Solved Funmoods and redirect troubles

Mister Ed

Posts: 70   +0
Somehow I have picked up Funmoods and cannot get rid of it. I uninstalled it ... but it is still there and will not let me change my primary search provider. Also started to see some redirect issues in Internet Explorer.

Here is the MalwareBytes log (it was a full scan, I had completed it prior to realizing I needed to come to this site for help):
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.07.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ed :: ED-NXAIBJWWPXN5 [administrator]
11/7/2012 8:20:38 PM
mbam-log-2012-11-07 (20-20-38).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 288255
Time elapsed: 5 hour(s), 9 minute(s), 32 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 12
HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: af47eb11d2c194b396ff726a469ec377 -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 15
C:\Documents and Settings\Ed\My Documents\Downloads\JDast_installer.exe (Trojan.AVKill) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033402.exe (Trojan.AVKill) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033426.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033427.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033428.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033429.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033432.exe (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP299\A0033486.exe (Trojan.AVKill) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\is263093\escort.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\is263093\escortApp.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\is263093\escortEng.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\is263093\escorTlbr.dll (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\is263093\funmoodssrv.exe (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ed\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ed\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
(end)
GMER Log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-11-08 20:23:13
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-75DEA0 rev.05.03E05
Running: rr94c86h.exe; Driver: C:\WINDOWS\TEMP\awaiyuoc.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip GDTdiIcpt.sys (G Data Software AG)
Device \Driver\Tcpip \Device\Tcp GDTdiIcpt.sys (G Data Software AG)
Device \Driver\Tcpip \Device\Udp GDTdiIcpt.sys (G Data Software AG)
Device \Driver\Tcpip \Device\RawIp GDTdiIcpt.sys (G Data Software AG)
---- EOF - GMER 1.0.15 ----

DDS Logs:

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Ed at 20:26:30 on 2012-11-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.469 [GMT -5:00]
.
AV: G Data TotalSecurity 2012 *Enabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: G Data Personal Firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
mStart Page = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0CtDtA0FtD0EyEtC0D0B0F0Ezy0B0BzytN0D0Tzu0CtAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: G Data WebFilter: {0124123D-61B4-456f-AF86-78C53A0790C5} - c:\program files\g data\totalsecurity\webfilter\AvkWebIE.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: G Data BankGuard: {BA3295CF-17ED-4F49-9E95-D999A0ADBFDC} - c:\program files\common files\g data\avkproxy\BanksafeBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: G Data WebFilter: {0124123D-61B4-456f-AF86-78C53A0790C5} - c:\program files\g data\totalsecurity\webfilter\AvkWebIE.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [G Data AntiVirus Tray Application] c:\program files\g data\totalsecurity\avktray\AVKTray.exe
mRun: [GDFirewallTray] c:\program files\g data\totalsecurity\firewall\GDFirewallTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{5A0DE531-0B77-487D-B443-F8C892D9FD93} : DHCPNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2012-2-11 40440]
R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2012-2-11 30200]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2012-2-11 79992]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2012-2-12 69112]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2012-2-11 40568]
R2 AVKProxy;G Data AntiVirus Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2011-5-3 1499656]
R2 AVKService;G Data Scheduler;c:\program files\g data\totalsecurity\avk\AVKService.exe [2011-5-3 409608]
R2 AVKWCtl;G Data Filesystem Monitor;c:\program files\g data\totalsecurity\avk\AVKWCtl.exe [2011-5-3 1554184]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2012-2-11 52216]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-7 399432]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
R3 GDFwSvc;G Data Personal Firewall;c:\program files\g data\totalsecurity\firewall\GDFwSvc.exe [2011-5-3 1613424]
R3 GDScan;G Data Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2011-5-3 457536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-11-7 22856]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-11-7 676936]
S3 GDBackupSvc;G Data Backup Service;c:\program files\g data\totalsecurity\avkbackup\AVKBackupService.exe [2011-5-3 1498616]
S3 GDTunerSvc;G Data Tuner Service;c:\program files\g data\totalsecurity\avktuner\AVKTunerService.exe [2011-5-3 960504]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-2-4 16968]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-11-08 18:03:37 -------- d-----w- c:\program files\MSXML 4.0
2012-11-08 18:01:30 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-08 17:31:09 -------- d-----w- c:\program files\Microsoft Download Manager
2012-11-07 16:42:34 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-07 02:41:14 -------- d-----w- c:\documents and settings\ed\application data\Funmoods
2012-11-07 02:20:41 -------- d-----w- c:\documents and settings\ed\application data\jdnetmon
2012-11-07 01:53:58 -------- d-----w- c:\documents and settings\ed\application data\jdast
2012-11-07 01:53:57 -------- d-----w- c:\program files\JDAST
2012-11-07 01:52:02 -------- d-----w- c:\documents and settings\ed\local settings\application data\Wajam
2012-10-21 15:40:28 -------- d-----w- c:\program files\common files\Symantec Shared
2012-10-21 15:40:04 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-10-21 15:39:57 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2012-10-10 03:05:04 -------- d-----w- C:\128908204b16f6cc63734c
.
==================== Find3M ====================
.
2012-11-08 18:00:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-08 18:00:58 473072 -c--a-w- c:\windows\system32\deployJava1.dll
2012-11-08 06:48:15 858424 -c--a-w- c:\windows\system32\sig.bin
2012-10-09 17:00:21 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 17:00:21 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 17:01:22 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 17:01:22 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-21 13:29:19 2192896 -c--a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:06 2069632 -c--a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 20:27:26.09 ===============
And:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-07.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/20/2009 8:51:45 PM
System Uptime: 11/8/2012 12:16:24 PM (8 hours ago)
.
Motherboard: Dell Computer Corp. | | 02Y832
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2660/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 17.015 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01551028&REV_02\4&1C660DD6&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01551028&REV_02\4&1C660DD6&0&40F0
Service: E100B
.
==== System Restore Points ===================
.
RP281: 10/19/2012 6:25:49 AM - System Checkpoint
RP282: 10/20/2012 6:49:35 AM - System Checkpoint
RP283: 10/21/2012 7:38:44 AM - System Checkpoint
RP284: 10/22/2012 7:56:36 AM - System Checkpoint
RP285: 10/23/2012 8:14:43 AM - System Checkpoint
RP286: 10/24/2012 9:42:22 AM - System Checkpoint
RP287: 10/25/2012 10:40:31 AM - System Checkpoint
RP288: 10/26/2012 11:52:13 AM - System Checkpoint
RP289: 10/27/2012 12:08:55 PM - System Checkpoint
RP290: 10/28/2012 12:17:37 PM - System Checkpoint
RP291: 10/29/2012 12:49:49 PM - System Checkpoint
RP292: 10/30/2012 1:49:19 PM - System Checkpoint
RP293: 10/31/2012 2:44:09 PM - System Checkpoint
RP294: 11/1/2012 5:53:22 PM - System Checkpoint
RP295: 11/2/2012 6:01:31 PM - System Checkpoint
RP296: 11/3/2012 6:08:02 PM - System Checkpoint
RP297: 11/4/2012 6:20:18 PM - System Checkpoint
RP298: 11/5/2012 6:25:17 PM - System Checkpoint
RP299: 11/6/2012 10:47:09 PM - System Checkpoint
RP300: 11/8/2012 3:00:20 AM - Software Distribution Service 3.0
RP301: 11/8/2012 12:31:07 PM - Installed Microsoft Download Manager
RP302: 11/8/2012 1:03:35 PM - Installed MSXML 4.0 SP3 Parser
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4)
Adobe Shockwave Player 11.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AVG 2012
Bonjour
Canon Camera Access Library
CANON iMAGE GATEWAY MyCamera Download Plugin
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow Launcher
Canon Utilities Digital Photo Professional 3.10
Canon Utilities EOS Utility
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities ZoomBrowser EX
CCleaner
Compatibility Pack for the 2007 Office system
Dell Picture Studio - Dell Image Expert
G Data TotalSecurity 2012
Google Earth Plug-in
Google SketchUp 8
Google Toolbar for Internet Explorer
Google Update Helper
H&R Block Deluxe + Efile + State 2010
H&R Block Deluxe + Efile + State 2011
H&R Block Michigan 2010
H&R Block Michigan 2011
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB954550-v5)
ieSpell
Intel(R) PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 37
JDs Auto Speed Tester
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft ASP.NET Web Pages
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Download Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office File Validation Add-In
Microsoft Silverlight
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server System CLR Types
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
NVIDIA Windows 2000/XP Display Drivers
Primo
QuickTime
Registry Mechanic 10.0
Runtime
Secunia PSI (2.0.0.4003)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923789)
Sony Picture Utility
SoundMAX
swMSM
Uniblue SpeedUpMyPC
Uniblue SystemTweaker
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951978)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
11/8/2012 12:13:16 PM, error: Service Control Manager [7034] - The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).
11/8/2012 1:21:28 PM, error: Service Control Manager [7031] - The G Data AntiVirus Proxy service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/5/2012 5:21:42 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The authentication service is unknown.
11/5/2012 3:40:15 PM, error: Service Control Manager [7034] - The Secunia Update Agent service terminated unexpectedly. It has done this 1 time(s).
11/5/2012 3:40:15 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
11/5/2012 3:40:14 PM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
11/5/2012 3:40:13 PM, error: Service Control Manager [7034] - The Secunia PSI Agent service terminated unexpectedly. It has done this 1 time(s).
11/5/2012 3:40:13 PM, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
11/5/2012 3:40:13 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/5/2012 3:40:13 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
11/5/2012 3:40:10 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
.
==== End Of File ===========================
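As an added example (not part of the original thread, and not code from Malwarebytes or DDS), the script below triages the two logs above offline. It parses the Malwarebytes detection lines into (section, location, family, action) records, counts them per family with the log's inconsistent casing (PUP.Funmoods vs PUP.FunMoods) folded together, and then checks the DDS "Pseudo HJT Report" for start/search page settings whose host is not on an allowlist. The point it surfaces: the DDS run came after the Malwarebytes clean, yet mStart Page still points at searchfunmoods.com, so the machine-level IE start page is still hijacked even though the CLSID, BHO and Chrome extension keys were quarantined. The allowlist, the shortened cd= token in the sample, and the u/m prefix mapping (DDS convention: u = HKCU, m = HKLM) are assumptions; the sample lines are copied from the logs above.

```python
"""Offline triage of the Malwarebytes and DDS logs posted above.

Added example, not part of the original thread and not code from
Malwarebytes or DDS. Allowlist and the shortened sample are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample lines copied from the Malwarebytes log above (subset only).
MBAM_SAMPLE = r"""
Registry Keys Detected: 12
HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: af47eb11d2c194b396ff726a469ec377 -> Quarantined and deleted successfully.
Files Detected: 15
C:\Documents and Settings\Ed\My Documents\Downloads\JDast_installer.exe (Trojan.AVKill) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\is263093\funmoodssrv.exe (PUP.FunMoods) -> Quarantined and deleted successfully.
(No malicious items detected)
"""

# DDS Pseudo-HJT lines from above; the long cd= token is shortened here.
HJT_SAMPLE = r"""
uStart Page = hxxps://www.google.com/
mStart Page = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu&cr=152496871
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
TCP: NameServer = 192.168.1.1
"""

# Assumed allowlist: the search providers the owner actually chose.
ALLOWED_HOSTS = {"www.google.com", "google.com", "www.bing.com"}

SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<n>\d+)$")
# Malwarebytes 1.x line shape: <location> (<family>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
KEYVAL_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.+)$")
# DDS prefixes the hive onto the setting name: u = HKCU, m = HKLM (assumed convention).
HIVE = {"u": "HKCU", "m": "HKLM"}
PAGE_KEYS = ("Start Page", "Default_Page_URL", "Search")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m:
            records.append({"section": section, **m.groupdict()})
    return records


def summarize(records):
    """Count detections per family, folding case variants of a name together."""
    canonical, counts = {}, Counter()
    for rec in records:
        key = rec["family"].lower()
        canonical.setdefault(key, rec["family"])  # first spelling seen wins
        counts[canonical[key]] += 1
    return counts


def refang(value):
    """Undo the hxxp defanging DDS applies and drop surrounding quotes."""
    return re.sub(r"^hxxp", "http", value.strip().strip('"'), flags=re.I)


def flag_browser_pages(text, allowed_hosts):
    """List start/search page settings whose host is not on the allowlist."""
    flagged = []
    for line in text.splitlines():
        m = KEYVAL_RE.match(line.strip())
        if not m or not any(k in m.group("key") for k in PAGE_KEYS):
            continue
        url = refang(m.group("value"))
        if not re.match(r"^https?://", url, flags=re.I):
            continue  # not a URL-valued setting
        host = (urlsplit(url).hostname or "").lower()
        if host not in allowed_hosts:
            key = m.group("key")
            flagged.append({"key": key, "hive": HIVE.get(key[0], "?"), "host": host, "url": url})
    return flagged


if __name__ == "__main__":
    dets = parse_mbam_log(MBAM_SAMPLE)
    for family, n in summarize(dets).most_common():
        print(f"{n:3d}  {family}")
    for hit in flag_browser_pages(HJT_SAMPLE, ALLOWED_HOSTS):
        print(f"still hijacked: {hit['key']} ({hit['hive']}) -> {hit['host']}")
```

Run against the full logs, the second loop prints the one line that matters for this thread: the HKLM start page still resolves to searchfunmoods.com, which is why removal continues with the tools the helper lists next rather than stopping at the Malwarebytes result.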
 
Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

=====================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

===================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
TDS Log:
11:15:08.0625 4080 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
11:15:10.0625 4080 ============================================================
11:15:10.0625 4080 Current date / time: 2012/11/09 11:15:10.0625
11:15:10.0625 4080 SystemInfo:
11:15:10.0625 4080
11:15:10.0625 4080 OS Version: 5.1.2600 ServicePack: 3.0
11:15:10.0625 4080 Product type: Workstation
11:15:10.0625 4080 ComputerName: ED-NXAIBJWWPXN5
11:15:10.0625 4080 UserName: Ed
11:15:10.0625 4080 Windows directory: C:\WINDOWS
11:15:10.0625 4080 System windows directory: C:\WINDOWS
11:15:10.0625 4080 Processor architecture: Intel x86
11:15:10.0625 4080 Number of processors: 1
11:15:10.0625 4080 Page size: 0x1000
11:15:10.0625 4080 Boot type: Normal boot
11:15:10.0625 4080 ============================================================
11:15:12.0937 4080 Drive \Device\Harddisk0\DR0 - Size: 0x9502F9000 (37.25 Gb), SectorSize: 0x200, Cylinders: 0x12FF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:15:12.0968 4080 ============================================================
11:15:12.0968 4080 \Device\Harddisk0\DR0:
11:15:12.0968 4080 MBR partitions:
11:15:12.0968 4080 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x4A69BB9
11:15:12.0968 4080 ============================================================
11:15:13.0046 4080 C: <-> \Device\Harddisk0\DR0\Partition1
11:15:13.0046 4080 ============================================================
11:15:13.0046 4080 Initialize success
11:15:13.0046 4080 ============================================================
11:15:15.0109 3104 ============================================================
11:15:15.0109 3104 Scan started
11:15:15.0109 3104 Mode: Manual;
11:15:15.0109 3104 ============================================================
11:15:16.0937 3104 ================ Scan system memory ========================
11:15:16.0937 3104 System memory - ok
11:15:16.0953 3104 ================ Scan services =============================
11:15:18.0187 3104 [ F82AB4A2A26E172B929D27D60B637973 ] 3c1807pd C:\WINDOWS\system32\DRIVERS\3c1807pd.sys
11:15:18.0250 3104 3c1807pd - ok
11:15:18.0265 3104 Abiosdsk - ok
11:15:18.0265 3104 abp480n5 - ok
11:15:18.0343 3104 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:15:18.0421 3104 ACPI - ok
11:15:18.0500 3104 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
11:15:18.0500 3104 ACPIEC - ok
11:15:18.0687 3104 [ 44C00A385CA9DBC1D5CF3781F8C26AEA ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
11:15:18.0765 3104 AdobeFlashPlayerUpdateSvc - ok
11:15:18.0781 3104 adpu160m - ok
11:15:18.0875 3104 [ 11C04B17ED2ABBB4833694BCD644AC90 ] aeaudio C:\WINDOWS\system32\drivers\aeaudio.sys
11:15:18.0875 3104 aeaudio - ok
11:15:18.0906 3104 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
11:15:18.0937 3104 aec - ok
11:15:19.0000 3104 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
11:15:19.0062 3104 AFD - ok
11:15:19.0078 3104 AFGMp50 - ok
11:15:19.0093 3104 AFGSp50 - ok
11:15:19.0171 3104 [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
11:15:19.0171 3104 agp440 - ok
11:15:19.0187 3104 Aha154x - ok
11:15:19.0203 3104 aic78u2 - ok
11:15:19.0203 3104 aic78xx - ok
11:15:19.0281 3104 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
11:15:19.0281 3104 ALG - ok
11:15:19.0296 3104 AliIde - ok
11:15:19.0312 3104 amsint - ok
11:15:19.0625 3104 [ A5299D04ED225D64CF07A568A3E1BF8C ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
11:15:19.0625 3104 Apple Mobile Device - ok
11:15:19.0640 3104 AppMgmt - ok
11:15:19.0640 3104 asc - ok
11:15:19.0656 3104 asc3350p - ok
11:15:19.0671 3104 asc3550 - ok
11:15:19.0953 3104 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
11:15:19.0953 3104 aspnet_state - ok
11:15:20.0015 3104 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:15:20.0062 3104 AsyncMac - ok
11:15:20.0109 3104 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
11:15:20.0109 3104 atapi - ok
11:15:20.0125 3104 Atdisk - ok
11:15:20.0171 3104 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:15:20.0171 3104 Atmarpc - ok
11:15:20.0296 3104 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
11:15:20.0296 3104 AudioSrv - ok
11:15:20.0359 3104 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
11:15:20.0359 3104 audstub - ok
11:15:20.0796 3104 [ B1CE458A6F330FA4369D1B3A65169C0C ] AVKProxy C:\Program Files\Common Files\G Data\AVKProxy\AVKProxy.exe
11:15:21.0140 3104 AVKProxy - ok
11:15:21.0437 3104 [ BA79FA9DB53879C2A05A181C3F40C76D ] AVKService C:\Program Files\G Data\TotalSecurity\AVK\AVKService.exe
11:15:21.0515 3104 AVKService - ok
11:15:21.0937 3104 [ AACB33AD6E29704BBA20BCAF55E5AB76 ] AVKWCtl C:\Program Files\G Data\TotalSecurity\AVK\AVKWCtl.exe
11:15:22.0265 3104 AVKWCtl - ok
11:15:22.0375 3104 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
11:15:22.0375 3104 Beep - ok
11:15:22.0625 3104 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
11:15:22.0656 3104 BITS - ok
11:15:23.0015 3104 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
11:15:23.0093 3104 Bonjour Service - ok
11:15:23.0234 3104 [ 248DFA5762DDE38DFDDBBD44149E9D7A ] BVRPMPR5 C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
11:15:23.0265 3104 BVRPMPR5 - ok
11:15:23.0406 3104 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
11:15:23.0437 3104 cbidf2k - ok
11:15:23.0625 3104 [ 359E5A91D26D0439933BEF1C29CEDEF7 ] CCALib8 C:\Program Files\Canon\CAL\CALMAIN.exe
11:15:23.0640 3104 CCALib8 - ok
11:15:23.0640 3104 cd20xrnt - ok
11:15:23.0750 3104 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
11:15:23.0765 3104 Cdaudio - ok
11:15:23.0812 3104 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
11:15:23.0812 3104 Cdfs - ok
11:15:23.0890 3104 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:15:23.0906 3104 Cdrom - ok
11:15:23.0906 3104 Changer - ok
11:15:24.0015 3104 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
11:15:24.0046 3104 CiSvc - ok
11:15:24.0093 3104 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
11:15:24.0125 3104 ClipSrv - ok
11:15:24.0203 3104 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:15:24.0484 3104 clr_optimization_v2.0.50727_32 - ok
11:15:24.0640 3104 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
11:15:24.0953 3104 clr_optimization_v4.0.30319_32 - ok
11:15:24.0953 3104 CmdIde - ok
11:15:24.0968 3104 COMSysApp - ok
11:15:25.0000 3104 Cpqarray - ok
11:15:25.0125 3104 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
11:15:25.0125 3104 CryptSvc - ok
11:15:25.0125 3104 dac2w2k - ok
11:15:25.0156 3104 dac960nt - ok
11:15:25.0312 3104 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
11:15:25.0390 3104 DcomLaunch - ok
11:15:25.0515 3104 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
11:15:25.0531 3104 Dhcp - ok
11:15:25.0593 3104 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
11:15:25.0593 3104 Disk - ok
11:15:25.0609 3104 dmadmin - ok
11:15:25.0921 3104 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
11:15:26.0000 3104 dmboot - ok
11:15:26.0109 3104 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
11:15:26.0140 3104 dmio - ok
11:15:26.0281 3104 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
11:15:26.0312 3104 dmload - ok
11:15:26.0468 3104 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
11:15:26.0500 3104 dmserver - ok
11:15:26.0562 3104 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
11:15:26.0593 3104 DMusic - ok
11:15:26.0687 3104 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
11:15:26.0687 3104 Dnscache - ok
11:15:26.0921 3104 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
11:15:26.0984 3104 Dot3svc - ok
11:15:27.0000 3104 dpti2o - ok
11:15:27.0156 3104 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
11:15:27.0187 3104 drmkaud - ok
11:15:27.0343 3104 [ 98B46B331404A951CABAD8B4877E1276 ] E100B C:\WINDOWS\system32\DRIVERS\e100b325.sys
11:15:27.0359 3104 E100B - ok
11:15:27.0500 3104 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
11:15:27.0531 3104 EapHost - ok
11:15:27.0734 3104 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
11:15:27.0750 3104 ERSvc - ok
11:15:27.0875 3104 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
11:15:27.0953 3104 Eventlog - ok
11:15:28.0046 3104 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\System32\es.dll
11:15:28.0093 3104 EventSystem - ok
11:15:28.0218 3104 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
11:15:28.0234 3104 Fastfat - ok
11:15:28.0359 3104 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
11:15:28.0375 3104 FastUserSwitchingCompatibility - ok
11:15:28.0437 3104 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
11:15:28.0437 3104 Fdc - ok
11:15:28.0468 3104 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
11:15:28.0484 3104 Fips - ok
11:15:28.0546 3104 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:15:28.0546 3104 Flpydisk - ok
11:15:28.0656 3104 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
11:15:28.0671 3104 FltMgr - ok
11:15:29.0078 3104 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
11:15:29.0250 3104 FontCache3.0.0.0 - ok
11:15:29.0296 3104 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:15:29.0312 3104 Fs_Rec - ok
11:15:29.0343 3104 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:15:29.0343 3104 Ftdisk - ok
11:15:30.0906 3104 [ BE8D41CDF5DEC88C55C8B559AD6C9F4A ] GDBackupSvc C:\Program Files\G Data\TotalSecurity\AVKBackup\AVKBackupService.exe
11:15:32.0093 3104 GDBackupSvc - ok
11:15:32.0203 3104 [ 1B519753DA1E7E51F37001E23F1BB045 ] GDBehave C:\WINDOWS\system32\drivers\GDBehave.sys
11:15:32.0203 3104 GDBehave - ok
11:15:32.0968 3104 [ 05787ED926CD5CD2FDAC57F9ADC22DEC ] GDFwSvc C:\Program Files\G Data\TotalSecurity\Firewall\GDFwSvc.exe
11:15:33.0250 3104 GDFwSvc - ok
11:15:33.0359 3104 [ CD58774324A78BBA15B89C35BED81593 ] GDMnIcpt C:\WINDOWS\system32\drivers\MiniIcpt.sys
11:15:33.0375 3104 GDMnIcpt - ok
11:15:33.0453 3104 [ 4E7F16B1698772D4B57B989E569C14DB ] GDNdisIc C:\WINDOWS\system32\drivers\GDNdisIc.sys
11:15:33.0453 3104 GDNdisIc - ok
11:15:33.0609 3104 [ 7641143D7CAE05AE5E07AA517A09FAD3 ] GDScan C:\Program Files\Common Files\G Data\GDScan\GDScan.exe
11:15:33.0656 3104 GDScan - ok
11:15:33.0828 3104 [ 564777071576CE55B9204A02EC8FD645 ] GDTdiInterceptor C:\WINDOWS\system32\drivers\GDTdiIcpt.sys
11:15:33.0843 3104 GDTdiInterceptor - ok
11:15:34.0187 3104 [ 7EC5CEEFED97F1AB48A48C1DF1D0AF7F ] GDTunerSvc C:\Program Files\G Data\TotalSecurity\AVKTuner\AVKTunerService.exe
11:15:34.0437 3104 GDTunerSvc - ok
11:15:34.0546 3104 [ 185ADA973B5020655CEE342059A86CBB ] GEARAspiWDM C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
11:15:34.0562 3104 GEARAspiWDM - ok
11:15:34.0625 3104 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:15:34.0625 3104 Gpc - ok
11:15:34.0703 3104 [ 7706FF2240FB112AF8C2A02558E2A1CD ] GRD C:\WINDOWS\system32\drivers\GRD.sys
11:15:34.0703 3104 GRD - ok
11:15:34.0812 3104 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
11:15:34.0828 3104 gupdate - ok
11:15:34.0859 3104 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
11:15:34.0859 3104 gupdatem - ok
11:15:34.0968 3104 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
11:15:34.0968 3104 gusvc - ok
11:15:35.0109 3104 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:15:35.0125 3104 helpsvc - ok
11:15:35.0125 3104 HidServ - ok
11:15:35.0203 3104 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:15:35.0218 3104 hidusb - ok
11:15:35.0281 3104 [ 30B90793A568281BEF70FA57DDE305A2 ] hitmanpro35 C:\WINDOWS\system32\drivers\hitmanpro35.sys
11:15:35.0281 3104 hitmanpro35 - ok
11:15:35.0328 3104 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
11:15:35.0328 3104 hkmsvc - ok
11:15:35.0453 3104 [ F60C377C72BB24F5212FF994420F511F ] HookCentre C:\WINDOWS\system32\drivers\HookCentre.sys
11:15:35.0468 3104 HookCentre - ok
11:15:35.0484 3104 hpn - ok
11:15:35.0578 3104 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
11:15:35.0609 3104 HTTP - ok
11:15:35.0703 3104 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
11:15:35.0718 3104 HTTPFilter - ok
11:15:35.0734 3104 i2omgmt - ok
11:15:35.0750 3104 i2omp - ok
11:15:35.0765 3104 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:15:35.0781 3104 i8042prt - ok
11:15:36.0218 3104 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:15:36.0484 3104 idsvc - ok
11:15:36.0500 3104 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
11:15:36.0515 3104 Imapi - ok
11:15:36.0687 3104 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
11:15:36.0703 3104 ImapiService - ok
11:15:36.0718 3104 ini910u - ok
11:15:36.0734 3104 IntelIde - ok
11:15:36.0812 3104 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:15:36.0828 3104 intelppm - ok
11:15:36.0843 3104 [ 3BB22519A194418D5FEC05D800A19AD0 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys
11:15:36.0843 3104 ip6fw - ok
11:15:36.0937 3104 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:15:36.0968 3104 IpFilterDriver - ok
11:15:37.0046 3104 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:15:37.0062 3104 IpInIp - ok
11:15:37.0078 3104 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:15:37.0093 3104 IpNat - ok
11:15:37.0500 3104 [ BC0EA61246F8D940FBC5F652D337D6BD ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
11:15:37.0921 3104 iPod Service - ok
11:15:37.0984 3104 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:15:38.0031 3104 IPSec - ok
11:15:38.0046 3104 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
11:15:38.0078 3104 IRENUM - ok
11:15:38.0203 3104 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:15:38.0218 3104 isapnp - ok
11:15:38.0609 3104 [ 691B9B7C0CC1653732717D292D6B305D ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
11:15:38.0640 3104 JavaQuickStarterService - ok
11:15:38.0687 3104 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:15:38.0734 3104 Kbdclass - ok
11:15:38.0796 3104 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
11:15:38.0859 3104 kmixer - ok
11:15:39.0000 3104 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
11:15:39.0000 3104 KSecDD - ok
11:15:39.0031 3104 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
11:15:39.0046 3104 lanmanserver - ok
11:15:39.0062 3104 lbrtfdc - ok
11:15:39.0203 3104 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
11:15:39.0250 3104 LmHosts - ok
11:15:39.0390 3104 [ 500D089CE760D83DA2B6CBA681AA9949 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys
11:15:39.0390 3104 MBAMProtector - ok
11:15:39.0703 3104 [ 85B16A92B117A5A800032ECD904B86DB ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
11:15:39.0734 3104 MBAMScheduler - ok
11:15:40.0078 3104 [ 20E2469DB709FC675E655CEAA11BE312 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
11:15:40.0203 3104 MBAMService - ok
11:15:40.0265 3104 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
11:15:40.0296 3104 mnmdd - ok
11:15:40.0421 3104 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe
11:15:40.0453 3104 mnmsrvc - ok
11:15:40.0593 3104 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
11:15:40.0625 3104 Modem - ok
11:15:40.0718 3104 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:15:40.0750 3104 Mouclass - ok
11:15:40.0843 3104 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:15:40.0859 3104 mouhid - ok
11:15:40.0937 3104 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
11:15:40.0937 3104 MountMgr - ok
11:15:40.0937 3104 mraid35x - ok
11:15:41.0187 3104 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:15:41.0218 3104 MRxDAV - ok
11:15:41.0343 3104 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\System32\msdtc.exe
11:15:41.0343 3104 MSDTC - ok
11:15:41.0406 3104 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
11:15:41.0421 3104 Msfs - ok
11:15:41.0421 3104 MSIServer - ok
11:15:41.0484 3104 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:15:41.0531 3104 MSKSSRV - ok
11:15:41.0593 3104 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:15:41.0609 3104 MSPCLOCK - ok
11:15:41.0687 3104 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
11:15:41.0687 3104 MSPQM - ok
11:15:41.0734 3104 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:15:41.0734 3104 mssmbios - ok
11:15:41.0812 3104 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
11:15:41.0812 3104 Mup - ok
11:15:41.0968 3104 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
11:15:41.0984 3104 napagent - ok
11:15:42.0171 3104 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
11:15:42.0187 3104 NDIS - ok
11:15:42.0265 3104 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:15:42.0265 3104 NdisTapi - ok
11:15:42.0281 3104 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:15:42.0281 3104 Ndisuio - ok
11:15:42.0359 3104 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:15:42.0359 3104 NdisWan - ok
11:15:42.0437 3104 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
11:15:42.0453 3104 NDProxy - ok
11:15:42.0468 3104 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
11:15:42.0468 3104 NetBT - ok
11:15:42.0531 3104 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
11:15:42.0531 3104 NetDDE - ok
11:15:42.0546 3104 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
11:15:42.0546 3104 NetDDEdsdm - ok
11:15:42.0593 3104 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
11:15:42.0609 3104 Netman - ok
11:15:42.0656 3104 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:15:42.0671 3104 NetTcpPortSharing - ok
11:15:42.0734 3104 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
11:15:42.0734 3104 Nla - ok
11:15:42.0796 3104 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
11:15:42.0796 3104 Npfs - ok
11:15:42.0843 3104 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
11:15:42.0875 3104 Ntfs - ok
11:15:42.0937 3104 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
11:15:42.0953 3104 NtmsSvc - ok
11:15:43.0000 3104 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
11:15:43.0000 3104 Null - ok
11:15:43.0109 3104 [ 5D701FCA6F7DB7A8A7D21F80A84D291A ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:15:43.0171 3104 nv - ok
11:15:43.0187 3104 [ 26712CF8BE48BC767854927435C0B6A9 ] NVSvc C:\WINDOWS\System32\nvsvc32.exe
11:15:43.0203 3104 NVSvc - ok
11:15:43.0250 3104 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:15:43.0250 3104 NwlnkFlt - ok
11:15:43.0265 3104 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:15:43.0265 3104 NwlnkFwd - ok
11:15:43.0312 3104 [ CEC7E2C6C1FA00C7AB2F5434F848AE51 ] OMCI C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
11:15:43.0312 3104 OMCI - ok
11:15:43.0375 3104 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
11:15:43.0390 3104 ose - ok
11:15:43.0453 3104 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
11:15:43.0468 3104 Parport - ok
11:15:43.0484 3104 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
11:15:43.0484 3104 PartMgr - ok
11:15:43.0546 3104 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
11:15:43.0546 3104 ParVdm - ok
11:15:43.0562 3104 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
11:15:43.0578 3104 PCI - ok
11:15:43.0578 3104 PCIDump - ok
11:15:43.0625 3104 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
11:15:43.0625 3104 PCIIde - ok
11:15:43.0656 3104 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
11:15:43.0656 3104 Pcmcia - ok
11:15:43.0671 3104 PDCOMP - ok
11:15:43.0687 3104 PDFRAME - ok
11:15:43.0703 3104 PDRELI - ok
11:15:43.0718 3104 PDRFRAME - ok
11:15:43.0718 3104 perc2 - ok
11:15:43.0734 3104 perc2hib - ok
11:15:43.0796 3104 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
11:15:43.0812 3104 PlugPlay - ok
11:15:43.0875 3104 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
11:15:43.0875 3104 PolicyAgent - ok
11:15:43.0890 3104 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:15:43.0890 3104 PptpMiniport - ok
11:15:43.0921 3104 [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys
11:15:43.0921 3104 Processor - ok
11:15:43.0937 3104 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
11:15:43.0937 3104 ProtectedStorage - ok
11:15:43.0953 3104 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
11:15:43.0953 3104 PSched - ok
11:15:44.0031 3104 [ D24DFD16A1E2A76034DF5AA18125C35D ] PSI C:\WINDOWS\system32\DRIVERS\psi_mf.sys
11:15:44.0031 3104 PSI - ok
11:15:44.0093 3104 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:15:44.0093 3104 Ptilink - ok
11:15:44.0140 3104 [ 153D02480A0A2F45785522E814C634B6 ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:15:44.0140 3104 PxHelp20 - ok
11:15:44.0156 3104 ql1080 - ok
11:15:44.0171 3104 Ql10wnt - ok
11:15:44.0187 3104 ql12160 - ok
11:15:44.0203 3104 ql1240 - ok
11:15:44.0203 3104 ql1280 - ok
11:15:44.0250 3104 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:15:44.0250 3104 RasAcd - ok
11:15:44.0296 3104 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
11:15:44.0312 3104 RasAuto - ok
11:15:44.0359 3104 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:15:44.0359 3104 Rasl2tp - ok
11:15:44.0437 3104 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
11:15:44.0437 3104 RasMan - ok
11:15:44.0453 3104 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:15:44.0453 3104 RasPppoe - ok
11:15:44.0484 3104 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
11:15:44.0484 3104 Raspti - ok
11:15:44.0500 3104 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:15:44.0500 3104 RDPCDD - ok
11:15:44.0562 3104 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
11:15:44.0578 3104 RDPWD - ok
11:15:44.0593 3104 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
11:15:44.0609 3104 RDSessMgr - ok
11:15:44.0656 3104 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
11:15:44.0656 3104 redbook - ok
11:15:44.0718 3104 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
11:15:44.0718 3104 RemoteAccess - ok
11:15:44.0750 3104 [ D8B0B4ADE32574B2D9C5CC34DC0DBBE7 ] ROOTMODEM C:\WINDOWS\system32\Drivers\RootMdm.sys
11:15:44.0750 3104 ROOTMODEM - ok
11:15:44.0828 3104 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
11:15:44.0828 3104 RpcSs - ok
11:15:44.0875 3104 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe
11:15:44.0890 3104 RSVP - ok
11:15:44.0937 3104 [ 3DEE06E12BAC87168089040D3C86FBEA ] RTL8023 C:\WINDOWS\system32\DRIVERS\GA311ND5.SYS
11:15:44.0953 3104 RTL8023 - ok
11:15:44.0968 3104 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
11:15:44.0968 3104 SamSs - ok
11:15:45.0015 3104 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
11:15:45.0031 3104 SCardSvr - ok
11:15:45.0078 3104 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
11:15:45.0093 3104 Schedule - ok
11:15:45.0156 3104 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:15:45.0156 3104 Secdrv - ok
11:15:45.0187 3104 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
11:15:45.0187 3104 seclogon - ok
11:15:45.0375 3104 [ 5B66DB4877BBAC9F7493AA8D84421E49 ] Secunia PSI Agent C:\Program Files\Secunia\PSI\PSIA.exe
11:15:45.0468 3104 Secunia PSI Agent - ok
11:15:45.0531 3104 [ 0E88FDF474F2CDD370A4A6CE77D018F0 ] Secunia Update Agent C:\Program Files\Secunia\PSI\sua.exe
11:15:45.0562 3104 Secunia Update Agent - ok
11:15:45.0640 3104 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
11:15:45.0640 3104 SENS - ok
11:15:45.0656 3104 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
11:15:45.0656 3104 serenum - ok
11:15:45.0687 3104 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
11:15:45.0687 3104 Serial - ok
11:15:45.0796 3104 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
11:15:45.0796 3104 Sfloppy - ok
11:15:45.0890 3104 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
11:15:45.0921 3104 SharedAccess - ok
11:15:45.0953 3104 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
11:15:45.0953 3104 ShellHWDetection - ok
11:15:45.0968 3104 Simbad - ok
11:15:46.0062 3104 [ 5018A9DB5EB62E3EDB3110F82F556285 ] smwdm C:\WINDOWS\system32\drivers\smwdm.sys
11:15:46.0078 3104 smwdm - ok
11:15:46.0093 3104 Sparrow - ok
11:15:46.0156 3104 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
11:15:46.0171 3104 splitter - ok
11:15:46.0234 3104 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
11:15:46.0265 3104 Spooler - ok
11:15:46.0281 3104 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
11:15:46.0281 3104 sr - ok
11:15:46.0359 3104 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
11:15:46.0359 3104 srservice - ok
11:15:46.0437 3104 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
11:15:46.0453 3104 Srv - ok
11:15:46.0468 3104 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
11:15:46.0468 3104 SSDPSRV - ok
11:15:46.0562 3104 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
11:15:46.0609 3104 stisvc - ok
11:15:46.0687 3104 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
11:15:46.0687 3104 swenum - ok
11:15:46.0718 3104 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
11:15:46.0718 3104 swmidi - ok
11:15:46.0734 3104 SwPrv - ok
11:15:46.0750 3104 sxuptp - ok
11:15:46.0765 3104 symc810 - ok
11:15:46.0781 3104 symc8xx - ok
11:15:46.0796 3104 sym_hi - ok
11:15:46.0796 3104 sym_u3 - ok
11:15:46.0828 3104 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
11:15:46.0828 3104 sysaudio - ok
11:15:46.0890 3104 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
11:15:46.0890 3104 SysmonLog - ok
11:15:46.0953 3104 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
11:15:46.0968 3104 TapiSrv - ok
11:15:47.0046 3104 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:15:47.0078 3104 Tcpip - ok
11:15:47.0140 3104 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
11:15:47.0140 3104 TDPIPE - ok
11:15:47.0156 3104 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
11:15:47.0156 3104 TDTCP - ok
11:15:47.0203 3104 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
11:15:47.0203 3104 TermDD - ok
11:15:47.0296 3104 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
11:15:47.0312 3104 TermService - ok
11:15:47.0343 3104 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
11:15:47.0343 3104 Themes - ok
11:15:47.0359 3104 TosIde - ok
11:15:47.0406 3104 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
11:15:47.0406 3104 TrkWks - ok
11:15:47.0437 3104 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
11:15:47.0453 3104 Udfs - ok
11:15:47.0453 3104 ultra - ok
11:15:47.0531 3104 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
11:15:47.0546 3104 Update - ok
11:15:47.0593 3104 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
11:15:47.0609 3104 upnphost - ok
11:15:47.0640 3104 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
11:15:47.0640 3104 UPS - ok
11:15:47.0703 3104 [ 73B41F4EAD65F355962168D766AF0F2E ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
11:15:47.0703 3104 USBAAPL - ok
11:15:47.0734 3104 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:15:47.0734 3104 usbccgp - ok
11:15:47.0812 3104 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:15:47.0812 3104 usbehci - ok
11:15:47.0875 3104 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:15:47.0890 3104 usbhub - ok
11:15:47.0906 3104 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:15:47.0906 3104 usbprint - ok
11:15:47.0984 3104 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:15:47.0984 3104 usbscan - ok
11:15:48.0000 3104 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:15:48.0000 3104 USBSTOR - ok
11:15:48.0031 3104 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:15:48.0031 3104 usbuhci - ok
11:15:48.0093 3104 [ 497F2190E87D58FD68E559E083796EDC ] USRpdA C:\WINDOWS\system32\DRIVERS\USRpdA.sys
11:15:48.0109 3104 USRpdA - ok
11:15:48.0125 3104 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
11:15:48.0125 3104 VgaSave - ok
11:15:48.0140 3104 ViaIde - ok
11:15:48.0156 3104 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
11:15:48.0156 3104 VolSnap - ok
11:15:48.0218 3104 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
11:15:48.0250 3104 VSS - ok
11:15:48.0312 3104 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
11:15:48.0312 3104 W32Time - ok
11:15:48.0390 3104 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:15:48.0390 3104 Wanarp - ok
11:15:48.0406 3104 WDICA - ok
11:15:48.0468 3104 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
11:15:48.0484 3104 wdmaud - ok
11:15:48.0515 3104 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
11:15:48.0531 3104 WebClient - ok
11:15:48.0656 3104 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
11:15:48.0656 3104 winmgmt - ok
11:15:48.0718 3104 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
11:15:48.0718 3104 WmdmPmSN - ok
11:15:48.0765 3104 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
11:15:48.0765 3104 WmiApSrv - ok
11:15:48.0859 3104 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
11:15:48.0890 3104 WMPNetworkSvc - ok
11:15:49.0046 3104 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
11:15:49.0109 3104 WPFFontCache_v0400 - ok
11:15:49.0187 3104 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
11:15:49.0187 3104 wscsvc - ok
11:15:49.0218 3104 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
11:15:49.0218 3104 wuauserv - ok
11:15:49.0312 3104 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
11:15:49.0343 3104 WZCSVC - ok
11:15:49.0406 3104 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
11:15:49.0406 3104 xmlprov - ok
11:15:49.0421 3104 ================ Scan global ===============================
11:15:49.0468 3104 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
11:15:49.0546 3104 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
11:15:49.0578 3104 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
11:15:49.0593 3104 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
11:15:49.0593 3104 [Global] - ok
11:15:49.0609 3104 ================ Scan MBR ==================================
11:15:49.0640 3104 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
11:15:49.0843 3104 \Device\Harddisk0\DR0 - ok
11:15:49.0843 3104 ================ Scan VBR ==================================
11:15:49.0859 3104 [ 6C35032B15A67BBBA1E0AA1A237FF28E ] \Device\Harddisk0\DR0\Partition1
11:15:49.0859 3104 \Device\Harddisk0\DR0\Partition1 - ok
11:15:49.0859 3104 ============================================================
11:15:49.0859 3104 Scan finished
11:15:49.0859 3104 ============================================================
11:15:49.0875 0224 Detected object count: 0
11:15:49.0875 0224 Actual detected object count: 0
 
Rogue Killer:
RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Ed [Admin rights]
Mode : Remove -- Date : 11/09/2012 11:26:46
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD400BB-75DEA0 +++++

--- User ---
[MBR] 63f767e2998d7fd940fb80bc89ed23a0
[BSP] f0531316a6163d16f4ba254ab3fe3bf4 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 38099 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2]_D_11092012_02d1126.txt >>
RKreport[1]_S_11092012_02d1126.txt ; RKreport[2]_D_11092012_02d1126.txt
 
aswMBR:
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-09 11:30:45
-----------------------------
11:30:45.437 OS Version: Windows 5.1.2600 Service Pack 3
11:30:45.437 Number of processors: 1 586 0x209
11:30:45.437 ComputerName: ED-NXAIBJWWPXN5 UserName: Ed
11:30:45.984 Initialize success
11:37:22.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:37:22.937 Disk 0 Vendor: WDC_WD400BB-75DEA0 05.03E05 Size: 38146MB BusType: 3
11:37:22.968 Disk 0 MBR read successfully
11:37:22.968 Disk 0 MBR scan
11:37:22.984 Disk 0 Windows XP default MBR code
11:37:22.984 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
11:37:22.984 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 38099 MB offset 80325
11:37:22.984 Disk 0 scanning sectors +78108030
11:37:23.062 Disk 0 scanning C:\WINDOWS\system32\drivers
11:37:33.515 Service scanning
11:37:53.171 Modules scanning
11:37:59.703 Disk 0 trace - called modules:
11:37:59.734 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
11:37:59.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89710ab8]
11:38:00.250 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89764d98]
11:38:00.250 Scan finished successfully
11:38:14.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ed\Desktop\MBR.dat"
11:38:14.578 The log file has been saved successfully to "C:\Documents and Settings\Ed\Desktop\aswMBR.txt"
 
Create a new restore point before proceeding with the next step.
How to:
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

=============================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    If the connection is still not there, use the restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart the computer in safe mode.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done, Notepad will open with the rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
 
Combofix:
ComboFix 12-11-09.02 - Ed 11/09/2012 19:08:13.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.647 [GMT -5:00]
Running from: c:\documents and settings\Ed\Desktop\ComboFix.exe
AV: G Data TotalSecurity 2012 *Disabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: G Data Personal Firewall *Disabled* {6E6F4BA6-C07D-443F-A130-0A57DA59A082}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-10 to 2012-11-10 )))))))))))))))))))))))))))))))
.
.
2012-11-08 18:03 . 2012-11-08 18:03 -------- d-----w- c:\program files\MSXML 4.0
2012-11-08 18:01 . 2012-11-08 18:01 -------- d-----w- c:\program files\Common Files\Java
2012-11-08 18:01 . 2012-11-08 18:00 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-08 17:31 . 2012-11-08 17:31 -------- d-----w- c:\program files\Microsoft Download Manager
2012-11-07 16:42 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-07 02:41 . 2012-11-07 02:41 -------- d-----w- c:\documents and settings\Ed\Application Data\Funmoods
2012-11-07 02:20 . 2012-11-07 02:20 -------- d-----w- c:\documents and settings\Ed\Application Data\jdnetmon
2012-11-07 02:09 . 2012-11-07 02:09 -------- d-----w- c:\program files\Microsoft.NET
2012-11-07 01:53 . 2012-11-09 18:31 -------- d-----w- c:\documents and settings\Ed\Application Data\jdast
2012-11-07 01:53 . 2012-11-07 03:00 -------- d-----w- c:\program files\JDAST
2012-11-07 01:52 . 2012-11-07 01:52 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Wajam
2012-10-21 15:40 . 2012-10-21 15:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-10-21 15:40 . 2012-10-22 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-08 18:00 . 2010-07-20 18:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-08 18:00 . 2010-07-20 18:55 473072 -c--a-w- c:\windows\system32\deployJava1.dll
2012-10-09 17:00 . 2012-03-30 22:34 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 17:00 . 2011-07-15 02:14 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-28 15:14 . 2003-07-16 20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2003-07-16 20:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2003-07-16 20:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2009-03-21 01:45 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2003-07-16 20:51 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 17:01 . 2006-10-03 23:47 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-21 17:01 . 2006-09-19 18:44 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 13:29 . 2003-07-16 20:39 2192896 -c--a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2002-08-29 01:04 2069632 -c--a-w- c:\windows\system32\ntkrnlpa.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2012-06-02 . 2E0B0A051FFAA86E358465BB0880D453 . 53784 . . [7.6.7600.256] . . c:\windows\system32\wuauclt.exe
[7] 2012-06-02 . 2E0B0A051FFAA86E358465BB0880D453 . 53784 . . [7.6.7600.256] . . c:\windows\system32\dllcache\wuauclt.exe
[7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\ERDNT\cache\wuauclt.exe
[7] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2004-08-04 . 4126D27CECE4471E00E425411F7306B5 . 111104 . . [5.4.3790.2180] . . c:\windows\$NtServicePackUninstall$\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"G Data AntiVirus Tray Application"="c:\program files\G Data\TotalSecurity\AVKTray\AVKTray.exe" [2011-08-19 921096]
"GDFirewallTray"="c:\program files\G Data\TotalSecurity\Firewall\GDFirewallTray.exe" [2011-11-08 1616392]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 -c--a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 01:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 03:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-09-30 00:54 766536 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2/11/2012 4:32 PM 40440]
R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2/11/2012 4:32 PM 30200]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2/11/2012 4:32 PM 79992]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2/12/2012 3:08 AM 69112]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2/11/2012 4:32 PM 40568]
R2 AVKProxy;G Data AntiVirus Proxy;c:\program files\Common Files\G Data\AVKProxy\AVKProxy.exe [5/3/2011 2:21 PM 1499656]
R2 AVKService;G Data Scheduler;c:\program files\G Data\TotalSecurity\AVK\AVKService.exe [5/3/2011 2:21 PM 409608]
R2 AVKWCtl;G Data Filesystem Monitor;c:\program files\G Data\TotalSecurity\AVK\AVKWCtl.exe [5/3/2011 11:26 AM 1554184]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2/11/2012 4:32 PM 52216]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/7/2012 11:42 AM 399432]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 1:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 1:01 AM 399416]
R3 GDFwSvc;G Data Personal Firewall;c:\program files\G Data\TotalSecurity\Firewall\GDFwSvc.exe [5/3/2011 11:39 AM 1613424]
R3 GDScan;G Data Scanner;c:\program files\Common Files\G Data\GDScan\GDScan.exe [5/3/2011 2:21 PM 457536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/7/2012 11:42 AM 22856]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/7/2012 11:42 AM 676936]
S3 GDBackupSvc;G Data Backup Service;c:\program files\G Data\TotalSecurity\AVKBackup\AVKBackupService.exe [5/3/2011 11:18 AM 1498616]
S3 GDTunerSvc;G Data Tuner Service;c:\program files\G Data\TotalSecurity\AVKTuner\AVKTunerService.exe [5/3/2011 12:15 PM 960504]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2/4/2011 9:11 PM 16968]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:00]
.
2012-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cce136bb5afc0c.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-27 02:20]
.
2012-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cce136bbbf1ed0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-27 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
mStart Page = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0CtDtA0FtD0EyEtC0D0B0F0Ezy0B0BzytN0D0Tzu0CtAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-09 19:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2012-11-09 19:24:08
ComboFix-quarantined-files.txt 2012-11-10 00:24
.
Pre-Run: 18,269,474,816 bytes free
Post-Run: 18,289,426,432 bytes free
.
- - End Of File - - 83AE142ECBE942650C139489D145DA80
 
Looks good.

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Broni - OTL is running VERY slowly (like over a couple of hours and still not done). If I look at the processes in Task Mgr, AVKProxy.exe is using 99% of the CPU.

AVKProxy appears to be related to my G Data antivirus. I even tried turning everything off in G Data ... but had the same result.
Any suggestions?
 
Much better!!
OTL logfile created on: 11/9/2012 11:07:55 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ed\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: | Country: | Language: | Date Format:

1.25 Gb Total Physical Memory | 1.02 Gb Available Physical Memory | 81.47% Memory free
2.98 Gb Paging File | 2.93 Gb Available in Paging File | 98.24% Paging File free
Paging file location(s): C:\pagefile.sys 1917 1917 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 17.02 Gb Free Space | 45.76% Space Free | Partition Type: NTFS

Computer Name: ED-NXAIBJWWPXN5 | User Name: Ed | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/09 19:48:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/10/09 12:00:31 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2011/11/08 07:43:11 | 001,499,656 | ---- | M] (G Data Software AG) [Auto | Stopped] -- C:\Program Files\Common Files\G Data\AVKProxy\AVKProxy.exe -- (AVKProxy)
SRV - [2011/10/28 08:43:51 | 001,498,616 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\G Data\TotalSecurity\AVKBackup\AVKBackupService.exe -- (GDBackupSvc)
SRV - [2011/10/28 08:36:11 | 000,457,536 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\G Data\GDScan\GDScan.exe -- (GDScan)
SRV - [2011/10/27 20:40:14 | 001,554,184 | ---- | M] (G Data Software AG) [Auto | Stopped] -- C:\Program Files\G Data\TotalSecurity\AVK\AVKWCtl.exe -- (AVKWCtl)
SRV - [2011/10/14 01:01:50 | 000,994,360 | ---- | M] (Secunia) [Auto | Stopped] -- C:\Program Files\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
SRV - [2011/10/14 01:01:48 | 000,399,416 | ---- | M] (Secunia) [Auto | Stopped] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2011/08/10 07:20:28 | 001,613,424 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\G Data\TotalSecurity\Firewall\GDFwSvc.exe -- (GDFwSvc)
SRV - [2011/05/19 20:40:34 | 000,960,504 | ---- | M] (G Data Software AG) [On_Demand | Stopped] -- C:\Program Files\G Data\TotalSecurity\AVKTuner\AVKTunerService.exe -- (GDTunerSvc)
SRV - [2011/05/03 14:21:16 | 000,409,608 | ---- | M] (G Data Software AG) [Auto | Stopped] -- C:\Program Files\G Data\TotalSecurity\AVK\AVKService.exe -- (AVKService)
SRV - [2009/09/08 17:25:52 | 000,096,334 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\sxuptp.sys -- (sxuptp)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\TEMP\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGSp50.sys -- (AFGSp50)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\AFGMp50.sys -- (AFGMp50)
DRV - [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/02/12 03:08:39 | 000,069,112 | ---- | M] (G Data Software) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\GRD.sys -- (GRD)
DRV - [2012/02/11 18:36:51 | 000,030,200 | ---- | M] (G Data Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\GDNdisIc.sys -- (GDNdisIc)
DRV - [2012/02/11 18:36:50 | 000,052,216 | ---- | M] (G Data Software AG) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\GDTdiIcpt.sys -- (GDTdiInterceptor)
DRV - [2012/02/11 18:36:42 | 000,040,568 | ---- | M] (G Data Software AG) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\HookCentre.sys -- (HookCentre)
DRV - [2012/02/11 18:36:41 | 000,079,992 | ---- | M] (G Data Software AG) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\MiniIcpt.sys -- (GDMnIcpt)
DRV - [2012/02/11 18:36:40 | 000,040,440 | ---- | M] (G Data Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\GDBehave.sys -- (GDBehave)
DRV - [2011/02/04 21:24:12 | 000,016,968 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2010/06/30 03:27:08 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2004/03/09 09:58:06 | 000,329,088 | ---- | M] (U.S. Robotics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\3c1807pd.sys -- (3c1807pd)
DRV - [2003/10/12 10:29:00 | 000,066,688 | R--- | M] (NETGEAR ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GA311ND5.SYS -- (RTL8023)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 08:28:26 | 000,113,762 | ---- | M] (U.S. Robotics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchfunmoods.com/?f=1&a=do...tAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871
IE - HKLM\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results.p...tAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 12 7A 82 02 C6 0E CD 01 [binary data]
IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...&ie={inputEncoding?}&oe={outputEncoding?}&rlz=
IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results.p...tAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871
IE - HKU\S-1-5-21-73586283-746137067-839522115-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2012/11/09 23:02:57 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/12/28 00:22:02 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (G Data WebFilter) - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\TotalSecurity\WebFilter\AvkWebIE.dll (G Data Software AG)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
O2 - BHO: (G Data BankGuard) - {BA3295CF-17ED-4F49-9E95-D999A0ADBFDC} - C:\Program Files\Common Files\G Data\AVKProxy\BanksafeBHO.dll (G Data Software AG)
O3 - HKLM\..\Toolbar: (G Data WebFilter) - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\TotalSecurity\WebFilter\AvkWebIE.dll (G Data Software AG)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [G Data AntiVirus Tray Application] C:\Program Files\G Data\TotalSecurity\AVKTray\AVKTray.exe (G Data Software AG)
O4 - HKLM..\Run: [GDFirewallTray] C:\Program Files\G Data\TotalSecurity\Firewall\GDFirewallTray.exe (G Data Software AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-73586283-746137067-839522115-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-73586283-746137067-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo2.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5A0DE531-0B77-487D-B443-F8C892D9FD93}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/20 19:46:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/09 19:47:58 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe
[2012/11/09 18:57:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/11/09 18:57:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/11/09 18:57:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/11/09 18:57:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/11/09 18:56:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/09 18:51:22 | 004,998,937 | R--- | C] (Swearware) -- C:\Documents and Settings\Ed\Desktop\ComboFix.exe
[2012/11/09 11:30:21 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Ed\Desktop\aswMBR.exe
[2012/11/09 11:21:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/11/09 11:19:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Desktop\RK_Quarantine
[2012/11/08 20:26:30 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Music
[2012/11/08 18:11:09 | 000,688,901 | R--- | C] (Swearware) -- C:\Documents and Settings\Ed\Desktop\dds.com
[2012/11/08 13:03:37 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2012/11/08 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/11/08 12:31:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\My Downloads
[2012/11/08 12:31:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Download Manager
[2012/11/08 12:31:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Download Manager
[2012/11/07 11:42:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/11/07 11:42:34 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/11/06 21:41:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\Funmoods
[2012/11/06 21:20:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\jdnetmon
[2012/11/06 21:09:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2012/11/06 21:00:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\Speed_Tester
[2012/11/06 20:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Start Menu\Programs\JDs Auto Speed Tester
[2012/11/06 20:53:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\jdast
[2012/11/06 20:53:57 | 000,000,000 | ---D | C] -- C:\Program Files\JDAST
[2012/11/06 20:52:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Local Settings\Application Data\Wajam
[2012/11/06 20:37:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\Downloads
[2012/10/31 21:49:22 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ed\Desktop\TDSSKiller.exe
[2012/10/22 19:15:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\Alica
[2012/10/21 10:40:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2012/10/21 10:40:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2012/10/21 10:39:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller

========== Files - Modified Within 30 Days ==========

[2012/11/09 23:03:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/09 22:30:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA1cce136bbbf1ed0.job
[2012/11/09 22:08:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cce136bb5afc0c.job
[2012/11/09 21:59:06 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/11/09 19:48:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\Desktop\OTL.exe
[2012/11/09 18:51:23 | 004,998,937 | R--- | M] (Swearware) -- C:\Documents and Settings\Ed\Desktop\ComboFix.exe
[2012/11/09 11:38:14 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\MBR.dat
[2012/11/09 11:30:21 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Ed\Desktop\aswMBR.exe
[2012/11/09 11:24:06 | 000,666,112 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\RogueKiller.exe
[2012/11/09 11:14:18 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ed\Desktop\TDSSKiller.exe
[2012/11/09 09:22:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/11/09 00:34:56 | 000,861,312 | ---- | M] () -- C:\WINDOWS\System32\sig.bin
[2012/11/09 00:34:56 | 000,046,027 | ---- | M] () -- C:\WINDOWS\System32\nmp.map
[2012/11/08 18:11:14 | 000,688,901 | R--- | M] (Swearware) -- C:\Documents and Settings\Ed\Desktop\dds.com
[2012/11/08 17:59:27 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\rr94c86h.exe
[2012/11/08 04:47:00 | 000,473,388 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/08 04:47:00 | 000,076,378 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/07 11:42:36 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/07 07:50:02 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/11/07 07:48:22 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\Microsoft Office Word 2003.lnk
[2012/11/06 20:56:18 | 000,001,582 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\JDs Auto Speed Tester.lnk
[2012/11/06 20:51:44 | 000,290,500 | ---- | M] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\funmoods-speeddial_sf.crx
[2012/11/04 21:05:53 | 000,002,405 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\Microsoft Office Picture Manager.lnk
[2012/11/01 21:17:22 | 000,002,423 | ---- | M] () -- C:\Documents and Settings\Ed\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Picture Manager.lnk

========== Files Created - No Company Name ==========

[2012/11/09 18:57:16 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/11/09 18:57:16 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/11/09 18:57:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/11/09 18:57:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/11/09 18:57:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/11/09 11:38:14 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\MBR.dat
[2012/11/09 11:24:05 | 000,666,112 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\RogueKiller.exe
[2012/11/08 17:59:26 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\rr94c86h.exe
[2012/11/07 11:42:36 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/06 20:54:00 | 000,001,582 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\JDs Auto Speed Tester.lnk
[2012/11/06 20:51:52 | 000,290,500 | ---- | C] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\funmoods-speeddial_sf.crx
[2012/07/14 12:19:06 | 000,079,520 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/02/14 22:26:49 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/12 17:31:24 | 000,861,312 | ---- | C] () -- C:\WINDOWS\System32\sig.bin
[2011/12/22 05:29:16 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/20 18:44:43 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/18 17:42:27 | 000,134,872 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/08 01:14:50 | 000,000,175 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/02/28 21:29:53 | 000,233,616 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-73586283-746137067-839522115-1004-0.dat
[2011/02/28 21:29:52 | 000,105,722 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/02/04 21:11:32 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/12/21 19:07:25 | 000,018,012 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

========== ZeroAccess Check ==========

[2011/02/28 19:33:46 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/09/14 15:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2010/12/14 06:03:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/02/11 17:17:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\G DATA
[2011/02/04 21:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/12/20 19:20:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/03/19 19:43:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2009/03/29 21:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/09/30 17:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/03/04 16:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\Canon
[2012/11/06 21:41:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\Funmoods
[2012/01/08 12:19:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\ieSpell
[2012/11/09 13:31:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\jdast
[2012/11/06 21:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\jdnetmon
[2012/03/19 20:21:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\TaxCut

========== Purity Check ==========


< End of report >
 
And:
OTL Extras logfile created on: 11/9/2012 11:07:55 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ed\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: | Country: | Language: | Date Format:

1.25 Gb Total Physical Memory | 1.02 Gb Available Physical Memory | 81.47% Memory free
2.98 Gb Paging File | 2.93 Gb Available in Paging File | 98.24% Paging File free
Paging file location(s): C:\pagefile.sys 1917 1917 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 17.02 Gb Free Space | 45.76% Space Free | Partition Type: NTFS

Computer Name: ED-NXAIBJWWPXN5 | User Name: Ed | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0F6F6876-6334-4977-B5DD-CFC12E193420}" = iTunes
"{10964A8F-21C1-45EA-BC2D-F84B505C3848}" = H&R Block Deluxe + Efile + State 2010
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216037FF}" = Java(TM) 6 Update 37
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{2DFC6D71-EBEC-4236-A13C-2E62307F4C3A}" = H&R Block Michigan 2010
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}" = Google SketchUp 8
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{631471BE-DEAB-454B-A9AC-CE3EB42C28B3}" = Microsoft ASP.NET Web Pages
"{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support
"{654977DB-0001-0002-0001-EABD228DDE8B}" = Microsoft Download Manager
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7E5CDECB-726B-4581-BA8C-5B11148C3FA5}" = G Data TotalSecurity 2012
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8398852A-7B61-4808-8F58-D0A40D1B2CB6}" = AVG 2012
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A47FD1BF-A815-4A76-BE65-53A15BD5D25D}" = Microsoft SQL Server System CLR Types
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{B692E59A-055C-43B7-BE0A-9C2FE0AB88B6}" = Microsoft SQL Server 2008 R2 Management Objects
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6006AED-E5A7-4F77-BAD5-95AC43DE04F3}" = H&R Block Deluxe + Efile + State 2011
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4DDFAA1-EC37-4529-AD5B-A433ADE68662}" = Apple Mobile Device Support
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"{DBB1F4ED-3212-4F58-A427-9C01DE4A24A5}_is1" = Uniblue SystemTweaker
"{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1" = Uniblue SpeedUpMyPC
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FEF7DCAB-7F2C-4EB1-93B8-96BDC4B5C8DD}" = H&R Block Michigan 2011
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"CAL" = Canon Camera Access Library
"CameraWindowDC8" = Canon Utilities CameraWindow DC 8
"CameraWindowLauncher" = Canon Utilities CameraWindow Launcher
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"CCleaner" = CCleaner
"DPP" = Canon Utilities Digital Photo Professional 3.10
"EOS Utility" = Canon Utilities EOS Utility
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ieSpell" = ieSpell
"JDs Auto Speed Tester" = JDs Auto Speed Tester
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MovieUploaderForYouTube" = Canon Utilities Movie Uploader for YouTube
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCamera Download Plugin" = CANON iMAGE GATEWAY MyCamera Download Plugin
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"Registry Mechanic_is1" = Registry Mechanic 10.0
"Secunia PSI" = Secunia PSI (2.0.0.4003)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/15/2012 12:33:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
Description = Faulting application acrord32.exe, version 10.1.3.23, faulting module
acrord32.dll, version 10.1.3.23, fault address 0x0018447f.

Error - 8/1/2012 10:29:50 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
Description = Faulting application msimn.exe, version 6.0.2900.5512, faulting module
mshtml.dll, version 8.0.6001.19258, fault address 0x001096ed.

Error - 8/19/2012 7:06:45 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
Description = Faulting application applemobilebackup.exe, version 17.1008.10.20,
faulting module corefoundation.dll, version 1.630.16.0, fault address 0x0006a26a.

Error - 9/17/2012 7:18:33 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
Description = Faulting application GDFwSvc.exe, version 4.1.11222.860, faulting
module GDFwSvc.exe, version 4.1.11222.860, fault address 0x00125f17.

Error - 9/29/2012 12:34:55 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = CardSpace 3.0.0.0 | ID = 327936
Description = An error occurred when communicating with the Windows CardSpace service.
An unknown exception has caused the request to fail. For more information, please
see the event log. Inner Exception: CryptProtectData failed while running as the
User account. Additional Information: Microsoft.InfoCards.CommunicationException:
An unknown exception has caused the request to fail. For more information, please
see the event log. ---> System.ComponentModel.Win32Exception: CryptProtectData
failed while running as the User account. at Microsoft.InfoCards.FileDataSource.EncryptAndSaveDPAPIKeyToHeader()
at Microsoft.InfoCards.FileDataSource.CreateEmptyStore() at Microsoft.InfoCards.FileDataSource.OnLoad()
at Microsoft.InfoCards.StoreConnection.Load() at Microsoft.InfoCards.StoreConnection.GetConnection(WindowsIdentity
identity, Boolean allowCreate) at Microsoft.InfoCards.StoreConnection.CreateConnection()
at Microsoft.InfoCards.ClientUIRequest.OnInitializeAsUser() at Microsoft.InfoCards.Request.Initialize()
--- End of inner exception stack trace ---

Error - 9/29/2012 12:34:55 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = CardSpace 3.0.0.0 | ID = 327949
Description = The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests. Additional Information: at System.Environment.GetStackTrace(Exception
e, Boolean needFileInfo) at System.Environment.get_StackTrace() at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException
ie) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception
e) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception
e) at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity
callerIdentity, Int32 tsSessionId) at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle
monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle,
IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error - 9/29/2012 12:34:55 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = CardSpace 3.0.0.0 | ID = 327937
Description = An error occurrred while accessing the card collection. Failed to
open store. Additional Information: at System.Environment.GetStackTrace(Exception
e, Boolean needFileInfo) at System.Environment.get_StackTrace() at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException
ie) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception
e) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception
e) at Microsoft.InfoCards.StoreConnection.GetConnection(WindowsIdentity identity,
Boolean allowCreate) at Microsoft.InfoCards.StoreConnection.GetConnection()
at Microsoft.InfoCards.GetUserPreferenceRequest.OnProcess() at Microsoft.InfoCards.Request.ProcessRequest()
at Microsoft.InfoCards.Request.DoProcessRequest(String& extendedMessage) at
Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle,
IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error - 10/16/2012 11:42:29 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
Description = Faulting application msimn.exe, version 6.0.2900.5512, faulting module
comctl32.dll, version 6.0.2900.6028, fault address 0x0007475b.

Error - 10/16/2012 11:42:36 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 11/8/2012 2:20:56 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Application Error | ID = 1000
Description = Faulting application AVKProxy.exe, version 1.5.11301.183, faulting
module AVKProxy.exe, version 1.5.11301.183, fault address 0x00039007.

[ System Events ]
Error - 11/9/2012 8:05:44 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 11/9/2012 11:08:03 PM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 11/10/2012 12:04:38 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips GDMnIcpt HookCentre intelppm IPSec NetBT OMCI RasAcd Tcpip WS2IFSL

Error - 11/10/2012 12:07:09 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/10/2012 12:07:29 AM | Computer Name = ED-NXAIBJWWPXN5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}


< End of report >
 
OTL logs are clean.

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

3. Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Next...

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

4. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.

5. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
Security Check:
Results of screen317's Security Check version 0.99.54
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG 2012
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (2.0.0.4003)
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Java(TM) 6 Update 37
Java version out of Date!
Adobe Reader X (10.1.4)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes' Anti-Malware mbamscheduler.exe
G Data TotalSecurity Firewall GDFirewallTray.exe
G Data TotalSecurity Firewall GDFwSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````

FarBar:

Farbar Service Scanner Version: 09-11-2012
Ran by Ed (administrator) on 10-11-2012 at 00:30:37
Running from "C:\Documents and Settings\Ed\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0B00000005000000010000000200000003000000040000000800000009000000560000005A0000000600000007000000
IpSec Tag value is correct.
**** End of log ****
 
# AdwCleaner v2.007 - Logfile created 11/10/2012 at 00:35:36
# Updated 06/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Ed - ED-NXAIBJWWPXN5
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Ed\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****
Folder Deleted : C:\Documents and Settings\Ed\Application Data\Funmoods
Folder Deleted : C:\Documents and Settings\Ed\Local Settings\Application Data\Wajam
Folder Deleted : C:\Program Files\Conduit
***** [Registry] *****
Key Deleted : HKCU\Software\Funmoods
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Funmoods
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0CtDtA0FtD0EyEtC0D0B0F0Ezy0B0BzytN0D0Tzu0CtAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://searchfunmoods.com/?f=2&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0CtDtA0FtD0EyEtC0D0B0F0Ezy0B0BzytN0D0Tzu0CtAtCtCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=152496871 --> hxxp://www.google.com
*************************
AdwCleaner[S1].txt - [3154 octets] - [10/11/2012 00:35:36]
########## EOF - C:\AdwCleaner[S1].txt - [3214 octets] ##########
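Added example, not part of the thread and not code from AdwCleaner: a small Python parser that turns an AdwCleaner log like the one above into indicators a responder can reuse (deleted folders and registry keys, every CLSID/GUID they contain, the SearchScopes GUIDs that hijacked the IE search provider, and the host the start page was pointed at). The sample log embedded below is constructed from a shortened subset of the entries in the log above; the function names are ours.

```python
"""Extract indicators from an AdwCleaner log (added example, not AdwCleaner's own code)."""
import re
from urllib.parse import urlparse

# {8-4-4-4-12} hex GUID as it appears in CLSID, AppID, Interface and SearchScopes keys
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "Folder Deleted : <path>" / "Key Deleted : <key>" lines
LINE_RE = re.compile(r"^(Folder|File|Key|Value) Deleted : (.+)$")
# "Replaced : [<setting>] = <old> --> <new>" lines in the [Internet Browsers] section
REPLACED_RE = re.compile(r"^Replaced : \[(.+?)\] = (\S+) --> (\S+)$")

# Constructed sample: a shortened subset of the AdwCleaner[S1].txt shown above.
SAMPLE_LOG = r"""***** [Files / Folders] *****
Folder Deleted : C:\Documents and Settings\Ed\Application Data\Funmoods
Folder Deleted : C:\Program Files\Conduit
***** [Registry] *****
Key Deleted : HKCU\Software\Funmoods
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
***** [Internet Browsers] *****
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://searchfunmoods.com/?f=1&a=download --> hxxp://www.google.com
"""


def _refang(url: str) -> str:
    """Logs write hxxp:// so URLs are not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_adwcleaner(text: str) -> dict:
    """Return folders, keys, replaced settings, GUIDs and hijack hosts found in the log."""
    parsed = {"folders": [], "keys": [], "replaced": [],
              "guids": set(), "hijacked_hosts": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            kind, target = m.groups()
            if kind == "Folder":
                parsed["folders"].append(target)
            elif kind == "Key":
                parsed["keys"].append(target)
            parsed["guids"].update(GUID_RE.findall(target))
            continue
        m = REPLACED_RE.match(line)
        if m:
            setting, old, new = m.groups()
            parsed["replaced"].append((setting, old, new))
            host = urlparse(_refang(old)).hostname
            if host:
                # the value AdwCleaner replaced is the one the adware installed
                parsed["hijacked_hosts"].add(host.lower())
    parsed["guids"] = sorted(parsed["guids"])
    return parsed


def hijacked_search_scopes(parsed: dict) -> list:
    """GUIDs of removed IE SearchScopes entries, i.e. the injected search providers."""
    return sorted({g for key in parsed["keys"] if "\\SearchScopes\\" in key
                   for g in GUID_RE.findall(key)})


if __name__ == "__main__":
    result = parse_adwcleaner(SAMPLE_LOG)
    print("GUIDs:", result["guids"])
    print("search scopes:", hijacked_search_scopes(result))
    print("start page hijack hosts:", sorted(result["hijacked_hosts"]))
```

The GUID list is what you would feed into a registry sweep of other machines (the same CLSIDs show up under HKCR, AppID and Interface), and the SearchScopes GUID explains the behaviour reported in this thread: a search provider installed under both HKCU and HKLM is listed in Manage Add-ons but keeps coming back until both keys are gone.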
 
ESET Log:
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP298\A0033430.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP299\A0033507.dll a variant of Win32/Toolbar.CrossRider.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F32A3879-B8DD-4E00-ABC9-14C9B2FD324E}\RP300\A0034157.exe Win32/DownloadAdmin.D application cleaned by deleting - quarantined
 
Just an update, I no longer see Funmoods when I open a new browser tab, and it is no longer listed in the search Add-ons. :) However, Live Search (Bing?) is now showing up as the default. In Manage Add-ons, I cannot change the default to Google. This was the same way that Funmoods was listed in the Add-on Manager.
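Added example, not written by anyone in this thread: a way to see from the registry itself which search provider IE is using and whether it points somewhere it should not, rather than relying on what Manage Add-ons shows. IE keeps each provider as a subkey of `HKCU\Software\Microsoft\Internet Explorer\SearchScopes` with `DisplayName` and `URL` values, and the provider in use in the `DefaultScope` value of the parent key. The script parses a `.reg` export of that key and flags any provider whose search host is not on an allow-list. The embedded export is constructed: the Funmoods GUID is the one AdwCleaner removed above, while the other GUID, the display names and the search URLs are made up for illustration, and the allow-list is an assumption you would set to the engines you actually use.

```python
"""Audit IE search providers from a .reg export (added example, not from the thread)."""
import re
from urllib.parse import urlparse

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')    # "Name"="string value"

# Constructed sample of what `reg export "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" scopes.reg`
# might produce on the affected machine. Only the Funmoods GUID is taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}]
"DisplayName"="Funmoods"
"URL"="http://searchfunmoods.com/results.php?q={searchTerms}"
"""

# Assumed allow-list: hosts you accept as search providers.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com"}


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for the string values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.groups()
            # .reg escapes quotes and backslashes inside REG_SZ values
            keys[current][name] = value.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_search_scopes(reg_text: str, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Report the default scope and any provider whose host is not allow-listed."""
    keys = parse_reg(reg_text)
    root = next((k for k in keys if k.upper().endswith("\\SEARCHSCOPES")), None)
    if root is None:
        raise ValueError("no SearchScopes key in export")
    default = keys[root].get("DefaultScope")
    scopes, suspicious = {}, []
    for path, values in keys.items():
        if not path.startswith(root + "\\"):
            continue
        guid = path[len(root) + 1:]
        host = (urlparse(values.get("URL", "")).hostname or "").lower()
        scopes[guid] = {"name": values.get("DisplayName", ""), "host": host}
        if host not in allowed_hosts:
            suspicious.append(guid)
    return {
        "default_scope": default,
        "default_host": scopes.get(default, {}).get("host"),
        "scopes": scopes,
        "suspicious": suspicious,
        "default_hijacked": default in suspicious,
    }


if __name__ == "__main__":
    report = audit_search_scopes(SAMPLE_REG)
    print("default provider:", report["default_scope"], report["default_host"])
    for guid in report["suspicious"]:
        print("not allow-listed:", guid, report["scopes"][guid])
```

`reg export` writes UTF-16LE, so open a real export with `encoding="utf-16"` before passing it in. A provider that is present under both HKCU and HKLM (as the AdwCleaner log above shows for Funmoods) needs both keys removed before Manage Add-ons will let you change the default, which is the symptom described in this post.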
 
AVG - Must have been some residual crud that was left behind. I ran the remover for 32 bit AVG 12. Should be good now?

Live Search is now gone from the search providers listed in the Manage Add-ons pop-up, and Google is set as default. So we are getting there. When I open IE (only the first instance) the Manage Add-ons pop-up opens automatically.

All else appears to be good ... no more funmoods!!
 
Good :)

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

==============================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. (Windows XP only) Run defrag at your convenience.

12. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

13. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

14. Please, let me know, how your computer is doing.
 
OTL Log:
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.ED-NXAIBJWWPXN5
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: Ed
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 20413509 bytes
->Java cache emptied: 1880 bytes
->Flash cache emptied: 761 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1266942 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 528 bytes

Total Files Cleaned = 21.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: Administrator.ED-NXAIBJWWPXN5
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: Ed
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: Administrator.ED-NXAIBJWWPXN5

User: All Users

User: Default User

User: Ed
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 11102012_184318
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
 
Thanks for your help Boni!!!

Problem is, you keep helping me fix this old thing (3rd time in 3 years) and then my better half won't let me get a new one!!:D
 