Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Generic Dropper.P, perhaps? - WMI not working properly folders not dis

Started by RichofCamelot , Jun 16 2012 06:20 AM

  • This topic is locked This topic is locked

#1
RichofCamelot
Posted 16 June 2012 - 06:20 AM

RichofCamelot

    Member

  • Member
  • PipPip
  • 46 posts
Any Help please?

I was running Malware bytes occasionally but with permanent Mcafee. Mcafee had an error and with their support I have removed and reloaded Mcafee 3 times, having removed Malwarebytes at their request. generic Dropper.p has been removed by Macafee in a file named desktop.ini

Now Microsoft fixit will not work an error occurs;

system information says "Can't collect information cannot access windows management information software. windows management files may be moved or missing;

Mcafee virtual technician says "Problem corrupt DAT issue"

My other symptoms are that I cannot fix the positions of icons on my desktop and folders do not remain as I put them (Icons for control panel and details for most others) despite many checks.

I have checked Ms system files by running SFC at the command prompt.

I have googled the problems individually but despite trying many of the proposed solutions I cannot seem to restore normality

Restore does not seem to work (WMI I suspect) and nor does stating in safe mode.

I suspect I had or have an infection and it is either still active or has changed my settings to leave me in this state.

Any help would be much appreciated Thank you

OTL Log:

OTL logfile created on: 16/06/12 11:44:16 - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Documents and Settings\richards\Desktop\TOOLS\Tools Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yy

1021.99 Mb Total Physical Memory | 310.77 Mb Available Physical Memory | 30.41% Memory free
2.07 Gb Paging File | 1.14 Gb Available in Paging File | 54.81% Paging File free
Paging file location(s): C:\pagefile.sys 1200 2400 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.06 Gb Total Space | 35.72 Gb Free Space | 38.38% Space Free | Partition Type: NTFS
Drive H: | 136.73 Gb Total Space | 35.40 Gb Free Space | 25.89% Space Free | Partition Type: NTFS
Drive M: | 136.73 Gb Total Space | 35.40 Gb Free Space | 25.89% Space Free | Partition Type: NTFS
Drive O: | 136.73 Gb Total Space | 35.40 Gb Free Space | 25.89% Space Free | Partition Type: NTFS

Computer Name: CAMELOT | User Name: richards | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/16 11:42:37 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\richards\Desktop\TOOLS\Tools Downloads\OTL.exe
PRC - [2012/06/14 13:14:30 | 000,159,608 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2012/03/21 21:16:10 | 001,318,816 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2012/03/20 13:05:00 | 000,161,632 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2012/03/20 13:04:32 | 000,166,288 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2012/02/15 17:10:32 | 012,319,504 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Outlook\OFFICE11\WINWORD.EXE
PRC - [2011/11/11 17:26:16 | 000,010,752 | ---- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
PRC - [2011/11/11 17:26:06 | 000,188,416 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
PRC - [2011/11/11 17:25:40 | 000,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2011/11/11 17:24:23 | 000,315,392 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\common\DataServer.exe
PRC - [2011/11/11 17:24:21 | 001,433,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2011/11/11 17:24:16 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2011/11/11 17:24:14 | 000,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2010/11/30 14:16:18 | 000,029,184 | ---- | M] () -- C:\MBL\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe
PRC - [2010/10/27 20:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/08/25 11:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/06/23 18:17:12 | 000,196,440 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Outlook\OFFICE11\OUTLOOK.EXE
PRC - [2009/12/07 12:56:00 | 001,584,640 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe
PRC - [2009/09/25 10:14:37 | 001,369,792 | ---- | M] (TrueCrypt Foundation) -- C:\Program Files\TrueCrypt\truecrypt.exe
PRC - [2008/04/14 01:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/14 13:28:03 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/06/14 09:18:13 | 001,712,128 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\359fd69eb60e9844ffd497e92345178c\Microsoft.VisualBasic.ni.dll
MOD - [2012/06/14 08:36:56 | 003,186,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012/06/14 08:36:50 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/06/14 08:36:48 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2012/06/14 08:36:23 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2012/06/14 08:36:21 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/06/14 08:36:18 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2012/06/14 08:36:11 | 000,659,456 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
MOD - [2012/06/14 08:35:56 | 000,839,680 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
MOD - [2012/06/14 08:35:52 | 005,246,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
MOD - [2012/05/12 17:41:57 | 000,998,400 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\9080c8e8e7b6dfb502c1328673d636f8\System.Management.ni.dll
MOD - [2012/05/12 17:39:02 | 000,679,936 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\129b15861e200613ff78ae15581f9093\System.Security.ni.dll
MOD - [2012/05/12 17:38:55 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012/05/12 08:35:27 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/05/12 08:32:37 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/05/12 08:32:26 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2012/03/05 21:03:44 | 000,175,616 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\fb87e9e7\00ad4c0b_aa97cb01\MBSchemeManager.DLL
MOD - [2012/03/05 21:03:44 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\6d6eb4e6\004d5d2a_0b3acb01\MBQuickCalculatorManager.DLL
MOD - [2012/03/05 21:03:43 | 000,061,440 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\638a1b1b\002960ec_0a3acb01\MBLenderPanelData.DLL
MOD - [2012/03/05 21:03:43 | 000,053,248 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\de46c531\003ddfcd_7b59cb01\MBSettingsData.DLL
MOD - [2012/03/05 21:03:43 | 000,045,056 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\1087cab2\0091e9f5_0a3acb01\MBProcFeeData.DLL
MOD - [2012/03/05 21:03:43 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\a94a4ec5\005671f0_7b59cb01\MBSettingsManager.DLL
MOD - [2012/03/05 21:03:42 | 000,168,960 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\21540dac\00791824_17accb01\MBScheme.DLL
MOD - [2012/03/05 21:03:42 | 000,065,536 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\3d264949\00f1c3cf_0a3acb01\MBCompanyData.DLL
MOD - [2012/03/05 21:03:42 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\52053979\000287c5_7b59cb01\MBKFIData.DLL
MOD - [2012/03/05 21:03:41 | 000,413,696 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\c7e46120\00a202ee_f45fcb01\MBKFIManager.DLL
MOD - [2012/03/05 21:03:40 | 000,065,536 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\1a6e6ad9\0048a0eb_f45fcb01\MBDocumentManager.DLL
MOD - [2012/03/05 21:03:40 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\cea5eacc\00120522_0b3acb01\MBProcFeeManager.DLL
MOD - [2012/03/05 21:03:40 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\78139e24\002fdf8a_1075cb01\mbMTEForms.DLL
MOD - [2012/03/05 21:03:40 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\1a9d2087\004ee984_1075cb01\MBLenderManager.DLL
MOD - [2012/03/05 21:03:39 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\29e0446b\00e5d320_0b3acb01\MBLenderPanelManager.DLL
MOD - [2012/03/05 21:03:39 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\14981b07\002fd8c3_0a3acb01\MBEventLogManager.DLL
MOD - [2012/03/05 21:03:37 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\4d71d4fe\00ee196e_571fcb01\mbHost.DLL
MOD - [2012/03/05 21:02:42 | 000,065,536 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\a7d2e126\00d575c1_0a3acb01\mbGeneric.DLL
MOD - [2012/03/05 21:02:41 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\0e4a2cdb\001b4b6f_571fcb01\mbSystemManager.DLL
MOD - [2011/11/11 17:26:06 | 000,188,416 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
MOD - [2011/11/02 00:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/11/02 00:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/11/30 14:16:18 | 000,029,184 | ---- | M] () -- C:\MBL\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe
MOD - [2010/06/11 07:59:37 | 005,967,872 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
MOD - [2010/06/11 07:59:35 | 000,970,752 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
MOD - [2010/06/11 07:59:34 | 000,438,272 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll
MOD - [2010/06/11 07:59:34 | 000,110,592 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMDiagnostics.dll
MOD - [2009/08/15 03:17:24 | 000,139,264 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml.Linq\3.5.0.0__b77a5c561934e089\System.Xml.Linq.dll
MOD - [2009/08/15 03:17:17 | 000,667,648 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
MOD - [2009/08/15 03:17:06 | 000,507,904 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.WorkflowServices\3.5.0.0__31bf3856ad364e35\System.WorkflowServices.dll
MOD - [2009/08/15 03:17:05 | 000,569,344 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel.Web\3.5.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll
MOD - [2009/08/05 10:45:04 | 000,106,312 | ---- | M] () -- C:\Program Files\Microsoft Outlook\OFFICE11\OUTLCTL.DLL
MOD - [2009/01/18 16:50:02 | 000,417,792 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\AdobeXMP.dll
MOD - [2008/03/25 05:50:40 | 000,355,112 | ---- | M] () -- C:\WINDOWS\system32\msjetoledb40.dll
MOD - [2006/03/09 12:25:24 | 000,286,720 | ---- | M] () -- C:\WINDOWS\system32\wxvault.dll
MOD - [2006/03/09 12:24:10 | 000,004,096 | ---- | M] () -- C:\WINDOWS\system32\detoured.dll
MOD - [2006/03/09 12:17:46 | 000,038,400 | ---- | M] () -- C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WxEtsEula.dll
MOD - [2006/01/19 15:14:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2005/12/28 12:11:34 | 000,876,544 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\Libeay32.dll
MOD - [2005/12/28 12:11:34 | 000,208,965 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
MOD - [2005/12/28 12:11:34 | 000,053,322 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\IntStngs.dll
MOD - [2005/11/30 13:33:06 | 000,348,160 | ---- | M] () -- C:\WINDOWS\system32\Tsp.dll
MOD - [2005/11/30 13:33:06 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\TspPopup_ENU.dll
MOD - [2004/07/20 17:04:02 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\TosBtHcrpAPI.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/06/14 13:14:30 | 000,159,608 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2012/04/19 08:21:16 | 000,361,976 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2012/03/20 13:05:00 | 000,161,632 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2012/03/20 13:04:32 | 000,166,288 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2012/02/29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/11/11 17:26:16 | 000,010,752 | ---- | M] (Vodafone) [Auto | Running] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2011/11/11 17:26:06 | 000,188,416 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2011/11/11 17:25:40 | 000,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2011/11/11 17:24:23 | 000,315,392 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\common\DataServer.exe -- (DataSvr2)
SRV - [2011/11/11 17:24:21 | 001,433,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2011/11/11 17:24:19 | 003,883,432 | ---- | M] (CANON INC.) [Disabled | Stopped] -- C:\Program Files\Canon\DIAS\CnxDIAS.exe -- (Canon Driver Information Assist Service)
SRV - [2011/11/11 17:24:16 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2011/11/11 17:24:14 | 000,262,217 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2011/06/13 22:09:22 | 000,267,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe -- (MatSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/11/30 14:16:18 | 000,029,184 | ---- | M] () [Auto | Running] -- C:\MBL\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe -- (MBServiceHost)
SRV - [2008/04/14 01:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Start_Pending] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/14 01:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Start_Pending] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/14 01:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2008/04/14 01:12:02 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2008/04/14 01:11:55 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
SRV - [2007/06/15 17:55:00 | 000,300,544 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2005/09/30 19:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/08/30 17:36:00 | 000,188,416 | ---- | M] (Cambridge Silicon Radio) [Disabled | Stopped] -- C:\Program Files\BlueTooth\HidSwitchService\HidSw.exe -- (Bluetooth Hid Switch Service)
SRV - [2000/02/10 12:04:34 | 000,356,352 | ---- | M] (Iomega Corporation) [Auto | Stopped] -- C:\WINDOWS\System32\ZipToA.exe -- (ZipToA)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tfju17xkb.sys -- (tfju17xkb.sys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mfeavfk01)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/06/14 13:14:30 | 000,475,704 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2012/06/14 13:14:30 | 000,087,656 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2012/02/22 13:29:46 | 000,340,920 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2012/02/22 13:29:46 | 000,180,848 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2012/02/22 13:29:46 | 000,121,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2012/02/22 13:29:46 | 000,089,792 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2012/02/22 13:29:46 | 000,083,856 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2012/02/22 13:29:46 | 000,083,856 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2012/02/22 13:29:46 | 000,059,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2012/02/22 13:29:46 | 000,057,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/05/19 17:00:24 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/05/19 17:00:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/02/11 13:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/09/25 10:14:37 | 000,217,664 | ---- | M] (TrueCrypt Foundation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2009/09/25 10:12:30 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/07/23 13:57:22 | 000,112,640 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/07/23 13:57:22 | 000,102,528 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/07/23 13:57:22 | 000,100,480 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbfake.sys -- (hwusbfake)
DRV - [2008/05/08 15:02:52 | 000,203,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST)
DRV - [2008/04/13 19:39:44 | 000,092,544 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC)
DRV - [2008/02/27 14:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2006/12/13 08:44:49 | 000,008,544 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\ddnt.sys -- (ddnt)
DRV - [2006/12/06 00:39:13 | 001,964,064 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX3000.sys -- (VX3000)
DRV - [2006/02/10 03:31:00 | 000,039,936 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2006/01/20 23:08:00 | 000,108,928 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (Tosrfbd)
DRV - [2006/01/11 23:29:42 | 000,062,848 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfhid.sys -- (Tosrfhid)
DRV - [2005/12/28 13:22:08 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/12/09 15:35:00 | 000,018,816 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PBADRV.sys -- (PBADRV)
DRV - [2005/12/05 06:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/11/22 15:47:00 | 000,047,104 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/11/16 21:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/11/10 16:25:14 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/09/29 01:57:18 | 000,113,847 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2005/09/15 23:06:08 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/01 21:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2005/07/11 23:58:56 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\toshidpt.sys -- (toshidpt)
DRV - [2005/05/13 22:27:56 | 000,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)
DRV - [2005/04/06 14:54:44 | 000,050,048 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfsnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
DRV - [2005/01/06 19:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/07/22 18:21:38 | 000,268,874 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2003/08/28 22:40:26 | 000,189,792 | ---- | M] (Zone Labs Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2003/07/24 19:55:50 | 000,139,604 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/05/01 14:26:34 | 000,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [1998/09/12 09:59:48 | 000,837,696 | ---- | M] (Nokia Mobile Phones Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\NokiaSuite3.sys -- (NokiaSuite3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.bt.com/business/login
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {5C751A3C-901B-45E2-AEF3-E7FC7ADDC77D}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{5C751A3C-901B-45E2-AEF3-E7FC7ADDC77D}: "URL" = http://www.google.co...&rlz=1I7ADFA_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.btbroadba...e.com/homepage"
FF - prefs.js..extensions.enabledItems: {4ED1F68A-5463-4931-9384-8FFF5ED91D92}:3.4.1
FF - prefs.js..keyword.URL: "http://uk.search.yah...h?fr=mcafee&p="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 58727
FF - prefs.js..network.proxy.type: 1


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT: C:\Program Files\McAfee\Supportability\MVT\npmvtplugin.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/06/13 11:54:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/10 16:54:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/11 12:04:31 | 000,000,000 | ---D | M]

