-3FC1-4EDA-AF1F-8F1A89163591}" = BlackBerry Desktop Software 6.1
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    "5Spice Analysis_is1" = 5Spice Analysis 1.65
    "7-Zip" = 7-Zip 9.20
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "BlackBerry_Desktop" = BlackBerry Desktop Software 6.1
    "File Shredder_is1" = File Shredder 2.0
    "IMAPSize_is1" = IMAPSize 0.3.7
    "InstallShield_{2BC12CCD-D362-4385-A974-6FA545FC2BBA}" = Texas Instruments TUSB3410 drivers.
    "KLiteCodecPack_is1" = K-Lite Codec Pack 8.1.0 (Full)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft IntelliPoint 8.2" = Microsoft IntelliPoint 8.2
    "Microsoft IntelliType Pro 8.2" = Microsoft IntelliType Pro 8.2
    "MozBackup" = MozBackup 1.5.1
    "Mozilla Firefox 9.0.1 (x86 en-GB)" = Mozilla Firefox 9.0.1 (x86 en-GB)
    "Mozilla Thunderbird 10.0.2 (x86 en-GB)" = Mozilla Thunderbird 10.0.2 (x86 en-GB)
    "Mr Smooth_is1" = Mr Smooth v1.0
    "Nokia Suite" = Nokia Suite
    "Office14.PRJPRO" = Microsoft Project Professional 2010
    "Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
    "Polipo" = Polipo 1.0.4.1
    "ST6UNST #1" = Pool-Mate Pro Vista and Windows 7
    "ST6UNST #2" = Pool-Mate Pro Vista and Windows 7 (C:\Program Files\Pool-Mate Pro\)
    "Tor" = Tor 0.2.2.35
    "Totalcmd" = Total Commander (Remove or Repair)
    "TrueCrypt" = TrueCrypt
    "uTorrent" = µTorrent
    "Vidalia" = Vidalia 0.2.15
    "VirtualCloneDrive" = VirtualCloneDrive
    "WinLiveSuite" = Windows Live Essentials
    "Youtube Downloader HD_is1" = Youtube Downloader HD v. 2.8

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-772813580-1867907093-3800966155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "BeyondCompare3_is1" = Beyond Compare Version 3.3.3
    "d4f409e375485076" = Pool-Mate Link
    "Xilisoft Video Converter Ultimate 6" = Xilisoft Video Converter Ultimate 6

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 29/02/2012 12:45:55 | Computer Name = Ed-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
    time stamp: 0x4d76255d Faulting module name: ntdll.dll, version: 6.1.7601.17725,
    time stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x00047732 Faulting
    process id: 0x324c Faulting application start time: 0x01ccf701992176c7 Faulting application
    path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: d892f972-62f4-11e1-bd6a-6cf0497d448b

    Error - 29/02/2012 13:44:49 | Computer Name = Ed-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
    time stamp: 0x4d76255d Faulting module name: ntdll.dll, version: 6.1.7601.17725,
    time stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x00047732 Faulting
    process id: 0x3764 Faulting application start time: 0x01ccf709d49edd46 Faulting application
    path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: 135b1709-62fd-11e1-bd6a-6cf0497d448b

    Error - 29/02/2012 14:12:32 | Computer Name = Ed-PC | Source = Microsoft-Windows-CAPI2 | ID = 4101
    Description = Failed auto update retrieval of third-party root certificate from:
    <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F.crt>
    with error: 12030 (0x2efe).

    Error - 29/02/2012 14:12:32 | Computer Name = Ed-PC | Source = Microsoft-Windows-CAPI2 | ID = 4101
    Description = Failed auto update retrieval of third-party root certificate from:
    <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F.crt>
    with error: 12030 (0x2efe).

    Error - 29/02/2012 15:38:46 | Computer Name = Ed-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
    time stamp: 0x4d76255d Faulting module name: ntdll.dll, version: 6.1.7601.17725,
    time stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x00047732 Faulting
    process id: 0x1574 Faulting application start time: 0x01ccf719bbee9cee Faulting application
    path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: fe2728b4-630c-11e1-931d-6cf0497d448b

    Error - 29/02/2012 19:13:39 | Computer Name = Ed-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: handle.3XE, version: 3.42.0.0, time stamp:
    0x492312a9 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp:
    0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x00072840 Faulting process id:
    0x1e70 Faulting application start time: 0x01ccf737be8a4e07 Faulting application path:
    C:\ComboFix\handle.3XE Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report
    Id: 031e6f62-632b-11e1-a9d3-6cf0497d448b

    Error - 29/02/2012 20:30:59 | Computer Name = Ed-PC | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\Research
    In Motion\BlackBerry Desktop\MailServerMAPIProxy64.exe". Dependent Assembly Microsoft.VC90.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 29/02/2012 20:31:10 | Computer Name = Ed-PC | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\Common
    Files\Research In Motion\AppLoader\MailServerMAPIProxy64.exe". Dependent Assembly
    Microsoft.VC90.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 29/02/2012 20:33:40 | Computer Name = Ed-PC | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\Research
    In Motion\BlackBerry Desktop\MailServerMAPIProxy64.exe". Dependent Assembly Microsoft.VC90.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 29/02/2012 20:33:44 | Computer Name = Ed-PC | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\Common
    Files\Research In Motion\AppLoader\MailServerMAPIProxy64.exe". Dependent Assembly
    Microsoft.VC90.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    [ System Events ]
    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The Si3132r5 service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The Wlancig service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The Ltxred service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The 3dkeybd service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The Rdpnp service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The CdaD10BA service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The SenFiltService service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The SrvcEPIOMngr service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The Aw_host service terminated with the following error: %%126

    Error - 01/03/2012 14:17:56 | Computer Name = Ed-PC | Source = Service Control Manager | ID = 7023
    Description = The Ma_cmidi_installerservice service terminated with the following
    error: %%126


    < End of report >
  19. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    I can't proceed.
    You didn't say:
  20. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    It seems OK.
  21. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Good news :)

    You can reinstall AVG now.

    OTL logs are clean.

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ===================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce any log.
  22. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    Results of screen317's Security Check version 0.99.24
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG 2012
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 31
    Adobe Flash Player 11.1.102.55
    Mozilla Firefox (x86 en-GB..)
    Mozilla Thunderbird (x86 en-GB..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamservice.exe
    AVG avgwdsvc.exe
    AVG avgtray.exe
    ``````````End of Log````````````
  23. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    Farbar Service Scanner Version: 01-03-2012
    Ran by Ed (administrator) on 01-03-2012 at 19:33:53
    Running from "C:\Users\Ed\Desktop"
    Microsoft Windows 7 Ultimate Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
  24. RedEd

    RedEd Newcomer, in training Topic Starter Posts: 45

    C:\Qoobox\Quarantine\C\Windows\System32\W2ww4sH.com.vir a variant of Win32/Kryptik.ABPV trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\AppData\Local\wemneka.dll.vir Win32/TrojanProxy.Agent.NIK trojan cleaned by deleting - quarantined
    C:\Users\Ed\Desktop\RK_Quarantine\setup.exe.vir a variant of Win32/Kryptik.ABSQ trojan cleaned by deleting - quarantined
    C:\Users\Ed\Downloads\Reliefjet_essentials_for_serial_keygen_by_FFF.zip a variant of Win32/Kryptik.ABOJ trojan deleted - quarantined
    C:\Windows\System32\AtlsAud.dll probably a variant of Win32/Sirefef.ER trojan cleaned by deleting - quarantined
    C:\Windows\System32\cltnetcnservice.dll probably a variant of Win32/Sirefef.ER trojan cleaned by deleting (after the next restart) - quarantined
    C:\Windows\System32\drivers\dfsc.sys a variant of Win32/Rootkit.Kryptik.JV trojan unable to clean
    C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys a variant of Win32/Rootkit.Kryptik.JV trojan cleaned by deleting (after the next restart) - quarantined
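A small triage helper, added here as an example and not part of the thread or of ESET's tooling: it parses export lines shaped like the ones above ("<path> <detection> <action>") and sorts each hit into a status, so that entries ESET could not clean, or only cleans after a reboot, are not lost among the quarantined ones. The action phrases, the quarantine-folder heuristic (Qoobox, RK_Quarantine) and the function names are assumptions drawn from this log, not an ESET specification.

```python
import re
from dataclasses import dataclass

# Line shape inferred from the ESET export quoted above: "<path> <detection> <action>";
# the action phrases and the quarantine-folder heuristic are assumptions, not ESET's spec.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/[\w.]+ \w+)\s+"
    r"(?P<action>cleaned by deleting(?: \(after the next restart\))? - quarantined"
    r"|deleted - quarantined|unable to clean)$"
)
QUARANTINE_DIRS = ("\\qoobox\\", "_quarantine\\")  # other tools' quarantine folders, per the paths above

@dataclass
class Finding:
    path: str
    detection: str
    action: str
    status: str  # needs_followup | pending_reboot | already_contained | cleaned

def classify(path: str, action: str) -> str:
    if action == "unable to clean":
        return "needs_followup"       # the file is still live on disk
    if "after the next restart" in action:
        return "pending_reboot"       # deletion deferred until reboot
    if any(d in path.lower() for d in QUARANTINE_DIRS):
        return "already_contained"    # hit inside another tool's quarantine
    return "cleaned"

def parse_eset_log(text: str) -> list:
    findings = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line}")
        findings.append(Finding(m["path"], m["detection"], m["action"],
                                classify(m["path"], m["action"])))
    return findings

def followups(findings: list) -> list:
    # Paths still needing attention: not cleaned, or cleanup deferred to reboot.
    return [f.path for f in findings if f.status in ("needs_followup", "pending_reboot")]

# Sample input: four lines taken from the export posted in this thread.
SAMPLE = r"""
C:\Qoobox\Quarantine\C\Windows\System32\W2ww4sH.com.vir a variant of Win32/Kryptik.ABPV trojan cleaned by deleting - quarantined
C:\Users\Ed\Downloads\Reliefjet_essentials_for_serial_keygen_by_FFF.zip a variant of Win32/Kryptik.ABOJ trojan deleted - quarantined
C:\Windows\System32\cltnetcnservice.dll probably a variant of Win32/Sirefef.ER trojan cleaned by deleting (after the next restart) - quarantined
C:\Windows\System32\drivers\dfsc.sys a variant of Win32/Rootkit.Kryptik.JV trojan unable to clean
"""
```

Running `followups(parse_eset_log(SAMPLE))` returns the two System32 paths, which is exactly the pair a helper would want to re-check after the reboot rather than treat as closed.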
  25. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.