[2010/03/11 15:56:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\richards\Application Data\Mozilla\Extensions
[2010/09/22 15:37:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\richards\Application Data\Mozilla\Firefox\Profiles\bd1egsa0.default\extensions
[2010/08/04 15:52:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\richards\Application Data\Mozilla\Firefox\Profiles\bd1egsa0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/05/02 11:18:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/02 11:18:40 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/06/13 11:54:04 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2007/02/05 00:02:56 | 001,642,496 | ---- | M] (LizardTech) -- C:\Program Files\mozilla firefox\plugins\npdjvu.dll
[2010/01/16 01:55:13 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/01/16 01:55:13 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/16 01:55:13 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/09/15 12:47:35 | 000,002,027 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
[2010/01/16 01:55:13 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/06/04 23:37:59 | 000,000,771 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20120611084309.dll (McAfee, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon File not found
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Halifax GI - Intermediaries] c:\Program Files\Halifax GI - Intermediaries\Halifax GI - Intermediaries.exe (F1 Computer System Limited)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MobileConnect] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [McAfee Update] C:\DOCUME~1\richards\LOCALS~1\Temp\mcupdate_1338980300.exe /insfin C:\DOCUME~1\richards\LOCALS~1\Temp\mcupdate_1338980301.ini /syncfin File not found
O4 - HKCU..\Run: [TrueCrypt] C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Outlook\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000041 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000042 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000043 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000044 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000045 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000046 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000047 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000050 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000051 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000052 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000053 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000054 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKCU\..Trusted Domains: aegonse.co.uk ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: logmeinrescue.com ([secure] https in Trusted sites)
O15 - HKCU\..Trusted Domains: Servant ([]file in Local intranet)
O15 - HKCU\..Trusted Domains: uk.com ([apps.openwork] https in Trusted sites)
O15 - HKCU\..Trusted Domains: uk.com ([prodexternaldpos.openwork] https in Trusted sites)
O15 - HKCU\..Trusted Domains: uk.com ([prodexternaltandc.openwork] https in Trusted sites)
O15 - HKCU\..Trusted Domains: uk.com ([www.openwork] https in Trusted sites)
O15 - HKCU\..Trusted Domains: unipass.co.uk ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: unipass.co.uk ([www] https in Trusted sites)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LFS.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{83CC34E2-6410-4E26-A9DD-CF65FA965E5E}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5c964bb2-4607-11df-be68-0016415d0ef9}\Shell - "" = AutoRun
O33 - MountPoints2\{5c964bb2-4607-11df-be68-0016415d0ef9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5c964bb2-4607-11df-be68-0016415d0ef9}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{d8abde70-09bf-11df-bdbf-0016415d0ef9}\Shell - "" = AutoRun
O33 - MountPoints2\{d8abde70-09bf-11df-bdbf-0016415d0ef9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d8abde70-09bf-11df-bdbf-0016415d0ef9}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{d8abde72-09bf-11df-bdbf-0016415d0ef9}\Shell - "" = AutoRun
O33 - MountPoints2\{d8abde72-09bf-11df-bdbf-0016415d0ef9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d8abde72-09bf-11df-bdbf-0016415d0ef9}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe /checkApplicationPresence
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/16 11:02:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Application Data\DriverCure
[2012/06/16 11:02:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Application Data\SpeedMaxPc
[2012/06/16 11:01:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SpeedMaxPc
[2012/06/16 10:07:55 | 000,000,000 | ---D | C] -- C:\WMI Diagnostics
[2012/06/16 09:32:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2012/06/14 15:42:07 | 000,116,224 | ---- | C] (Xerox) -- C:\WINDOWS\System32\dllcache\xrxwiadr.dll
[2012/06/14 15:42:03 | 000,023,040 | ---- | C] (Xerox Corporation) -- C:\WINDOWS\System32\dllcache\xrxwbtmp.dll
[2012/06/14 15:39:11 | 000,099,865 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\xlog.exe
[2012/06/14 15:39:07 | 000,016,970 | ---- | C] (US Robotics MCD (Megahertz)) -- C:\WINDOWS\System32\dllcache\xem336n5.sys
[2012/06/14 15:38:01 | 000,154,624 | ---- | C] (Lucent Technologies) -- C:\WINDOWS\System32\dllcache\wlluc48.sys
[2012/06/14 15:37:57 | 000,034,890 | ---- | C] (Raytheon Corp.) -- C:\WINDOWS\System32\dllcache\wlandrv2.sys
[2012/06/14 15:37:43 | 000,771,581 | ---- | C] (Rockwell) -- C:\WINDOWS\System32\dllcache\winacisa.sys
[2012/06/14 15:37:17 | 000,035,871 | ---- | C] (Winbond Electronics Corp.) -- C:\WINDOWS\System32\dllcache\wbfirdma.sys
[2012/06/14 15:36:58 | 000,016,925 | ---- | C] (Winbond Electronics Corporation) -- C:\WINDOWS\System32\dllcache\w940nd.sys
[2012/06/14 15:36:54 | 000,019,016 | ---- | C] (Winbond Electronics Corporation) -- C:\WINDOWS\System32\dllcache\w926nd.sys
[2012/06/14 15:36:50 | 000,019,528 | ---- | C] (Winbond Electronics Corporation) -- C:\WINDOWS\System32\dllcache\w840nd.sys
[2012/06/14 15:36:43 | 000,064,605 | ---- | C] (PCtel, Inc.) -- C:\WINDOWS\System32\dllcache\vvoice.sys
[2012/06/14 15:36:38 | 000,397,502 | ---- | C] (PCtel, Inc.) -- C:\WINDOWS\System32\dllcache\vpctcom.sys
[2012/06/14 15:36:33 | 000,604,253 | ---- | C] (PCTEL, INC.) -- C:\WINDOWS\System32\dllcache\vmodem.sys
[2012/06/14 15:36:29 | 000,249,402 | ---- | C] (Xircom) -- C:\WINDOWS\System32\dllcache\vinwm.sys
[2012/06/14 15:36:07 | 000,765,884 | ---- | C] (U.S. Robotics, Inc.) -- C:\WINDOWS\System32\dllcache\usrti.sys
[2012/06/14 15:35:46 | 000,794,399 | ---- | C] (U.S. Robotics, Inc.) -- C:\WINDOWS\System32\dllcache\usr1806v.sys
[2012/06/14 15:35:42 | 000,793,598 | ---- | C] (U.S. Robotics, Inc.) -- C:\WINDOWS\System32\dllcache\usr1806.sys
[2012/06/14 15:35:38 | 000,794,654 | ---- | C] (U.S. Robotics, Inc.) -- C:\WINDOWS\System32\dllcache\usr1801.sys
[2012/06/14 15:35:21 | 000,032,384 | ---- | C] (KLSI USA, Inc.) -- C:\WINDOWS\System32\dllcache\usb101et.sys
[2012/06/14 15:34:51 | 000,050,688 | ---- | C] (UMAX DATA SYSTEMS INC.) -- C:\WINDOWS\System32\dllcache\umaxscan.dll
[2012/06/14 15:34:37 | 000,211,968 | ---- | C] (UMAX Data Systems Inc.) -- C:\WINDOWS\System32\dllcache\um54scan.dll
[2012/06/14 15:34:33 | 000,216,064 | ---- | C] (UMAX Data Systems Inc.) -- C:\WINDOWS\System32\dllcache\um34scan.dll
[2012/06/14 15:34:15 | 000,166,784 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\tridxpm.sys
[2012/06/14 15:34:11 | 000,525,568 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\tridxp.dll
[2012/06/14 15:34:07 | 000,159,232 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\tridkbm.sys
[2012/06/14 15:34:04 | 000,440,576 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\tridkb.dll
[2012/06/14 15:34:00 | 000,222,336 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\trid3dm.sys
[2012/06/14 15:33:57 | 000,315,520 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\trid3d.dll
[2012/06/14 15:33:18 | 000,123,995 | ---- | C] (Tiger Jet Network) -- C:\WINDOWS\System32\dllcache\tjisdn.sys
[2012/06/14 15:33:08 | 000,138,528 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\tgiulnt5.sys
[2012/06/14 15:33:05 | 000,081,408 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\tgiul50.dll
[2012/06/14 15:32:58 | 000,149,376 | ---- | C] (M-Systems) -- C:\WINDOWS\System32\dllcache\tffsport.sys
[2012/06/14 15:32:52 | 000,017,129 | ---- | C] (TDK Corporation) -- C:\WINDOWS\System32\dllcache\tdkcd31.sys
[2012/06/14 15:32:48 | 000,037,961 | ---- | C] (TDK Corporation) -- C:\WINDOWS\System32\dllcache\tdk100b.sys
[2012/06/14 15:32:30 | 000,036,640 | ---- | C] (Number Nine Visual Technology Corp.) -- C:\WINDOWS\System32\dllcache\t2r4mini.sys
[2012/06/14 15:32:27 | 000,172,768 | ---- | C] (Number Nine Visual Technology) -- C:\WINDOWS\System32\dllcache\t2r4disp.dll
[2012/06/14 15:31:18 | 000,155,648 | ---- | C] (Stallion Technologies) -- C:\WINDOWS\System32\dllcache\stlnprop.dll
[2012/06/14 15:31:15 | 000,053,248 | ---- | C] (Stallion Technologies) -- C:\WINDOWS\System32\dllcache\stlncoin.dll
[2012/06/14 15:31:12 | 000,285,760 | ---- | C] (Stallion Technologies) -- C:\WINDOWS\System32\dllcache\stlnata.sys
[2012/06/14 15:31:00 | 000,016,896 | ---- | C] (SCM Microsystems, Inc.) -- C:\WINDOWS\System32\dllcache\stcusb.sys
[2012/06/14 15:30:47 | 000,048,736 | ---- | C] (3Com) -- C:\WINDOWS\System32\dllcache\srwlnd5.sys
[2012/06/14 15:29:04 | 000,058,368 | ---- | C] (Silicon Motion Inc.) -- C:\WINDOWS\System32\dllcache\smiminib.sys
[2012/06/14 15:29:00 | 000,147,200 | ---- | C] (Silicon Motion Inc.) -- C:\WINDOWS\System32\dllcache\smidispb.dll
[2012/06/14 15:28:50 | 000,025,034 | ---- | C] (SMC Networks, Inc.) -- C:\WINDOWS\System32\dllcache\smcpwr2n.sys
[2012/06/14 15:28:41 | 000,035,913 | ---- | C] (SMC) -- C:\WINDOWS\System32\dllcache\smcirda.sys
[2012/06/14 15:28:32 | 000,024,576 | ---- | C] (SMC Networks, Inc.) -- C:\WINDOWS\System32\dllcache\smc8000n.sys
[2012/06/14 15:27:58 | 000,063,547 | ---- | C] (Symbol Technologies) -- C:\WINDOWS\System32\dllcache\sla30nd5.sys
[2012/06/14 15:27:49 | 000,091,294 | ---- | C] (SysKonnect, a business unit of Schneider & Koch & Co. Datensysteme GmbH.) -- C:\WINDOWS\System32\dllcache\skfpwin.sys
[2012/06/14 15:27:40 | 000,094,698 | ---- | C] (SysKonnect GmbH.) -- C:\WINDOWS\System32\dllcache\sk98xwin.sys
[2012/06/14 15:27:23 | 000,032,768 | ---- | C] (SiS Corporation) -- C:\WINDOWS\System32\dllcache\sisnic.sys
[2012/06/14 15:26:23 | 000,161,568 | ---- | C] (Micro Systemation) -- C:\WINDOWS\System32\dllcache\sgsmusb.sys
[2012/06/14 15:26:14 | 000,018,400 | ---- | C] (Micro Systemation) -- C:\WINDOWS\System32\dllcache\sgsmld.sys
[2012/06/14 15:26:05 | 000,098,080 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\sgiulnt5.sys
[2012/06/14 15:26:02 | 000,386,560 | ---- | C] (Trident Microsystems Inc.) -- C:\WINDOWS\System32\dllcache\sgiul50.dll
[2012/06/14 15:25:02 | 000,017,280 | ---- | C] (SCM Microsystems) -- C:\WINDOWS\System32\dllcache\scr111.sys
[2012/06/14 15:24:42 | 000,023,936 | ---- | C] (OMNIKEY AG) -- C:\WINDOWS\System32\dllcache\sccmusbm.sys
[2012/06/14 15:24:34 | 000,023,936 | ---- | C] (OMNIKEY AG) -- C:\WINDOWS\System32\dllcache\sccmn50m.sys
[2012/06/14 15:24:04 | 000,077,824 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3sav4m.sys
[2012/06/14 15:24:01 | 000,198,400 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3sav4.dll
[2012/06/14 15:23:52 | 000,061,504 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3sav3dm.sys
[2012/06/14 15:23:49 | 000,179,264 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3sav3d.dll
[2012/06/14 15:23:46 | 000,210,496 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3mvirge.dll
[2012/06/14 15:23:43 | 000,062,496 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3mtrio.dll
[2012/06/14 15:23:33 | 000,041,216 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3mt3d.sys
[2012/06/14 15:23:30 | 000,182,272 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3mt3d.dll
[2012/06/14 15:23:21 | 000,166,720 | ---- | C] (S3 Incorporated) -- C:\WINDOWS\System32\dllcache\s3m.sys
[2012/06/14 15:23:06 | 000,082,432 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia450.dll
[2012/06/14 15:23:03 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia430.dll
[2012/06/14 15:23:03 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2012/06/14 15:23:03 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2012/06/14 15:23:02 | 000,029,696 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rw450ext.dll
[2012/06/14 15:23:01 | 000,027,648 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rw430ext.dll
[2012/06/14 15:22:42 | 000,009,216 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\rsmgrstr.dll
[2012/06/14 15:22:30 | 000,079,104 | ---- | C] (Comtrol Corporation) -- C:\WINDOWS\System32\dllcache\rocket.sys
[2012/06/14 15:22:24 | 000,037,563 | ---- | C] (RadioLAN) -- C:\WINDOWS\System32\dllcache\rlnet5.sys
[2012/06/14 15:22:14 | 000,086,097 | ---- | C] (Xircom) -- C:\WINDOWS\System32\dllcache\reslog32.dll
[2012/06/14 15:21:46 | 000,714,762 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\r2mdmkxx.sys
[2012/06/14 15:21:43 | 000,899,146 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\r2mdkxga.sys
[2012/06/14 15:21:21 | 000,130,942 | ---- | C] (PCTEL, INC.) -- C:\WINDOWS\System32\dllcache\ptserlv.sys
[2012/06/14 15:21:18 | 000,112,574 | ---- | C] (PCTEL, INC.) -- C:\WINDOWS\System32\dllcache\ptserlp.sys
[2012/06/14 15:21:15 | 000,128,286 | ---- | C] (PCTEL, INC.) -- C:\WINDOWS\System32\dllcache\ptserli.sys
[2012/06/14 15:21:01 | 000,016,128 | ---- | C] (SCM Microsystems, Inc.) -- C:\WINDOWS\System32\dllcache\pscr.sys
[2012/06/14 15:20:04 | 000,086,016 | ---- | C] (PCtel, Inc.) -- C:\WINDOWS\System32\dllcache\pctspk.exe
[2012/06/14 15:19:52 | 000,026,153 | ---- | C] (Linksys) -- C:\WINDOWS\System32\dllcache\pcmlm56.sys
[2012/06/14 15:19:50 | 000,029,502 | ---- | C] (Marconi Communications, Inc.) -- C:\WINDOWS\System32\dllcache\pca200e.sys
[2012/06/14 15:19:47 | 000,030,495 | ---- | C] (Linksys) -- C:\WINDOWS\System32\dllcache\pc100nds.sys
[2012/06/14 15:19:07 | 000,054,186 | ---- | C] (Ositech Communications, Inc.) -- C:\WINDOWS\System32\dllcache\otcsercb.sys
[2012/06/14 15:19:04 | 000,043,689 | ---- | C] (Ositech Communications, Inc.) -- C:\WINDOWS\System32\dllcache\otceth5.sys
[2012/06/14 15:19:01 | 000,027,209 | ---- | C] (Ositech Communications, Inc.) -- C:\WINDOWS\System32\dllcache\otc06x5.sys
[2012/06/14 15:18:57 | 000,054,528 | ---- | C] (Yamaha Corp.) -- C:\WINDOWS\System32\dllcache\opl3sax.sys
[2012/06/14 15:18:30 | 000,051,552 | ---- | C] (Kensington Technology Group) -- C:\WINDOWS\System32\dllcache\ntgrip.sys
[2012/06/14 15:18:16 | 000,087,040 | ---- | C] (NeoMagic Corporation) -- C:\WINDOWS\System32\dllcache\nm6wdm.sys
[2012/06/14 15:18:13 | 000,126,080 | ---- | C] (NeoMagic Corporation) -- C:\WINDOWS\System32\dllcache\nm5a2wdm.sys
[2012/06/14 15:18:07 | 000,132,695 | ---- | C] (802.11b) -- C:\WINDOWS\System32\dllcache\netwlan5.sys
[2012/06/14 15:17:56 | 000,039,264 | ---- | C] (NeoMagic Corporation) -- C:\WINDOWS\System32\dllcache\neo20xx.sys
[2012/06/14 15:17:53 | 000,060,480 | ---- | C] (NeoMagic Corporation) -- C:\WINDOWS\System32\dllcache\neo20xx.dll
[2012/06/14 15:17:43 | 000,091,488 | ---- | C] (Number Nine Visual Technology Corp.) -- C:\WINDOWS\System32\dllcache\n9i3disp.dll
[2012/06/14 15:17:40 | 000,027,936 | ---- | C] (Number Nine Visual Technology Corp.) -- C:\WINDOWS\System32\dllcache\n9i3d.sys
[2012/06/14 15:17:37 | 000,033,088 | ---- | C] (Number Nine Visual Technology Corp.) -- C:\WINDOWS\System32\dllcache\n9i128v2.sys
[2012/06/14 15:17:35 | 000,059,104 | ---- | C] (Number Nine Visual Technology Corp.) -- C:\WINDOWS\System32\dllcache\n9i128v2.dll
[2012/06/14 15:17:32 | 000,013,664 | ---- | C] (Number Nine Visual Technology Corp.) -- C:\WINDOWS\System32\dllcache\n9i128.sys
[2012/06/14 15:17:29 | 000,035,392 | ---- | C] (Number Nine Visual Technology Corp.) -- C:\WINDOWS\System32\dllcache\n9i128.dll
[2012/06/14 15:17:20 | 000,075,520 | ---- | C] (Moxa Technologies Co., Ltd.) -- C:\WINDOWS\System32\dllcache\mxport.sys
[2012/06/14 15:17:17 | 000,007,168 | ---- | C] (Moxa Technologies Co., Ltd) -- C:\WINDOWS\System32\dllcache\mxport.dll
[2012/06/14 15:17:14 | 000,019,968 | ---- | C] (Macronix International Co., Ltd. ) -- C:\WINDOWS\System32\dllcache\mxnic.sys
[2012/06/14 15:17:12 | 000,019,968 | ---- | C] (Moxa Technologies Co., Ltd) -- C:\WINDOWS\System32\dllcache\mxicfg.dll
[2012/06/14 15:17:09 | 000,021,888 | ---- | C] (Moxa Technologies Co., Ltd.) -- C:\WINDOWS\System32\dllcache\mxcard.sys
[2012/06/14 15:15:26 | 000,164,586 | ---- | C] (Madge Networks Ltd) -- C:\WINDOWS\System32\dllcache\mdgndis5.sys
[2012/06/14 15:14:53 | 000,797,500 | ---- | C] (LT) -- C:\WINDOWS\System32\dllcache\ltsmt.sys
[2012/06/14 15:14:51 | 000,802,683 | ---- | C] (Lucent Technologies) -- C:\WINDOWS\System32\dllcache\ltsm.sys
[2012/06/14 15:14:49 | 000,420,992 | ---- | C] (LT) -- C:\WINDOWS\System32\dllcache\ltmdmntt.sys
[2012/06/14 15:14:47 | 000,576,746 | ---- | C] (LT) -- C:\WINDOWS\System32\dllcache\ltmdmntl.sys
[2012/06/14 15:14:46 | 000,606,684 | ---- | C] (LT) -- C:\WINDOWS\System32\dllcache\ltmdmnt.sys
[2012/06/14 15:14:43 | 000,727,786 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\ltck000c.sys
[2012/06/14 15:14:31 | 000,070,730 | ---- | C] (Linksys Group, Inc.) -- C:\WINDOWS\System32\dllcache\lne100tx.sys
[2012/06/14 15:14:28 | 000,020,573 | ---- | C] (The Linksts Group ) -- C:\WINDOWS\System32\dllcache\lne100.sys
[2012/06/14 15:14:23 | 000,025,065 | ---- | C] (D-Link) -- C:\WINDOWS\System32\dllcache\lmndis3.sys
[2012/06/14 15:14:20 | 000,015,744 | ---- | C] (Litronic Industries) -- C:\WINDOWS\System32\dllcache\lit220p.sys
[2012/06/14 15:14:14 | 000,026,442 | ---- | C] (SMSC) -- C:\WINDOWS\System32\dllcache\lanepic5.sys
[2012/06/14 15:14:11 | 000,019,016 | ---- | C] (Kingston Technology Company ) -- C:\WINDOWS\System32\dllcache\ktc111.sys
[2012/06/14 15:13:16 | 000,023,552 | ---- | C] (MKNet Corporation) -- C:\WINDOWS\System32\dllcache\irmk7.sys
[2012/06/14 15:12:23 | 000,372,824 | ---- | C] (Xircom) -- C:\WINDOWS\System32\dllcache\iconf32.dll
[2012/06/14 15:10:27 | 000,068,608 | ---- | C] (Avisioin) -- C:\WINDOWS\System32\dllcache\hpgt53tk.dll
[2012/06/14 15:10:17 | 000,126,976 | ---- | C] (Hewlett Packard) -- C:\WINDOWS\System32\dllcache\hpgt34tk.dll
[2012/06/14 15:09:33 | 000,028,288 | ---- | C] (Gemplus) -- C:\WINDOWS\System32\dllcache\grserial.sys
[2012/06/14 15:09:23 | 000,082,304 | ---- | C] (Gemplus) -- C:\WINDOWS\System32\dllcache\grclass.sys
[2012/06/14 15:09:20 | 000,017,408 | ---- | C] (Gemplus) -- C:\WINDOWS\System32\dllcache\gpr400.sys
[2012/06/14 15:08:55 | 000,454,912 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\fxusbase.sys
[2012/06/14 15:08:34 | 000,455,296 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\fusbbase.sys
[2012/06/14 15:08:32 | 000,455,680 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\fus2base.sys
[2012/06/14 15:08:22 | 000,442,240 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\fpnpbase.sys
[2012/06/14 15:08:20 | 000,441,728 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\fpcmbase.sys
[2012/06/14 15:08:17 | 000,444,416 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\fpcibase.sys
[2012/06/14 15:08:11 | 000,034,173 | ---- | C] (Marconi Communications, Inc.) -- C:\WINDOWS\System32\dllcache\forehe.sys
[2012/06/14 15:07:47 | 000,024,618 | ---- | C] (NETGEAR) -- C:\WINDOWS\System32\dllcache\fa410nd5.sys
[2012/06/14 15:07:42 | 000,011,850 | ---- | C] (FUJITSU LIMITED) -- C:\WINDOWS\System32\dllcache\f3ab18xj.sys
[2012/06/14 15:07:39 | 000,012,362 | ---- | C] (FUJITSU LIMITED) -- C:\WINDOWS\System32\dllcache\f3ab18xi.sys
[2012/06/14 15:03:50 | 000,334,208 | ---- | C] (Yamaha Corp.) -- C:\WINDOWS\System32\dllcache\ds1wdm.sys
[2012/06/14 15:03:34 | 000,028,062 | ---- | C] (National Semiconductor Coproration) -- C:\WINDOWS\System32\dllcache\dp83820.sys
[2012/06/14 15:03:16 | 000,029,696 | ---- | C] (CNet Technology, Inc. ) -- C:\WINDOWS\System32\dllcache\dm9pci5.sys
[2012/06/14 15:03:14 | 000,026,698 | ---- | C] (D-Link Corporation) -- C:\WINDOWS\System32\dllcache\dlh5xnd5.sys
[2012/06/14 15:03:13 | 000,952,007 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\diwan.sys
[2012/06/14 15:03:08 | 000,236,060 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\ditrace.exe
[2012/06/14 15:03:07 | 000,038,985 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\disrvsu.dll
[2012/06/14 15:03:05 | 000,031,305 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\disrvpp.dll
[2012/06/14 15:03:04 | 000,006,729 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\disrvci.dll
[2012/06/14 15:03:00 | 000,091,305 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\dimaint.sys
[2012/06/14 15:02:34 | 000,024,649 | ---- | C] (D-Link) -- C:\WINDOWS\System32\dllcache\dfe650d.sys
[2012/06/14 15:02:33 | 000,024,648 | ---- | C] (D-Link) -- C:\WINDOWS\System32\dllcache\dfe650.sys
[2012/06/14 15:02:28 | 000,020,928 | ---- | C] (Digital Networks, LLC) -- C:\WINDOWS\System32\dllcache\defpa.sys
[2012/06/14 15:01:57 | 000,048,640 | ---- | C] (Crystal Semiconductor Corp.) -- C:\WINDOWS\System32\dllcache\cwrwdm.sys
[2012/06/14 15:01:56 | 000,093,952 | ---- | C] (Crystal Semiconductor Corp.) -- C:\WINDOWS\System32\dllcache\cwcwdm.sys
[2012/06/14 15:01:55 | 000,111,872 | ---- | C] (Crystal Semiconductor Corp.) -- C:\WINDOWS\System32\dllcache\cwcspud.sys
[2012/06/14 15:01:53 | 000,003,584 | ---- | C] (Crystal Semiconductor Corp.) -- C:\WINDOWS\System32\dllcache\cwcosnt5.sys
[2012/06/14 15:01:52 | 000,072,832 | ---- | C] (Crystal Semiconductor Corp.) -- C:\WINDOWS\System32\dllcache\cwbwdm.sys
[2012/06/14 15:01:51 | 000,003,072 | ---- | C] (Crystal Semiconductor Corp.) -- C:\WINDOWS\System32\dllcache\cwbmidi.sys
[2012/06/14 15:01:50 | 000,003,072 | ---- | C] (Crystal Semiconductor Corp.) -- C:\WINDOWS\System32\dllcache\cwbase.sys
[2012/06/14 15:01:48 | 000,249,856 | ---- | C] (Comtrol® Corporation) -- C:\WINDOWS\System32\dllcache\ctmasetp.dll
[2012/06/14 15:01:37 | 000,216,064 | ---- | C] (COMPAQ Inc.) -- C:\WINDOWS\System32\dllcache\cpscan.dll
[2012/06/14 15:01:15 | 000,020,736 | ---- | C] (OMNIKEY AG) -- C:\WINDOWS\System32\dllcache\cmbp0wdm.sys
[2012/06/14 15:01:02 | 000,980,034 | ---- | C] (Xircom) -- C:\WINDOWS\System32\dllcache\cicap.sys
[2012/06/14 15:00:49 | 000,049,182 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\cem56n5.sys
[2012/06/14 15:00:48 | 000,022,044 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\cem33n5.sys
[2012/06/14 15:00:47 | 000,022,044 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\cem28n5.sys
[2012/06/14 15:00:46 | 000,027,164 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\ce3n5.sys
[2012/06/14 15:00:46 | 000,021,530 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\ce2n5.sys
[2012/06/14 15:00:40 | 000,714,698 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\cbmdmkxx.sys
[2012/06/14 15:00:39 | 000,046,108 | ---- | C] (Xircom, Inc.) -- C:\WINDOWS\System32\dllcache\cben5.sys
[2012/06/14 15:00:38 | 000,039,680 | ---- | C] (Silicom Ltd.) -- C:\WINDOWS\System32\dllcache\cb325.sys
[2012/06/14 15:00:37 | 000,037,916 | ---- | C] (Fast Ethernet Controller Provider) -- C:\WINDOWS\System32\dllcache\cb102.sys
[2012/06/14 15:00:34 | 000,032,256 | ---- | C] (Eicon Technology Corporation) -- C:\WINDOWS\System32\dllcache\diapi2NT.dll
[2012/06/14 15:00:33 | 000,164,923 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\diapi2.sys
[2012/06/14 15:00:32 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2012/06/14 14:59:51 | 000,031,529 | ---- | C] (BreezeCOM) -- C:\WINDOWS\System32\dllcache\brzwlan.sys
[2012/06/14 14:59:50 | 000,011,008 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brusbmdm.sys
[2012/06/14 14:59:50 | 000,010,368 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brusbscn.sys
[2012/06/14 14:59:49 | 000,060,416 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brserwdm.sys
[2012/06/14 14:59:48 | 000,009,728 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brserif.dll
[2012/06/14 14:59:48 | 000,005,120 | ---- | C] (Brother Industries,Ltd.) -- C:\WINDOWS\System32\dllcache\brscnrsm.dll
[2012/06/14 14:59:46 | 000,039,552 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brparwdm.sys
[2012/06/14 14:59:46 | 000,003,168 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brparimg.sys
[2012/06/14 14:59:43 | 000,041,472 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfusb.dll
[2012/06/14 14:59:43 | 000,032,256 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfrsmg.exe
[2012/06/14 14:59:42 | 000,029,696 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmflpt.dll
[2012/06/14 14:59:41 | 000,015,360 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brmfbidi.dll
[2012/06/14 14:59:40 | 000,003,968 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brfiltup.sys
[2012/06/14 14:59:39 | 000,012,160 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brfiltlo.sys
[2012/06/14 14:59:38 | 000,002,944 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brfilt.sys
[2012/06/14 14:59:37 | 000,012,800 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brevif.dll
[2012/06/14 14:59:37 | 000,009,728 | ---- | C] (Brother Industries Ltd.) -- C:\WINDOWS\System32\dllcache\brcoinst.dll
[2012/06/14 14:59:36 | 000,019,456 | ---- | C] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\dllcache\brbidiif.dll
[2012/06/14 14:59:26 | 000,871,388 | ---- | C] (BCM) -- C:\WINDOWS\System32\dllcache\bcmdm.sys
[2012/06/14 14:59:20 | 000,036,128 | ---- | C] (3Dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\banshee.sys
[2012/06/14 14:59:18 | 000,342,336 | ---- | C] (3Dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\banshee.dll
[2012/06/14 14:59:16 | 000,089,952 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\b1cbase.sys
[2012/06/14 14:59:16 | 000,036,992 | ---- | C] (Aztech Systems Ltd) -- C:\WINDOWS\System32\dllcache\aztw2320.sys
[2012/06/14 14:59:14 | 000,037,568 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmwan.sys
[2012/06/14 14:59:13 | 000,144,384 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmenum.dll
[2012/06/14 14:59:12 | 000,087,552 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmcoxp.dll
[2012/06/14 14:58:26 | 000,097,354 | ---- | C] (Bay Networks, Inc.) -- C:\WINDOWS\System32\dllcache\aspndis3.sys
[2012/06/14 14:58:15 | 000,016,969 | ---- | C] (AmbiCom, Inc.) -- C:\WINDOWS\System32\dllcache\amb8002.sys
[2012/06/14 14:57:53 | 000,046,112 | ---- | C] (Adaptec, Inc ) -- C:\WINDOWS\System32\dllcache\adptsf50.sys
[2012/06/14 14:57:51 | 000,747,392 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8830.sys
[2012/06/14 14:57:51 | 000,010,880 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\admjoy.sys
[2012/06/14 14:57:50 | 000,553,984 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8820.sys
[2012/06/14 14:57:49 | 000,584,448 | ---- | C] (Aureal, Inc.) -- C:\WINDOWS\System32\dllcache\adm8810.sys
[2012/06/14 14:57:45 | 000,061,440 | ---- | C] (Color Flatbed Scanner) -- C:\WINDOWS\System32\dllcache\acerscad.dll
[2012/06/14 14:57:41 | 000,462,848 | ---- | C] (Aureal Inc.) -- C:\WINDOWS\System32\dllcache\a3dapi.dll
[2012/06/14 14:57:41 | 000,098,304 | ---- | C] (Aureal Semiconductor) -- C:\WINDOWS\System32\dllcache\a3d.dll
[2012/06/14 14:57:39 | 000,762,780 | ---- | C] (3Com, Inc.) -- C:\WINDOWS\System32\dllcache\3cwmcru.sys
[2012/06/14 14:57:39 | 000,689,216 | ---- | C] (3dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\3dfxvs.dll
[2012/06/14 14:57:39 | 000,148,352 | ---- | C] (3dfx Interactive, Inc.) -- C:\WINDOWS\System32\dllcache\3dfxvsm.sys
[2012/06/14 13:15:47 | 000,014,664 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\stinger.sys
[2012/06/14 13:14:06 | 000,000,000 | ---D | C] -- C:\Program Files\stinger
[2012/06/13 10:07:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
[2012/06/13 10:02:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Local Settings\Application Data\PackageAware
[2012/06/12 23:44:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Phone Browser
[2012/06/12 18:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Local Settings\Application Data\FixItCenter
[2012/06/12 18:49:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\MATS
[2012/06/12 18:49:41 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Fix it Center
[2012/06/12 09:50:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Desktop\PDF Edit
[2012/06/11 10:50:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Desktop\Focus Business solutions downloads
[2012/06/11 08:43:07 | 000,009,608 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2012/06/11 08:42:55 | 000,340,920 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2012/06/11 08:42:55 | 000,089,792 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2012/06/11 08:42:55 | 000,087,656 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2012/06/11 08:42:55 | 000,083,856 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2012/06/11 08:42:55 | 000,059,456 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2012/06/11 08:42:54 | 000,180,848 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2012/06/11 08:42:54 | 000,057,600 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2012/06/11 08:42:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Mcafee
[2012/06/11 08:42:40 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2012/06/11 08:33:17 | 000,159,608 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2012/06/04 23:26:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Local Settings\Application Data\Citrix
[2012/06/04 11:42:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Application Data\Macromedia
[2012/05/22 16:46:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\richards\Desktop\BACH
[3 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2012/06/16 11:54:01 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/16 11:08:44 | 000,001,691 | ---- | M] () -- C:\Documents and Settings\richards\Desktop\Pensions work.lnk
[2012/06/16 10:10:01 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2012/06/16 09:29:52 | 000,047,334 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2012/06/16 09:29:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/16 09:27:34 | 000,047,334 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2012/06/16 09:27:27 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2012/06/15 15:02:01 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2012/06/15 14:00:00 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2012/06/14 17:37:30 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\richards\ntuser.pol
[2012/06/14 13:15:47 | 000,014,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\stinger.sys
[2012/06/14 13:14:30 | 000,475,704 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2012/06/14 13:14:30 | 000,159,608 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2012/06/14 13:14:30 | 000,087,656 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2012/06/14 08:47:17 | 000,249,496 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/14 08:37:29 | 000,763,116 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/14 08:37:29 | 000,186,226 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/14 08:04:23 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/06/13 05:54:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cb6bc3a10a49e1.job
[2012/06/12 18:49:45 | 000,000,720 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Fix it Center.lnk
[2012/06/11 16:06:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/06/11 09:25:01 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/06/08 16:09:22 | 000,061,353 | ---- | M] () -- C:\Documents and Settings\richards\Desktop\Sterling ISA SIA full and Partial Surrender Form.pdf
[2012/06/08 09:05:32 | 000,000,548 | ---- | M] () -- C:\WINDOWS\psm.ini
[2012/06/05 20:40:00 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2012/06/04 23:37:59 | 000,000,771 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/04 23:26:51 | 000,103,784 | ---- | M] () -- C:\Documents and Settings\richards\GoToAssistDownloadHelper.exe
[2012/06/04 18:10:23 | 000,016,419 | ---- | M] () -- C:\Documents and Settings\richards\Desktop\MVTHealthCheck_Deviation.html
[2012/05/20 15:43:24 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BankTree Personal Finance 2.0.lnk
[3 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

File not found -- C:\WINDOWS\System32\
[2012/06/14 15:42:02 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\dllcache\xrxscnui.dll
[2012/06/14 15:41:58 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\dllcache\xrxftplt.exe
[2012/06/14 15:21:08 | 000,033,280 | ---- | C] () -- C:\WINDOWS\System32\dllcache\psisrndr.ax
[2012/06/14 15:21:04 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\dllcache\psisdecd.dll
[2012/06/14 15:16:17 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdvbnp.ax
[2012/06/14 15:10:24 | 000,165,888 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hpgt53.dll
[2012/06/14 15:10:20 | 000,093,696 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hpgt42.dll
[2012/06/14 15:10:15 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hpgt34.dll
[2012/06/14 15:10:10 | 000,089,088 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hpgt33.dll
[2012/06/14 15:10:05 | 000,083,968 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hpgt21.dll
[2012/06/14 15:03:11 | 000,029,768 | ---- | C] () -- C:\WINDOWS\System32\dllcache\divasu.dll
[2012/06/14 15:03:10 | 000,037,962 | ---- | C] () -- C:\WINDOWS\System32\dllcache\divaprop.dll
[2012/06/14 15:03:09 | 000,006,216 | ---- | C] () -- C:\WINDOWS\System32\dllcache\divaci.dll
[2012/06/14 14:58:56 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atixbar.sys
[2012/06/14 14:58:55 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativxbar.sys
[2012/06/14 14:58:53 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativttxx.sys
[2012/06/14 14:58:52 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ativmdcd.sys
[2012/06/14 14:58:51 | 000,017,152 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atitvsnd.sys
[2012/06/14 14:58:50 | 000,017,152 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atitunep.sys
[2012/06/14 14:58:49 | 000,049,920 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atirtcap.sys
[2012/06/14 14:58:49 | 000,026,880 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atirtsnd.sys
[2012/06/14 14:58:47 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atipcxxx.sys
[2012/06/14 14:58:40 | 000,046,464 | ---- | C] () -- C:\WINDOWS\System32\dllcache\atibt829.sys
[2012/06/12 18:49:45 | 000,000,726 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Fix it Center.lnk
[2012/06/12 18:49:45 | 000,000,720 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Fix it Center.lnk
[2012/06/08 16:09:22 | 000,061,353 | ---- | C] () -- C:\Documents and Settings\richards\Desktop\Sterling ISA SIA full and Partial Surrender Form.pdf
[2012/06/04 18:10:23 | 000,016,419 | ---- | C] () -- C:\Documents and Settings\richards\Desktop\MVTHealthCheck_Deviation.html
[2012/06/04 18:03:02 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Virtual Technician.lnk
[2012/06/02 07:56:44 | 000,141,392 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/05/04 17:58:31 | 000,000,052 | ---- | C] () -- C:\Documents and Settings\richards\Application Data\mbam.context.scan
[2012/03/02 00:13:49 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/16 08:28:29 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/08/08 11:56:42 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\Tsp.dll
[2010/08/08 11:56:42 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ENU.dll
[2010/08/02 16:09:41 | 000,002,688 | ---- | C] () -- C:\Program Files\00000000-0000-0000-0000-000000000000.dtsll
[2010/08/02 16:07:19 | 000,607,744 | ---- | C] () -- C:\Program Files\MBLOBPSetup.msi
[2010/07/06 16:49:33 | 000,000,098 | ---- | C] () -- C:\WINDOWS\setup.ini

========== LOP Check ==========

[2010/04/04 01:25:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG
[2011/10/18 14:02:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canon
[2008/12/27 23:15:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/06/02 11:39:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2008/12/27 23:50:01 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEPPEX
[2008/12/27 23:48:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2010/09/11 21:22:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2010/04/26 13:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2007/12/31 01:47:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2009/05/22 12:46:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HBOS
[2011/06/27 13:45:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HMRC
[2007/11/15 19:46:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2010/06/17 11:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Logic Software
[2007/10/12 18:35:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Northern Rock
[2007/11/15 20:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2012/06/16 11:37:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedMaxPc
[2009/09/25 10:22:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TrueCrypt
[2009/09/21 17:16:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Utimaco
[2010/04/12 10:23:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone
[2006/05/21 18:00:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2010/07/12 11:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/06/13 10:07:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
[2010/01/26 21:11:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2007/07/15 19:06:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\Canon
[2010/02/17 23:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\CD-LabelPrint
[2006/09/07 11:09:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\DataLayer
[2012/06/16 11:02:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\DriverCure
[2012/03/05 18:28:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\ElevatedDiagnostics
[2007/07/30 13:38:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\FileMaker
[2007/12/31 01:48:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\Grisoft
[2011/04/06 22:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\HMRC
[2001/12/21 11:16:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\InterTrust
[2005/10/24 14:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\Leadertech
[2012/06/12 18:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\LFSSystem FE
[2005/11/29 17:46:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\mytemp
[2007/11/15 20:00:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\Nokia
[2009/06/20 16:28:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\Nokia Multimedia Player
[2007/11/15 20:03:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\PC Suite
[2012/06/16 11:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\SpeedMaxPc
[2012/05/23 19:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\TrueCrypt
[2010/01/25 15:46:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\richards\Application Data\Vodafone
[2012/06/16 10:10:01 | 000,000,462 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2012/06/05 20:40:00 | 000,000,462 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2012/06/15 15:02:01 | 000,000,462 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2012/06/15 14:00:00 | 000,000,462 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2010/07/30 17:34:38 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB25497$] -> Error: Cannot create file handle -> Unknown point type

< End of report >

OTL Extras: --

OTL Extras logfile created on: 16/06/12 11:44:16 - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Documents and Settings\richards\Desktop\TOOLS\Tools Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yy

1021.99 Mb Total Physical Memory | 310.77 Mb Available Physical Memory | 30.41% Memory free
2.07 Gb Paging File | 1.14 Gb Available in Paging File | 54.81% Paging File free
Paging file location(s): C:\pagefile.sys 1200 2400 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.06 Gb Total Space | 35.72 Gb Free Space | 38.38% Space Free | Partition Type: NTFS
Drive H: | 136.73 Gb Total Space | 35.40 Gb Free Space | 25.89% Space Free | Partition Type: NTFS
Drive M: | 136.73 Gb Total Space | 35.40 Gb Free Space | 25.89% Space Free | Partition Type: NTFS
Drive O: | 136.73 Gb Total Space | 35.40 Gb Free Space | 25.89% Space Free | Partition Type: NTFS

Computer Name: CAMELOT | User Name: richards | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Outlook\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Outlook\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{06ACB7BC-B411-4FB5-8E93-0C28FB9E8FD2}" = OTP Application
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{06C32EA0-4A22-4919-979A-8700715865B8}" = Microsoft LifeCam
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = Lizardtech DjVu Control
"{11964613-805F-432D-A12B-169554B793E7}" = Nokia Connectivity Cable Driver
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4600_series" = Canon iP4600 series Printer Driver
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ9601" = CanoScan LiDE 700F Scanner Driver
"{121634B0-2F4A-11D3-ADA3-00C04F52DD53}" = Windows Installer Clean Up
"{182A0989-6628-43D2-B711-BC9989833E2B}" = All New Mortgage Brain
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Advanced Control Suite
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (ETI)
"{2B15516A-9F9A-45E5-83F3-627DF07E37CD}" = IQ4
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35748B06-FCFC-4700-8285-DAD41689E4FE}" = Broadcom TPM Driver Installer
"{3759CC1E-8259-4B0D-862A-078EABFFD97F}" = HP Officejet Pro 8500 A910 Product Improvement Study
"{3AE5A1B4-D6AE-48D4-A07F-46A806CD53E6}" = HP Officejet Pro 8500 A910 Basic Device Software
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4C711ED2-0A9D-4A16-960A-BA16D8F285E3}" = OTPSpikeUpdater
"{4D719053-5593-11D3-8F25-0060085C1758}" = Microsoft AutoRoute 2001
"{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"{529B3AD1-641B-464F-A145-417AA22D5291}" = Crystal Report Merge Module
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{689404D2-1C94-44B3-9203-BEC5594FDA7A}" = Microsoft SQL Server Desktop Engine (OTP)
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{6CDAED1C-5B60-4818-88A7-E4A90CD367AF}" = Wave Support Software
"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (MBRAIN)
"{6FB84827-8DA4-4B89-A633-AE0DA486D3A3}" = ETr Patch for Feb 2008
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{7694E0B1-2332-448B-9235-929F84B41E3F}" = Active@ ISO Burner
"{76B538EA-FA84-4F57-9087-715D36B27FE9}" = Patch for January 2008
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7D05C921-B3BF-4540-B4D9-4D1FC33E7320}" = Pensions Profiler
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{871B2A9D-0F12-44B3-88C1-E0CB10A232E4}" = HP Officejet Pro 8500 A910 Help
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8B92D97D-DB3D-4926-A8F7-718FE7C5EE18}" = iTunes
"{8F1A20DC-251D-47B0-91B7-DCA2523EE6C9}" = McAfee Virtual Technician
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96B51C0B-D3BE-4DF3-959C-28B22C10CFBB}" = Vodafone Mobile Connect Lite
"{99A40651-0BC2-4095-8F9A-A40FAB224FEF}" = PC Connectivity Solution
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}" = Nokia PC Suite
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Embassy Trust Suite by Wave Systems
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AE765884-4770-4A92-82D9-AB3192512B31}" = Preboot Manager
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{B0A8D6BF-065D-4956-BCE0-5A90F582A636}" = Intermediary Mortgages Application
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5AB9CB4-4AAE-44CC-A6AF-37388326E85F}" = Wave Infrastructure Installer
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7588D45-AFDC-4C93-9E2E-A100F3554B64}" = Microsoft Fix it Center
"{BBE3E502-F1D6-4FC9-9844-CC0850B7C516}" = Network ScanGear Ver.2.21
"{BC5A46DA-C063-4E02-AC3F-39909E2D1245}" = Patch for November 2007
"{C02AAD8A-17CC-4D49-8358-3D893B8CA727}" = OTP Backup and Restore tool
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C5E521B0-EEE3-4454-84AA-31D27AD4A975}" = PensionsProfilerData
"{C791AE73-1A23-4725-ADC7-89D27141E76E}" = OTP Application Patch 06/12/2007
"{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb" = Microsoft Automated Troubleshooting Services Shim
"{CA6BCA2F-EDEB-408F-850B-31404BE16A61}" = I.R.I.S. OCR
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D085A1B6-90A4-11D3-82B7-00C04FA309DE}" = Microsoft Money 2001
"{D0C30215-95B5-4624-A963-834A6BD778F4}" = BankTree Personal Finance 2.0
"{D1183FA8-AA29-4C82-B998-9593D7AF42FE}" = NTRU Hybrid TSS v2.0.7
"{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D4611976-B65B-11D4-80FB-00B0D031903B}" = Alliance and Leicester Online Forms
"{DD41AC25-61B2-4FC9-90AA-672F32139AC3}" = ETS Launch Pad
"{DE5BA3CD-C553-4E71-8E3D-216360BB7414}_is1" = BankTree Personal Finance 2.0 Install Manager
"{DE9D2747-A7BC-4F6E-8673-8B14641B68E5}" = goal navigator (offline)
"{DF0102B1-4E96-4953-8625-E73CEBC491E9}" = SmartStamp
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine
"{E1F4FB82-3EA6-46B6-A18A-9B3A62DA393E}" = hp deskjet 6122
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EA1A2ED9-2AE3-4A55-994A-AB7B0C9ED0AF}" = DT Server Local Link
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EC34E1FB-9B92-45CB-B207-E85E0D6A2136}" = OTPm February 2009 Update
"{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"{ED8EF3C2-FA5B-4A1E-950D-5A0227161F97}" = ArcSoft PhotoStudio 6
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F1802FA6-54E9-4B24-BD2A-B50866819795}" = EMBASSY Trust Suite by Wave Systems
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FCC71C18-1128-11D5-8B89-0090CC00846B}" = Canon Cover Sheet Editor
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FFBBA279-DDEB-4FA3-914E-AE60CBABA6D6}" = PensionsProfiler
"0C5EDC3653FED5B121F464339EAC12534D253B25" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)
"4077F884D1BB007055BDB83B621D87220A73F30F" = Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"B726756F5B5A5AA9D798B399386FC6205A45F19E" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)
"Basic PAYE Tools" = Basic PAYE Tools
"Belarc Advisor" = Belarc Advisor 7.2
"Boots F2CD Picture Suite" = Boots F2CD Picture Suite
"BT Business Broadband Desktop Help" = BT Business Broadband Desktop Help
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon iP4600 series User Registration" = Canon iP4600 series User Registration
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CD8424B9400BFF7D34AA18F816C71322AC4BDAA7" = Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
"CleanUp!" = CleanUp!
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"CSCLIB" = Canon Camera Support Core Library
"DPP" = Canon Utilities Digital Photo Professional 2.2
"Easy Time Tracking Pro" = Easy Time Tracking Pro 6.0.1
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"EOS Utility" = Canon Utilities EOS Utility
"HijackThis" = HijackThis 1.99.1
"hp deskjet 6122 series_Driver" = hp deskjet 6122 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"InstallShield_{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"InstallShield_{529B3AD1-641B-464F-A145-417AA22D5291}" = Crystal Report Merge Module
"InstallShield_{6CDAED1C-5B60-4818-88A7-E4A90CD367AF}" = Wave Support Software
"InstallShield_{B0A8D6BF-065D-4956-BCE0-5A90F582A636}" = Intermediary Mortgages Application
"InstallShield_{BBE3E502-F1D6-4FC9-9844-CC0850B7C516}" = Network ScanGear Ver.2.21
"InstallShield_{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"InstallShield_{DD41AC25-61B2-4FC9-90AA-672F32139AC3}" = ETS Launch Pad
"InstallShield_{DF0102B1-4E96-4953-8625-E73CEBC491E9}" = SmartStamp
"InstallShield_{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"InstallShield_{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"IomegaNT" = IomegaWare
"McAfee Virtual Technician" = McAfee Virtual Technician
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"mortgage brain" = mortgage brain
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MP Navigator EX 2.1" = Canon MP Navigator EX 2.1
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia PC Suite" = Nokia PC Suite
"NVIDIA Drivers" = NVIDIA Drivers
"Phone System Manager 1.03" = Phone System Manager 1.03
"PhotoStitch" = Canon Utilities PhotoStitch
"PremierBuilder - Test Insurer - Halifax GI - Intermediaries" = Halifax GI - Intermediaries (live) v8.18
"ProInst" = Intel® PROSet/Wireless Software
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"ST6UNST #1" = VT Transaction
"TrueCrypt" = TrueCrypt
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.8.0.723

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 16/06/12 04:27:27 | Computer Name = CAMELOT | Source = MSMQ | ID = 2124
Description = Message Queuing was unable to join the local Windows 2000 or Windows
Whistler domain 'LFS'. (Error: 0x80072726).

Error - 16/06/12 04:27:27 | Computer Name = CAMELOT | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (An invalid argument was supplied. ). Group Policy processing aborted.


Error - 16/06/12 04:29:18 | Computer Name = CAMELOT | Source = Userenv | ID = 1065
Description = Windows cannot perform filter check for Group Policy object CN={DEF653EB-7267-4A78-A1BA-5DE9B97BD928},CN=Policies,CN=System,DC=LFS,DC=local.
Group Policy processing aborted.

Error - 16/06/12 04:29:18 | Computer Name = CAMELOT | Source = Userenv | ID = 1030
Description = Windows cannot query for the list of Group Policy objects. A message
that describes the reason for this was previously logged by the policy engine.

Error - 16/06/12 04:30:03 | Computer Name = CAMELOT | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 vmcservice.exe, P2 9.4.4.17702, P3 4ab3b9db,
P4 system.management, P5 2.0.0.0, P6 4889dedd, P7 26c, P8 1b6, P9 system.io.filenotfoundexception,
P10 NIL.

Error - 16/06/12 04:32:09 | Computer Name = CAMELOT | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 16/06/12 06:09:32 | Computer Name = CAMELOT | Source = Userenv | ID = 1065
Description = Windows cannot perform filter check for Group Policy object CN={DEF653EB-7267-4A78-A1BA-5DE9B97BD928},CN=Policies,CN=System,DC=LFS,DC=local.
Group Policy processing aborted.

Error - 16/06/12 06:09:32 | Computer Name = CAMELOT | Source = Userenv | ID = 1030
Description = Windows cannot query for the list of Group Policy objects. A message
that describes the reason for this was previously logged by the policy engine.

Error - 16/06/12 06:17:38 | Computer Name = CAMELOT | Source = Userenv | ID = 1065
Description = Windows cannot perform filter check for Group Policy object CN={DEF653EB-7267-4A78-A1BA-5DE9B97BD928},CN=Policies,CN=System,DC=LFS,DC=local.
Group Policy processing aborted.

Error - 16/06/12 06:17:38 | Computer Name = CAMELOT | Source = Userenv | ID = 1030
Description = Windows cannot query for the list of Group Policy objects. A message
that describes the reason for this was previously logged by the policy engine.

[ System Events ]
Error - 16/06/12 04:19:44 | Computer Name = CAMELOT | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {58D67256-9A33-4720-ADEF-EE0561E4CC84}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.

Error - 16/06/12 04:22:27 | Computer Name = CAMELOT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 16/06/12 04:24:18 | Computer Name = CAMELOT | Source = DCOM | ID = 10010
Description = The server {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A} did not register
with DCOM within the required timeout.

Error - 16/06/12 04:26:36 | Computer Name = CAMELOT | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 16/06/12 04:27:27 | Computer Name = CAMELOT | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain LFS due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 16/06/12 04:27:27 | Computer Name = CAMELOT | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 16/06/12 04:27:55 | Computer Name = CAMELOT | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 16/06/12 04:27:43 | Computer Name = CAMELOT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 16/06/12 04:29:32 | Computer Name = CAMELOT | Source = DCOM | ID = 10010
Description = The server {E0EC0F2B-773D-4DD7-BE6C-7D85D6AA6269} did not register
with DCOM within the required timeout.

Error - 16/06/12 04:30:15 | Computer Name = CAMELOT | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {58D67256-9A33-4720-ADEF-EE0561E4CC84}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.


< End of report >
  • 0

Advertisements

#2
Render
Posted 20 June 2012 - 03:04 PM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available
  • When in doubt, please stop and ask first. There's no harm in asking questions!

If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below so I can have a look at the current condition of your machine.

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.

    Posted Image
  • When asked if you want to download Avast's virus definitions please select Yes.
    Note: If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start scan.

    Posted Image
  • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • Also on Desktop there should be a file called MBR.dat after that, zip it and then attach it here

How to add an attachment to a new topic or reply
  • 0

#3
RichofCamelot
Posted 20 June 2012 - 05:48 PM

RichofCamelot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
many thanks I will cary out your request in the morning my time so you should have an answer in about 12 hrs from now.
  • 0

#4
RichofCamelot
Posted 21 June 2012 - 01:53 AM

RichofCamelot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Render,
I have followed your instructions and copy the report below.
The program gave a choice of where to scan and I stipulated : which I hope was correct.

The report:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-21 08:31:50
-----------------------------
08:31:50.845 OS Version: Windows 5.1.2600 Service Pack 3
08:31:50.845 Number of processors: 2 586 0xE08
08:31:50.845 ComputerName: CAMELOT UserName:
08:31:51.531 Initialize success
08:33:45.490 AVAST engine defs: 12062100
08:34:59.557 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:34:59.557 Disk 0 Vendor: TOSHIBA_MK1032GSX AS022D Size: 95396MB BusType: 3
08:34:59.588 Disk 0 MBR read successfully
08:34:59.588 Disk 0 MBR scan
08:34:59.666 Disk 0 unknown MBR code
08:34:59.697 Disk 0 Partition 1 00 DE Dell Utility 94 MB offset 63
08:34:59.728 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS W!;^#> 95291 MB offset 192780
08:34:59.791 Disk 0 scanning sectors +195350400
08:34:59.822 Disk 0 malicious Win32:MBRoot code @ sector 195350403 !
08:34:59.822 Disk 0 PE file @ sector 195350425 !
08:34:59.900 Disk 0 scanning C:\WINDOWS\system32\drivers
08:34:59.900 Service scanning
08:36:05.051 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
08:36:19.054 Modules scanning
08:36:19.803 Disk 0 trace - called modules:
08:36:19.834 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spdm.sys >>UNKNOWN [0x88184938]<<
08:36:19.834 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x880e0ab8]
08:36:19.850 3 CLASSPNP.SYS[f76c4fd7] -> nt!IofCallDriver -> \Device\000000b6[0x88134f18]
08:36:19.850 5 ACPI.sys[f7443620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8813cd98]
08:36:20.365 AVAST engine scan C:\
08:36:20.380 Scan finished successfully
08:36:59.780 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\richards\Desktop\MBR.dat"
08:36:59.796 The log file has been saved successfully to "C:\Documents and Settings\richards\Desktop\aswMBR.txt"

I also attache the file as requested.
I will be available over the next 13 hours today on and off, otherwise I will attend to your reply when it arives.

Many thanks for your help
Attached File  MBR.zip   542bytes   106 downloads
I will be available during the next 13 h
  • 0

#5
Render
Posted 21 June 2012 - 02:13 AM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi,

The aswMBR log shows that an MBR infection was here but only the backup remains. Have you run anything other than the MBAM and McAfee tools?

Please follow the steps below:

Step 1

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK button.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".
Please copy and paste its contents on your next reply.

Step 2

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
  • 0

#6
RichofCamelot
Posted 21 June 2012 - 02:53 AM

RichofCamelot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Render,
Your instructions carried out and reports below.
I have not run any diagnostics not mentioned before except a stinger provided by Mcafee in the last week. Although I do run cleanup.exe (obtained from geeks to go some time in the past) to get rid of unwanted clutter, from time to time.

Reports:

09:22:59.0888 1620 TDSS rootkit removing tool 2.7.41.0 Jun 20 2012 20:53:32
09:23:01.0911 1620 ============================================================
09:23:01.0911 1620 Current date / time: 2012/06/21 09:23:01.0911
09:23:01.0911 1620 SystemInfo:
09:23:01.0911 1620
09:23:01.0911 1620 OS Version: 5.1.2600 ServicePack: 3.0
09:23:01.0911 1620 Product type: Workstation
09:23:01.0911 1620 ComputerName: CAMELOT
09:23:01.0911 1620 UserName: richards
09:23:01.0911 1620 Windows directory: C:\WINDOWS
09:23:01.0911 1620 System windows directory: C:\WINDOWS
09:23:01.0911 1620 Processor architecture: Intel x86
09:23:01.0911 1620 Number of processors: 2
09:23:01.0911 1620 Page size: 0x1000
09:23:01.0911 1620 Boot type: Normal boot
09:23:01.0911 1620 ============================================================
09:23:06.0968 1620 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
09:23:06.0984 1620 ============================================================
09:23:06.0984 1620 \Device\Harddisk0\DR0:
09:23:06.0984 1620 MBR partitions:
09:23:06.0984 1620 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2F10C, BlocksNum 0xBA1DE74
09:23:06.0984 1620 ============================================================
09:23:07.0186 1620 Initialize success
09:23:07.0186 1620 ============================================================
09:23:39.0633 5092 ============================================================
09:23:39.0633 5092 Scan started
09:23:39.0633 5092 Mode: Manual; SigCheck; TDLFS;
09:23:39.0633 5092 ============================================================
09:23:39.0648 5092 6to4 - ok
09:23:39.0664 5092 Abiosdsk - ok
09:23:39.0664 5092 abp480n5 - ok
09:23:39.0679 5092 ACDaemon - ok
09:23:39.0679 5092 ACPI - ok
09:23:39.0695 5092 ACPIEC - ok
09:23:39.0695 5092 adpu160m - ok
09:23:39.0695 5092 aec - ok
09:23:39.0726 5092 AegisP - ok
09:23:39.0742 5092 AFD - ok
09:23:39.0742 5092 agp440 - ok
09:23:39.0757 5092 agpCPQ - ok
09:23:39.0757 5092 Aha154x - ok
09:23:39.0773 5092 aic78u2 - ok
09:23:39.0773 5092 aic78xx - ok
09:23:39.0788 5092 Alerter - ok
09:23:39.0788 5092 ALG - ok
09:23:39.0804 5092 AliIde - ok
09:23:39.0804 5092 alim1541 - ok
09:23:39.0819 5092 amdagp - ok
09:23:39.0819 5092 amsint - ok
09:23:39.0835 5092 ApfiltrService - ok
09:23:39.0851 5092 APPDRV - ok
09:23:39.0851 5092 Apple Mobile Device - ok
09:23:39.0851 5092 AppMgmt - ok
09:23:39.0866 5092 Arp1394 - ok
09:23:39.0866 5092 asc - ok
09:23:39.0882 5092 asc3350p - ok
09:23:39.0882 5092 asc3550 - ok
09:23:39.0913 5092 aspnet_state - ok
09:23:39.0913 5092 AsyncMac - ok
09:23:39.0913 5092 atapi - ok
09:23:39.0928 5092 Atdisk - ok
09:23:39.0928 5092 Atmarpc - ok
09:23:39.0944 5092 AudioSrv - ok
09:23:39.0944 5092 audstub - ok
09:23:39.0944 5092 b57w2k - ok
09:23:39.0960 5092 BANTExt - ok
09:23:39.0975 5092 Beep - ok
09:23:39.0975 5092 BITS - ok
09:23:39.0991 5092 Bluetooth Hid Switch Service - ok
09:23:39.0991 5092 Bonjour Service - ok
09:23:39.0991 5092 Browser - ok
09:23:40.0006 5092 Canon Driver Information Assist Service - ok
09:23:40.0006 5092 cbidf - ok
09:23:40.0022 5092 cbidf2k - ok
09:23:40.0022 5092 CCALib8 - ok
09:23:40.0037 5092 CCDECODE - ok
09:23:40.0037 5092 cd20xrnt - ok
09:23:40.0037 5092 Cdaudio - ok
09:23:40.0053 5092 Cdfs - ok
09:23:40.0053 5092 Cdrom - ok
09:23:40.0068 5092 cfwids - ok
09:23:40.0068 5092 Changer - ok
09:23:40.0084 5092 cisvc - ok
09:23:40.0084 5092 ClipSrv - ok
09:23:40.0084 5092 clr_optimization_v2.0.50727_32 - ok
09:23:40.0100 5092 clr_optimization_v4.0.30319_32 - ok
09:23:40.0100 5092 CmBatt - ok
09:23:40.0115 5092 CmdIde - ok
09:23:40.0115 5092 Compbatt - ok
09:23:40.0115 5092 COMSysApp - ok
09:23:40.0131 5092 Cpqarray - ok
09:23:40.0146 5092 CryptSvc - ok
09:23:40.0146 5092 CVirtA - ok
09:23:40.0162 5092 CVPND - ok
09:23:40.0162 5092 CVPNDRVA - ok
09:23:40.0162 5092 dac2w2k - ok
09:23:40.0177 5092 dac960nt - ok
09:23:40.0177 5092 DataSvr2 - ok
09:23:40.0193 5092 DcomLaunch - ok
09:23:40.0193 5092 ddnt - ok
09:23:40.0209 5092 Dhcp - ok
09:23:40.0209 5092 Disk - ok
09:23:40.0209 5092 dmadmin - ok
09:23:40.0224 5092 dmboot - ok
09:23:40.0224 5092 dmio - ok
09:23:40.0240 5092 dmload - ok
09:23:40.0240 5092 dmserver - ok
09:23:40.0255 5092 DMusic - ok
09:23:40.0255 5092 DNE - ok
09:23:40.0255 5092 Dnscache - ok
09:23:40.0271 5092 Dot3svc - ok
09:23:40.0271 5092 dpti2o - ok
09:23:40.0286 5092 drmkaud - ok
09:23:40.0286 5092 E100B - ok
09:23:40.0302 5092 EapHost - ok
09:23:40.0302 5092 ERSvc - ok
09:23:40.0302 5092 Eventlog - ok
09:23:40.0317 5092 EventSystem - ok
09:23:40.0317 5092 EvtEng - ok
09:23:40.0333 5092 ewusbnet - ok
09:23:40.0333 5092 Fastfat - ok
09:23:40.0349 5092 FastUserSwitchingCompatibility - ok
09:23:40.0349 5092 Fax - ok
09:23:40.0349 5092 Fdc - ok
09:23:40.0364 5092 Fips - ok
09:23:40.0364 5092 Flpydisk - ok
09:23:40.0380 5092 FltMgr - ok
09:23:40.0380 5092 FontCache3.0.0.0 - ok
09:23:40.0395 5092 Fs_Rec - ok
09:23:40.0395 5092 Ftdisk - ok
09:23:40.0395 5092 GEARAspiWDM - ok
09:23:40.0411 5092 Gpc - ok
09:23:40.0411 5092 gupdate - ok
09:23:40.0426 5092 gupdatem - ok
09:23:40.0426 5092 HDAudBus - ok
09:23:40.0442 5092 helpsvc - ok
09:23:40.0442 5092 HidServ - ok
09:23:40.0442 5092 HidUsb - ok
09:23:40.0458 5092 hkmsvc - ok
09:23:40.0458 5092 hpn - ok
09:23:40.0473 5092 HSF_DPV - ok
09:23:40.0473 5092 HSXHWAZL - ok
09:23:40.0489 5092 HTTP - ok
09:23:40.0489 5092 HTTPFilter - ok
09:23:40.0489 5092 hwdatacard - ok
09:23:40.0504 5092 hwusbfake - ok
09:23:40.0504 5092 i2omgmt - ok
09:23:40.0520 5092 i2omp - ok
09:23:40.0520 5092 i8042prt - ok
09:23:40.0535 5092 IDriverT - ok
09:23:40.0535 5092 idsvc - ok
09:23:40.0566 5092 IISADMIN - ok
09:23:40.0566 5092 Imapi - ok
09:23:40.0566 5092 ImapiService - ok
09:23:40.0582 5092 ini910u - ok
09:23:40.0598 5092 IntelIde - ok
09:23:40.0598 5092 intelppm - ok
09:23:40.0613 5092 Ip6Fw - ok
09:23:40.0613 5092 IpFilterDriver - ok
09:23:40.0613 5092 IpInIp - ok
09:23:40.0629 5092 IpNat - ok
09:23:40.0629 5092 iPod Service - ok
09:23:40.0644 5092 Iprip - ok
09:23:40.0644 5092 IPSec - ok
09:23:40.0660 5092 IRENUM - ok
09:23:40.0660 5092 isapnp - ok
09:23:40.0675 5092 Kbdclass - ok
09:23:40.0675 5092 kmixer - ok
09:23:40.0691 5092 KSecDD - ok
09:23:40.0691 5092 lanmanserver - ok
09:23:40.0691 5092 lanmanworkstation - ok
09:23:40.0722 5092 lbrtfdc - ok
09:23:40.0722 5092 LmHosts - ok
09:23:40.0722 5092 LPDSVC - ok
09:23:40.0738 5092 MatSvc - ok
09:23:40.0753 5092 MBServiceHost - ok
09:23:40.0753 5092 McAfee SiteAdvisor Service - ok
09:23:40.0753 5092 McciCMService - ok
09:23:40.0769 5092 McMPFSvc - ok
09:23:40.0769 5092 mcmscsvc - ok
09:23:40.0784 5092 McNaiAnn - ok
09:23:40.0784 5092 McNASvc - ok
09:23:40.0784 5092 McODS - ok
09:23:40.0800 5092 McProxy - ok
09:23:40.0800 5092 McShield - ok
09:23:40.0815 5092 mdmxsdk - ok
09:23:40.0815 5092 Messenger - ok
09:23:40.0831 5092 mfeapfk - ok
09:23:40.0831 5092 mfeavfk - ok
09:23:40.0831 5092 mfeavfk01 - ok
09:23:40.0847 5092 mfebopk - ok
09:23:40.0847 5092 mfefire - ok
09:23:40.0862 5092 mfefirek - ok
09:23:40.0862 5092 mfehidk - ok
09:23:40.0862 5092 mfendisk - ok
09:23:40.0878 5092 mfendiskmp - ok
09:23:40.0878 5092 mferkdet - ok
09:23:40.0893 5092 mfetdi2k - ok
09:23:40.0893 5092 mfevtp - ok
09:23:40.0893 5092 mnmdd - ok
09:23:40.0909 5092 mnmsrvc - ok
09:23:40.0909 5092 Modem - ok
09:23:40.0924 5092 Mouclass - ok
09:23:40.0924 5092 mouhid - ok
09:23:40.0940 5092 MountMgr - ok
09:23:40.0940 5092 MQAC - ok
09:23:40.0940 5092 mraid35x - ok
09:23:40.0955 5092 MREMP50 - ok
09:23:40.0955 5092 MREMPR5 - ok
09:23:40.0971 5092 MRENDIS5 - ok
09:23:40.0971 5092 MRESP50 - ok
09:23:40.0987 5092 MRxDAV - ok
09:23:40.0987 5092 MRxSmb - ok
09:23:40.0987 5092 MSCamSvc - ok
09:23:41.0002 5092 MSDTC - ok
09:23:41.0018 5092 Msfs - ok
09:23:41.0018 5092 MSIServer - ok
09:23:41.0033 5092 MSK80Service - ok
09:23:41.0033 5092 MSKSSRV - ok
09:23:41.0033 5092 MSMQ - ok
09:23:41.0049 5092 MSMQTriggers - ok
09:23:41.0049 5092 MSPCLOCK - ok
09:23:41.0064 5092 MSPQM - ok
09:23:41.0064 5092 mssmbios - ok
09:23:41.0080 5092 MSSQL$ETI - ok
09:23:41.0080 5092 MSSQL$MBRAIN - ok
09:23:41.0080 5092 MSSQL$OTP - ok
09:23:41.0096 5092 MSSQLSERVER - ok
09:23:41.0096 5092 MSSQLServerADHelper - ok
09:23:41.0111 5092 MSTEE - ok
09:23:41.0111 5092 Mup - ok
09:23:41.0127 5092 NABTSFEC - ok
09:23:41.0127 5092 napagent - ok
09:23:41.0127 5092 NDIS - ok
09:23:41.0142 5092 NdisIP - ok
09:23:41.0142 5092 NdisTapi - ok
09:23:41.0158 5092 Ndisuio - ok
09:23:41.0158 5092 NdisWan - ok
09:23:41.0173 5092 NDProxy - ok
09:23:41.0173 5092 NetBIOS - ok
09:23:41.0173 5092 NetBT - ok
09:23:41.0189 5092 NetDDE - ok
09:23:41.0189 5092 NetDDEdsdm - ok
09:23:41.0204 5092 Netlogon - ok
09:23:41.0204 5092 Netman - ok
09:23:41.0204 5092 NetTcpPortSharing - ok
09:23:41.0220 5092 NIC1394 - ok
09:23:41.0220 5092 NICCONFIGSVC - ok
09:23:41.0236 5092 Nla - ok
09:23:41.0236 5092 NokiaSuite3 - ok
09:23:41.0251 5092 Npfs - ok
09:23:41.0251 5092 Ntfs - ok
09:23:41.0267 5092 NtLmSsp - ok
09:23:41.0267 5092 NtmsSvc - ok
09:23:41.0282 5092 Null - ok
09:23:41.0282 5092 nv - ok
09:23:41.0298 5092 NVSvc - ok
09:23:41.0298 5092 NwlnkFlt - ok
09:23:41.0298 5092 NwlnkFwd - ok
09:23:41.0313 5092 ohci1394 - ok
09:23:41.0313 5092 ose - ok
09:23:41.0329 5092 p2pgasvc - ok
09:23:41.0329 5092 p2pimsvc - ok
09:23:41.0345 5092 p2psvc - ok
09:23:41.0345 5092 Parport - ok
09:23:41.0360 5092 PartMgr - ok
09:23:41.0360 5092 ParVdm - ok
09:23:41.0376 5092 PBADRV - ok
09:23:41.0376 5092 PCI - ok
09:23:41.0391 5092 PCIDump - ok
09:23:41.0391 5092 PCIIde - ok
09:23:41.0391 5092 Pcmcia - ok
09:23:41.0407 5092 PDCOMP - ok
09:23:41.0407 5092 PDFRAME - ok
09:23:41.0422 5092 PDRELI - ok
09:23:41.0422 5092 PDRFRAME - ok
09:23:41.0438 5092 perc2 - ok
09:23:41.0438 5092 perc2hib - ok
09:23:41.0453 5092 PlugPlay - ok
09:23:41.0469 5092 PNRPSvc - ok
09:23:41.0469 5092 PolicyAgent - ok
09:23:41.0485 5092 PptpMiniport - ok
09:23:41.0485 5092 ProtectedStorage - ok
09:23:41.0500 5092 PSched - ok
09:23:41.0500 5092 Ptilink - ok
09:23:41.0500 5092 ql1080 - ok
09:23:41.0516 5092 Ql10wnt - ok
09:23:41.0516 5092 ql12160 - ok
09:23:41.0531 5092 ql1240 - ok
09:23:41.0531 5092 ql1280 - ok
09:23:41.0547 5092 RasAcd - ok
09:23:41.0547 5092 RasAuto - ok
09:23:41.0547 5092 Rasl2tp - ok
09:23:41.0562 5092 RasMan - ok
09:23:41.0562 5092 RasPppoe - ok
09:23:41.0578 5092 Raspti - ok
09:23:41.0578 5092 Rdbss - ok
09:23:41.0594 5092 RDPCDD - ok
09:23:41.0594 5092 rdpdr - ok
09:23:41.0609 5092 RDPWD - ok
09:23:41.0609 5092 RDSessMgr - ok
09:23:41.0625 5092 redbook - ok
09:23:41.0625 5092 RegSrvc - ok
09:23:41.0640 5092 RemoteAccess - ok
09:23:41.0640 5092 RemoteRegistry - ok
09:23:41.0640 5092 RMCAST - ok
09:23:41.0656 5092 ROOTMODEM - ok
09:23:41.0656 5092 RpcLocator - ok
09:23:41.0671 5092 RpcSs - ok
09:23:41.0671 5092 RSVP - ok
09:23:41.0687 5092 S24EventMonitor - ok
09:23:41.0687 5092 s24trans - ok
09:23:41.0687 5092 SamSs - ok
09:23:41.0702 5092 SCardSvr - ok
09:23:41.0702 5092 Schedule - ok
09:23:41.0718 5092 Secdrv - ok
09:23:41.0718 5092 seclogon - ok
09:23:41.0734 5092 SENS - ok
09:23:41.0734 5092 serenum - ok
09:23:41.0749 5092 Serial - ok
09:23:41.0749 5092 ServiceLayer - ok
09:23:41.0780 5092 Sfloppy - ok
09:23:41.0780 5092 ShellHWDetection - ok
09:23:41.0796 5092 Simbad - ok
09:23:41.0796 5092 SimpTcp - ok
09:23:41.0811 5092 sisagp - ok
09:23:41.0811 5092 SkypeUpdate - ok
09:23:41.0827 5092 SLIP - ok
09:23:41.0827 5092 SMTPSVC - ok
09:23:41.0843 5092 SNMP - ok
09:23:41.0843 5092 SNMPTRAP - ok
09:23:41.0858 5092 Sparrow - ok
09:23:41.0858 5092 splitter - ok
09:23:41.0874 5092 Spooler - ok
09:23:41.0874 5092 sptd - ok
09:23:41.0874 5092 SQLAgent$OTP - ok
09:23:41.0889 5092 SQLBrowser - ok
09:23:41.0889 5092 SQLSERVERAGENT - ok
09:23:41.0905 5092 SQLWriter - ok
09:23:41.0905 5092 sr - ok
09:23:41.0920 5092 srservice - ok
09:23:41.0920 5092 Srv - ok
09:23:41.0920 5092 SSDPSRV - ok
09:23:41.0936 5092 STHDA - ok
09:23:41.0936 5092 StillCam - ok
09:23:41.0951 5092 stisvc - ok
09:23:41.0951 5092 streamip - ok
09:23:41.0967 5092 swenum - ok
09:23:41.0967 5092 swmidi - ok
09:23:41.0967 5092 SwPrv - ok
09:23:41.0983 5092 symc810 - ok
09:23:41.0983 5092 symc8xx - ok
09:23:41.0998 5092 sym_hi - ok
09:23:41.0998 5092 sym_u3 - ok
09:23:42.0014 5092 sysaudio - ok
09:23:42.0014 5092 SysmonLog - ok
09:23:42.0029 5092 TapiSrv - ok
09:23:42.0029 5092 Tcpip - ok
09:23:42.0029 5092 Tcpip6 - ok
09:23:42.0045 5092 tcsd_win32.exe - ok
09:23:42.0045 5092 TDPIPE - ok
09:23:42.0060 5092 TDTCP - ok
09:23:42.0060 5092 TermDD - ok
09:23:42.0076 5092 TermService - ok
09:23:42.0076 5092 tfju17xkb.sys - ok
09:23:42.0076 5092 Themes - ok
09:23:42.0092 5092 TlntSvr - ok
09:23:42.0092 5092 toshidpt - ok
09:23:42.0107 5092 TosIde - ok
09:23:42.0107 5092 tosporte - ok
09:23:42.0123 5092 Tosrfbd - ok
09:23:42.0123 5092 Tosrfbnp - ok
09:23:42.0123 5092 Tosrfcom - ok
09:23:42.0138 5092 Tosrfhid - ok
09:23:42.0138 5092 tosrfnds - ok
09:23:42.0154 5092 TosRfSnd - ok
09:23:42.0154 5092 Tosrfusb - ok
09:23:42.0169 5092 TrkWks - ok
09:23:42.0169 5092 truecrypt - ok
09:23:42.0185 5092 tunmp - ok
09:23:42.0185 5092 Udfs - ok
09:23:42.0185 5092 ultra - ok
09:23:42.0200 5092 Update - ok
09:23:42.0200 5092 upnphost - ok
09:23:42.0216 5092 UPS - ok
09:23:42.0216 5092 USBAAPL - ok
09:23:42.0232 5092 usbaudio - ok
09:23:42.0232 5092 usbccgp - ok
09:23:42.0247 5092 USBCCID - ok
09:23:42.0247 5092 usbehci - ok
09:23:42.0263 5092 usbhub - ok
09:23:42.0263 5092 usbprint - ok
09:23:42.0263 5092 usbscan - ok
09:23:42.0278 5092 USBSTOR - ok
09:23:42.0278 5092 usbuhci - ok
09:23:42.0294 5092 VgaSave - ok
09:23:42.0294 5092 viaagp - ok
09:23:42.0309 5092 ViaIde - ok
09:23:42.0309 5092 VMCService - ok
09:23:42.0309 5092 VolSnap - ok
09:23:42.0325 5092 vsdatant - ok
09:23:42.0325 5092 VSS - ok
09:23:42.0340 5092 VX3000 - ok
09:23:42.0340 5092 w32time - ok
09:23:42.0356 5092 w39n51 - ok
09:23:42.0356 5092 W3SVC - ok
09:23:42.0356 5092 Wanarp - ok
09:23:42.0372 5092 WDICA - ok
09:23:42.0372 5092 wdmaud - ok
09:23:42.0387 5092 WebClient - ok
09:23:42.0387 5092 winachsf - ok
09:23:42.0403 5092 winmgmt - ok
09:23:42.0418 5092 WLANKEEPER - ok
09:23:42.0418 5092 WmdmPmSN - ok
09:23:42.0434 5092 Wmi - ok
09:23:42.0434 5092 WmiAcpi - ok
09:23:42.0449 5092 WmiApSrv - ok
09:23:42.0449 5092 WPFFontCache_v0400 - ok
09:23:42.0465 5092 WS2IFSL - ok
09:23:42.0465 5092 WSTCODEC - ok
09:23:42.0481 5092 wuauserv - ok
09:23:42.0481 5092 WudfPf - ok
09:23:42.0481 5092 WudfRd - ok
09:23:42.0496 5092 WudfSvc - ok
09:23:42.0496 5092 WZCSVC - ok
09:23:42.0512 5092 xmlprov - ok
09:23:42.0512 5092 ZipToA - ok
09:23:42.0574 5092 MBR (0x1B8) (3bc33f33b90167cf197dd464ca863fa0) \Device\Harddisk0\DR0
09:23:42.0605 5092 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected
09:23:42.0605 5092 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)
09:23:42.0605 5092 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
09:23:42.0605 5092 \Device\Harddisk0\DR0 - detected TDSS File System (1)
09:23:42.0652 5092 Boot (0x1200) (54638a786beb546b8451a53ffae0d3ee) \Device\Harddisk0\DR0\Partition0
09:23:42.0652 5092 \Device\Harddisk0\DR0\Partition0 - ok
09:23:42.0652 5092 ============================================================
09:23:42.0652 5092 Scan finished
09:23:42.0652 5092 ============================================================
09:23:42.0652 5676 Detected object count: 2
09:23:42.0652 5676 Actual detected object count: 2
09:25:19.0213 5676 \Device\Harddisk0\DR0\# - copied to quarantine
09:25:19.0213 5676 \Device\Harddisk0\DR0 - copied to quarantine
09:25:19.0322 5676 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
09:25:19.0462 5676 \Device\Harddisk0\DR0 - ok
09:25:19.0462 5676 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure
09:25:19.0462 5676 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:25:19.0462 5676 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
09:25:49.0077 3072 Deinitialize success


MBRCHECK:

09:22:59.0888 1620 TDSS rootkit removing tool 2.7.41.0 Jun 20 2012 20:53:32
09:23:01.0911 1620 ============================================================
09:23:01.0911 1620 Current date / time: 2012/06/21 09:23:01.0911
09:23:01.0911 1620 SystemInfo:
09:23:01.0911 1620
09:23:01.0911 1620 OS Version: 5.1.2600 ServicePack: 3.0
09:23:01.0911 1620 Product type: Workstation
09:23:01.0911 1620 ComputerName: CAMELOT
09:23:01.0911 1620 UserName: richards
09:23:01.0911 1620 Windows directory: C:\WINDOWS
09:23:01.0911 1620 System windows directory: C:\WINDOWS
09:23:01.0911 1620 Processor architecture: Intel x86
09:23:01.0911 1620 Number of processors: 2
09:23:01.0911 1620 Page size: 0x1000
09:23:01.0911 1620 Boot type: Normal boot
09:23:01.0911 1620 ============================================================
09:23:06.0968 1620 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
09:23:06.0984 1620 ============================================================
09:23:06.0984 1620 \Device\Harddisk0\DR0:
09:23:06.0984 1620 MBR partitions:
09:23:06.0984 1620 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2F10C, BlocksNum 0xBA1DE74
09:23:06.0984 1620 ============================================================
09:23:07.0186 1620 Initialize success
09:23:07.0186 1620 ============================================================
09:23:39.0633 5092 ============================================================
09:23:39.0633 5092 Scan started
09:23:39.0633 5092 Mode: Manual; SigCheck; TDLFS;
09:23:39.0633 5092 ============================================================
09:23:39.0648 5092 6to4 - ok
09:23:39.0664 5092 Abiosdsk - ok
09:23:39.0664 5092 abp480n5 - ok
09:23:39.0679 5092 ACDaemon - ok
09:23:39.0679 5092 ACPI - ok
09:23:39.0695 5092 ACPIEC - ok
09:23:39.0695 5092 adpu160m - ok
09:23:39.0695 5092 aec - ok
09:23:39.0726 5092 AegisP - ok
09:23:39.0742 5092 AFD - ok
09:23:39.0742 5092 agp440 - ok
09:23:39.0757 5092 agpCPQ - ok
09:23:39.0757 5092 Aha154x - ok
09:23:39.0773 5092 aic78u2 - ok
09:23:39.0773 5092 aic78xx - ok
09:23:39.0788 5092 Alerter - ok
09:23:39.0788 5092 ALG - ok
09:23:39.0804 5092 AliIde - ok
09:23:39.0804 5092 alim1541 - ok
09:23:39.0819 5092 amdagp - ok
09:23:39.0819 5092 amsint - ok
09:23:39.0835 5092 ApfiltrService - ok
09:23:39.0851 5092 APPDRV - ok
09:23:39.0851 5092 Apple Mobile Device - ok
09:23:39.0851 5092 AppMgmt - ok
09:23:39.0866 5092 Arp1394 - ok
09:23:39.0866 5092 asc - ok
09:23:39.0882 5092 asc3350p - ok
09:23:39.0882 5092 asc3550 - ok
09:23:39.0913 5092 aspnet_state - ok
09:23:39.0913 5092 AsyncMac - ok
09:23:39.0913 5092 atapi - ok
09:23:39.0928 5092 Atdisk - ok
09:23:39.0928 5092 Atmarpc - ok
09:23:39.0944 5092 AudioSrv - ok
09:23:39.0944 5092 audstub - ok
09:23:39.0944 5092 b57w2k - ok
09:23:39.0960 5092 BANTExt - ok
09:23:39.0975 5092 Beep - ok
09:23:39.0975 5092 BITS - ok
09:23:39.0991 5092 Bluetooth Hid Switch Service - ok
09:23:39.0991 5092 Bonjour Service - ok
09:23:39.0991 5092 Browser - ok
09:23:40.0006 5092 Canon Driver Information Assist Service - ok
09:23:40.0006 5092 cbidf - ok
09:23:40.0022 5092 cbidf2k - ok
09:23:40.0022 5092 CCALib8 - ok
09:23:40.0037 5092 CCDECODE - ok
09:23:40.0037 5092 cd20xrnt - ok
09:23:40.0037 5092 Cdaudio - ok
09:23:40.0053 5092 Cdfs - ok
09:23:40.0053 5092 Cdrom - ok
09:23:40.0068 5092 cfwids - ok
09:23:40.0068 5092 Changer - ok
09:23:40.0084 5092 cisvc - ok
09:23:40.0084 5092 ClipSrv - ok
09:23:40.0084 5092 clr_optimization_v2.0.50727_32 - ok
09:23:40.0100 5092 clr_optimization_v4.0.30319_32 - ok
09:23:40.0100 5092 CmBatt - ok
09:23:40.0115 5092 CmdIde - ok
09:23:40.0115 5092 Compbatt - ok
09:23:40.0115 5092 COMSysApp - ok
09:23:40.0131 5092 Cpqarray - ok
09:23:40.0146 5092 CryptSvc - ok
09:23:40.0146 5092 CVirtA - ok
09:23:40.0162 5092 CVPND - ok
09:23:40.0162 5092 CVPNDRVA - ok
09:23:40.0162 5092 dac2w2k - ok
09:23:40.0177 5092 dac960nt - ok
09:23:40.0177 5092 DataSvr2 - ok
09:23:40.0193 5092 DcomLaunch - ok
09:23:40.0193 5092 ddnt - ok
09:23:40.0209 5092 Dhcp - ok
09:23:40.0209 5092 Disk - ok
09:23:40.0209 5092 dmadmin - ok
09:23:40.0224 5092 dmboot - ok
09:23:40.0224 5092 dmio - ok
09:23:40.0240 5092 dmload - ok
09:23:40.0240 5092 dmserver - ok
09:23:40.0255 5092 DMusic - ok
09:23:40.0255 5092 DNE - ok
09:23:40.0255 5092 Dnscache - ok
09:23:40.0271 5092 Dot3svc - ok
09:23:40.0271 5092 dpti2o - ok
09:23:40.0286 5092 drmkaud - ok
09:23:40.0286 5092 E100B - ok
09:23:40.0302 5092 EapHost - ok
09:23:40.0302 5092 ERSvc - ok
09:23:40.0302 5092 Eventlog - ok
09:23:40.0317 5092 EventSystem - ok
09:23:40.0317 5092 EvtEng - ok
09:23:40.0333 5092 ewusbnet - ok
09:23:40.0333 5092 Fastfat - ok
09:23:40.0349 5092 FastUserSwitchingCompatibility - ok
09:23:40.0349 5092 Fax - ok
09:23:40.0349 5092 Fdc - ok
09:23:40.0364 5092 Fips - ok
09:23:40.0364 5092 Flpydisk - ok
09:23:40.0380 5092 FltMgr - ok
09:23:40.0380 5092 FontCache3.0.0.0 - ok
09:23:40.0395 5092 Fs_Rec - ok
09:23:40.0395 5092 Ftdisk - ok
09:23:40.0395 5092 GEARAspiWDM - ok
09:23:40.0411 5092 Gpc - ok
09:23:40.0411 5092 gupdate - ok
09:23:40.0426 5092 gupdatem - ok
09:23:40.0426 5092 HDAudBus - ok
09:23:40.0442 5092 helpsvc - ok
09:23:40.0442 5092 HidServ - ok
09:23:40.0442 5092 HidUsb - ok
09:23:40.0458 5092 hkmsvc - ok
09:23:40.0458 5092 hpn - ok
09:23:40.0473 5092 HSF_DPV - ok
09:23:40.0473 5092 HSXHWAZL - ok
09:23:40.0489 5092 HTTP - ok
09:23:40.0489 5092 HTTPFilter - ok
09:23:40.0489 5092 hwdatacard - ok
09:23:40.0504 5092 hwusbfake - ok
09:23:40.0504 5092 i2omgmt - ok
09:23:40.0520 5092 i2omp - ok
09:23:40.0520 5092 i8042prt - ok
09:23:40.0535 5092 IDriverT - ok
09:23:40.0535 5092 idsvc - ok
09:23:40.0566 5092 IISADMIN - ok
09:23:40.0566 5092 Imapi - ok
09:23:40.0566 5092 ImapiService - ok
09:23:40.0582 5092 ini910u - ok
09:23:40.0598 5092 IntelIde - ok
09:23:40.0598 5092 intelppm - ok
09:23:40.0613 5092 Ip6Fw - ok
09:23:40.0613 5092 IpFilterDriver - ok
09:23:40.0613 5092 IpInIp - ok
09:23:40.0629 5092 IpNat - ok
09:23:40.0629 5092 iPod Service - ok
09:23:40.0644 5092 Iprip - ok
09:23:40.0644 5092 IPSec - ok
09:23:40.0660 5092 IRENUM - ok
09:23:40.0660 5092 isapnp - ok
09:23:40.0675 5092 Kbdclass - ok
09:23:40.0675 5092 kmixer - ok
09:23:40.0691 5092 KSecDD - ok
09:23:40.0691 5092 lanmanserver - ok
09:23:40.0691 5092 lanmanworkstation - ok
09:23:40.0722 5092 lbrtfdc - ok
09:23:40.0722 5092 LmHosts - ok
09:23:40.0722 5092 LPDSVC - ok
09:23:40.0738 5092 MatSvc - ok
09:23:40.0753 5092 MBServiceHost - ok
09:23:40.0753 5092 McAfee SiteAdvisor Service - ok
09:23:40.0753 5092 McciCMService - ok
09:23:40.0769 5092 McMPFSvc - ok
09:23:40.0769 5092 mcmscsvc - ok
09:23:40.0784 5092 McNaiAnn - ok
09:23:40.0784 5092 McNASvc - ok
09:23:40.0784 5092 McODS - ok
09:23:40.0800 5092 McProxy - ok
09:23:40.0800 5092 McShield - ok
09:23:40.0815 5092 mdmxsdk - ok
09:23:40.0815 5092 Messenger - ok
09:23:40.0831 5092 mfeapfk - ok
09:23:40.0831 5092 mfeavfk - ok
09:23:40.0831 5092 mfeavfk01 - ok
09:23:40.0847 5092 mfebopk - ok
09:23:40.0847 5092 mfefire - ok
09:23:40.0862 5092 mfefirek - ok
09:23:40.0862 5092 mfehidk - ok
09:23:40.0862 5092 mfendisk - ok
09:23:40.0878 5092 mfendiskmp - ok
09:23:40.0878 5092 mferkdet - ok
09:23:40.0893 5092 mfetdi2k - ok
09:23:40.0893 5092 mfevtp - ok
09:23:40.0893 5092 mnmdd - ok
09:23:40.0909 5092 mnmsrvc - ok
09:23:40.0909 5092 Modem - ok
09:23:40.0924 5092 Mouclass - ok
09:23:40.0924 5092 mouhid - ok
09:23:40.0940 5092 MountMgr - ok
09:23:40.0940 5092 MQAC - ok
09:23:40.0940 5092 mraid35x - ok
09:23:40.0955 5092 MREMP50 - ok
09:23:40.0955 5092 MREMPR5 - ok
09:23:40.0971 5092 MRENDIS5 - ok
09:23:40.0971 5092 MRESP50 - ok
09:23:40.0987 5092 MRxDAV - ok
09:23:40.0987 5092 MRxSmb - ok
09:23:40.0987 5092 MSCamSvc - ok
09:23:41.0002 5092 MSDTC - ok
09:23:41.0018 5092 Msfs - ok
09:23:41.0018 5092 MSIServer - ok
09:23:41.0033 5092 MSK80Service - ok
09:23:41.0033 5092 MSKSSRV - ok
09:23:41.0033 5092 MSMQ - ok
09:23:41.0049 5092 MSMQTriggers - ok
09:23:41.0049 5092 MSPCLOCK - ok
09:23:41.0064 5092 MSPQM - ok
09:23:41.0064 5092 mssmbios - ok
09:23:41.0080 5092 MSSQL$ETI - ok
09:23:41.0080 5092 MSSQL$MBRAIN - ok
09:23:41.0080 5092 MSSQL$OTP - ok
09:23:41.0096 5092 MSSQLSERVER - ok
09:23:41.0096 5092 MSSQLServerADHelper - ok
09:23:41.0111 5092 MSTEE - ok
09:23:41.0111 5092 Mup - ok
09:23:41.0127 5092 NABTSFEC - ok
09:23:41.0127 5092 napagent - ok
09:23:41.0127 5092 NDIS - ok
09:23:41.0142 5092 NdisIP - ok
09:23:41.0142 5092 NdisTapi - ok
09:23:41.0158 5092 Ndisuio - ok
09:23:41.0158 5092 NdisWan - ok
09:23:41.0173 5092 NDProxy - ok
09:23:41.0173 5092 NetBIOS - ok
09:23:41.0173 5092 NetBT - ok
09:23:41.0189 5092 NetDDE - ok
09:23:41.0189 5092 NetDDEdsdm - ok
09:23:41.0204 5092 Netlogon - ok
09:23:41.0204 5092 Netman - ok
09:23:41.0204 5092 NetTcpPortSharing - ok
09:23:41.0220 5092 NIC1394 - ok
09:23:41.0220 5092 NICCONFIGSVC - ok
09:23:41.0236 5092 Nla - ok
09:23:41.0236 5092 NokiaSuite3 - ok
09:23:41.0251 5092 Npfs - ok
09:23:41.0251 5092 Ntfs - ok
09:23:41.0267 5092 NtLmSsp - ok
09:23:41.0267 5092 NtmsSvc - ok
09:23:41.0282 5092 Null - ok
09:23:41.0282 5092 nv - ok
09:23:41.0298 5092 NVSvc - ok
09:23:41.0298 5092 NwlnkFlt - ok
09:23:41.0298 5092 NwlnkFwd - ok
09:23:41.0313 5092 ohci1394 - ok
09:23:41.0313 5092 ose - ok
09:23:41.0329 5092 p2pgasvc - ok
09:23:41.0329 5092 p2pimsvc - ok
09:23:41.0345 5092 p2psvc - ok
09:23:41.0345 5092 Parport - ok
09:23:41.0360 5092 PartMgr - ok
09:23:41.0360 5092 ParVdm - ok
09:23:41.0376 5092 PBADRV - ok
09:23:41.0376 5092 PCI - ok
09:23:41.0391 5092 PCIDump - ok
09:23:41.0391 5092 PCIIde - ok
09:23:41.0391 5092 Pcmcia - ok
09:23:41.0407 5092 PDCOMP - ok
09:23:41.0407 5092 PDFRAME - ok
09:23:41.0422 5092 PDRELI - ok
09:23:41.0422 5092 PDRFRAME - ok
09:23:41.0438 5092 perc2 - ok
09:23:41.0438 5092 perc2hib - ok
09:23:41.0453 5092 PlugPlay - ok
09:23:41.0469 5092 PNRPSvc - ok
09:23:41.0469 5092 PolicyAgent - ok
09:23:41.0485 5092 PptpMiniport - ok
09:23:41.0485 5092 ProtectedStorage - ok
09:23:41.0500 5092 PSched - ok
09:23:41.0500 5092 Ptilink - ok
09:23:41.0500 5092 ql1080 - ok
09:23:41.0516 5092 Ql10wnt - ok
09:23:41.0516 5092 ql12160 - ok
09:23:41.0531 5092 ql1240 - ok
09:23:41.0531 5092 ql1280 - ok
09:23:41.0547 5092 RasAcd - ok
09:23:41.0547 5092 RasAuto - ok
09:23:41.0547 5092 Rasl2tp - ok
09:23:41.0562 5092 RasMan - ok
09:23:41.0562 5092 RasPppoe - ok
09:23:41.0578 5092 Raspti - ok
09:23:41.0578 5092 Rdbss - ok
09:23:41.0594 5092 RDPCDD - ok
09:23:41.0594 5092 rdpdr - ok
09:23:41.0609 5092 RDPWD - ok
09:23:41.0609 5092 RDSessMgr - ok
09:23:41.0625 5092 redbook - ok
09:23:41.0625 5092 RegSrvc - ok
09:23:41.0640 5092 RemoteAccess - ok
09:23:41.0640 5092 RemoteRegistry - ok
09:23:41.0640 5092 RMCAST - ok
09:23:41.0656 5092 ROOTMODEM - ok
09:23:41.0656 5092 RpcLocator - ok
09:23:41.0671 5092 RpcSs - ok
09:23:41.0671 5092 RSVP - ok
09:23:41.0687 5092 S24EventMonitor - ok
09:23:41.0687 5092 s24trans - ok
09:23:41.0687 5092 SamSs - ok
09:23:41.0702 5092 SCardSvr - ok
09:23:41.0702 5092 Schedule - ok
09:23:41.0718 5092 Secdrv - ok
09:23:41.0718 5092 seclogon - ok
09:23:41.0734 5092 SENS - ok
09:23:41.0734 5092 serenum - ok
09:23:41.0749 5092 Serial - ok
09:23:41.0749 5092 ServiceLayer - ok
09:23:41.0780 5092 Sfloppy - ok
09:23:41.0780 5092 ShellHWDetection - ok
09:23:41.0796 5092 Simbad - ok
09:23:41.0796 5092 SimpTcp - ok
09:23:41.0811 5092 sisagp - ok
09:23:41.0811 5092 SkypeUpdate - ok
09:23:41.0827 5092 SLIP - ok
09:23:41.0827 5092 SMTPSVC - ok
09:23:41.0843 5092 SNMP - ok
09:23:41.0843 5092 SNMPTRAP - ok
09:23:41.0858 5092 Sparrow - ok
09:23:41.0858 5092 splitter - ok
09:23:41.0874 5092 Spooler - ok
09:23:41.0874 5092 sptd - ok
09:23:41.0874 5092 SQLAgent$OTP - ok
09:23:41.0889 5092 SQLBrowser - ok
09:23:41.0889 5092 SQLSERVERAGENT - ok
09:23:41.0905 5092 SQLWriter - ok
09:23:41.0905 5092 sr - ok
09:23:41.0920 5092 srservice - ok
09:23:41.0920 5092 Srv - ok
09:23:41.0920 5092 SSDPSRV - ok
09:23:41.0936 5092 STHDA - ok
09:23:41.0936 5092 StillCam - ok
09:23:41.0951 5092 stisvc - ok
09:23:41.0951 5092 streamip - ok
09:23:41.0967 5092 swenum - ok
09:23:41.0967 5092 swmidi - ok
09:23:41.0967 5092 SwPrv - ok
09:23:41.0983 5092 symc810 - ok
09:23:41.0983 5092 symc8xx - ok
09:23:41.0998 5092 sym_hi - ok
09:23:41.0998 5092 sym_u3 - ok
09:23:42.0014 5092 sysaudio - ok
09:23:42.0014 5092 SysmonLog - ok
09:23:42.0029 5092 TapiSrv - ok
09:23:42.0029 5092 Tcpip - ok
09:23:42.0029 5092 Tcpip6 - ok
09:23:42.0045 5092 tcsd_win32.exe - ok
09:23:42.0045 5092 TDPIPE - ok
09:23:42.0060 5092 TDTCP - ok
09:23:42.0060 5092 TermDD - ok
09:23:42.0076 5092 TermService - ok
09:23:42.0076 5092 tfju17xkb.sys - ok
09:23:42.0076 5092 Themes - ok
09:23:42.0092 5092 TlntSvr - ok
09:23:42.0092 5092 toshidpt - ok
09:23:42.0107 5092 TosIde - ok
09:23:42.0107 5092 tosporte - ok
09:23:42.0123 5092 Tosrfbd - ok
09:23:42.0123 5092 Tosrfbnp - ok
09:23:42.0123 5092 Tosrfcom - ok
09:23:42.0138 5092 Tosrfhid - ok
09:23:42.0138 5092 tosrfnds - ok
09:23:42.0154 5092 TosRfSnd - ok
09:23:42.0154 5092 Tosrfusb - ok
09:23:42.0169 5092 TrkWks - ok
09:23:42.0169 5092 truecrypt - ok
09:23:42.0185 5092 tunmp - ok
09:23:42.0185 5092 Udfs - ok
09:23:42.0185 5092 ultra - ok
09:23:42.0200 5092 Update - ok
09:23:42.0200 5092 upnphost - ok
09:23:42.0216 5092 UPS - ok
09:23:42.0216 5092 USBAAPL - ok
09:23:42.0232 5092 usbaudio - ok
09:23:42.0232 5092 usbccgp - ok
09:23:42.0247 5092 USBCCID - ok
09:23:42.0247 5092 usbehci - ok
09:23:42.0263 5092 usbhub - ok
09:23:42.0263 5092 usbprint - ok
09:23:42.0263 5092 usbscan - ok
09:23:42.0278 5092 USBSTOR - ok
09:23:42.0278 5092 usbuhci - ok
09:23:42.0294 5092 VgaSave - ok
09:23:42.0294 5092 viaagp - ok
09:23:42.0309 5092 ViaIde - ok
09:23:42.0309 5092 VMCService - ok
09:23:42.0309 5092 VolSnap - ok
09:23:42.0325 5092 vsdatant - ok
09:23:42.0325 5092 VSS - ok
09:23:42.0340 5092 VX3000 - ok
09:23:42.0340 5092 w32time - ok
09:23:42.0356 5092 w39n51 - ok
09:23:42.0356 5092 W3SVC - ok
09:23:42.0356 5092 Wanarp - ok
09:23:42.0372 5092 WDICA - ok
09:23:42.0372 5092 wdmaud - ok
09:23:42.0387 5092 WebClient - ok
09:23:42.0387 5092 winachsf - ok
09:23:42.0403 5092 winmgmt - ok
09:23:42.0418 5092 WLANKEEPER - ok
09:23:42.0418 5092 WmdmPmSN - ok
09:23:42.0434 5092 Wmi - ok
09:23:42.0434 5092 WmiAcpi - ok
09:23:42.0449 5092 WmiApSrv - ok
09:23:42.0449 5092 WPFFontCache_v0400 - ok
09:23:42.0465 5092 WS2IFSL - ok
09:23:42.0465 5092 WSTCODEC - ok
09:23:42.0481 5092 wuauserv - ok
09:23:42.0481 5092 WudfPf - ok
09:23:42.0481 5092 WudfRd - ok
09:23:42.0496 5092 WudfSvc - ok
09:23:42.0496 5092 WZCSVC - ok
09:23:42.0512 5092 xmlprov - ok
09:23:42.0512 5092 ZipToA - ok
09:23:42.0574 5092 MBR (0x1B8) (3bc33f33b90167cf197dd464ca863fa0) \Device\Harddisk0\DR0
09:23:42.0605 5092 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected
09:23:42.0605 5092 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)
09:23:42.0605 5092 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
09:23:42.0605 5092 \Device\Harddisk0\DR0 - detected TDSS File System (1)
09:23:42.0652 5092 Boot (0x1200) (54638a786beb546b8451a53ffae0d3ee) \Device\Harddisk0\DR0\Partition0
09:23:42.0652 5092 \Device\Harddisk0\DR0\Partition0 - ok
09:23:42.0652 5092 ============================================================
09:23:42.0652 5092 Scan finished
09:23:42.0652 5092 ============================================================
09:23:42.0652 5676 Detected object count: 2
09:23:42.0652 5676 Actual detected object count: 2
09:25:19.0213 5676 \Device\Harddisk0\DR0\# - copied to quarantine
09:25:19.0213 5676 \Device\Harddisk0\DR0 - copied to quarantine
09:25:19.0322 5676 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
09:25:19.0462 5676 \Device\Harddisk0\DR0 - ok
09:25:19.0462 5676 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure
09:25:19.0462 5676 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:25:19.0462 5676 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
09:25:49.0077 3072 Deinitialize success


I trust this is doing the job and many thanks for your rapid response.
  • 0

#7
Render
Posted 21 June 2012 - 03:03 AM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Please post correct MBRCheck log. You posted TDSSKIller log twice.:)

WARNING!

One or more of the identified infections is known to use a backdoor.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
  • 0

#8
RichofCamelot
Posted 21 June 2012 - 03:49 AM

RichofCamelot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Render, sorry here it is

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000508c

Kernel Drivers (total 151):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7B84000 \WINDOWS\system32\KDCOM.DLL
0xF7A94000 \WINDOWS\system32\BOOTVID.dll
0xF7483000 sprl.sys
0xF7B86000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF746B000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF743D000 ACPI.sys
0xF742C000 pci.sys
0xF7684000 isapnp.sys
0xF7A98000 compbatt.sys
0xF7A9C000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7C4C000 pciide.sys
0xF7904000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF740E000 pcmcia.sys
0xF7694000 MountMgr.sys
0xF73EF000 ftdisk.sys
0xF73C9000 dmio.sys
0xF790C000 PartMgr.sys
0xF76A4000 VolSnap.sys
0xF73B1000 atapi.sys
0xF76B4000 disk.sys
0xF76C4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7391000 fltmgr.sys
0xF737F000 sr.sys
0xF730D000 mfehidk.sys
0xF72D9000 truecrypt.sys
0xF72C2000 KSecDD.sys
0xF72AF000 WudfPf.sys
0xF7222000 Ntfs.sys
0xF71F5000 NDIS.sys
0xF7914000 pbadrv.sys
0xF76D4000 ohci1394.sys
0xF76E4000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF71DB000 Mup.sys
0xF7704000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF67A7000 \SystemRoot\system32\DRIVERS\tunmp.sys
0xF77D4000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF67A3000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF679F000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6429000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF6415000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF63ED000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6290000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xF626D000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF7964000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6249000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF796C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF77E4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF622E000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xF7974000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF797C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77F4000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7B64000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7804000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7814000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7824000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF620B000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7984000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7834000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xF61F0000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xF7CB9000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF61DD000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF7BC4000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF798C000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7844000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B78000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF61C6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7854000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7864000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7994000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF618D000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7874000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF6162000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF5F04000 \SystemRoot\system32\drivers\mfefirek.sys
0xF799C000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF79A4000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5EAC000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF6884000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BC6000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7BC8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5D13000 \SystemRoot\system32\DRIVERS\update.sys
0xF716A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF6854000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xF6804000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF36F6000 \SystemRoot\system32\drivers\sthda.sys
0xF36D2000 \SystemRoot\system32\drivers\portcls.sys
0xF7884000 \SystemRoot\system32\drivers\drmk.sys
0xF35F8000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xF3501000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xF3431000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xF7754000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7BFE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF61AA000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7C02000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7DA7000 \SystemRoot\System32\Drivers\Null.SYS
0xF7C04000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7A44000 \SystemRoot\System32\drivers\vga.sys
0xF7C06000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7C0A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A54000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A5C000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF61A2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF2A0F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF285D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF2848000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xF27F8000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7784000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF27C0000 \SystemRoot\system32\DRIVERS\tcpip6.sys
0xF5EE8000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF279E000 \SystemRoot\System32\drivers\afd.sys
0xF7794000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF77A4000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF2773000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF2703000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF77B4000 \SystemRoot\System32\Drivers\Fips.SYS
0xF36A2000 \SystemRoot\system32\DRIVERS\usbccid.sys
0xF58AB000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
0xF7DB5000 \SystemRoot\System32\Drivers\BANTExt.sys
0xF2F8E000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xF7714000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7BEE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF2F92000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7A24000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF184F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF3D6000 \SystemRoot\System32\ATMFD.DLL
0xF7924000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xF283C000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xBA594000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBA303000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA148000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xBA028000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA12C000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB9EF9000 \??\C:\WINDOWS\system32\drivers\mqac.sys
0xB9D0F000 \??\C:\WINDOWS\system32\drivers\RMCast.sys
0xB955F000 \SystemRoot\system32\drivers\mfeapfk.sys
0xB9E31000 \SystemRoot\system32\drivers\mfebopk.sys
0xB999B000 \SystemRoot\system32\drivers\cfwids.sys
0xB9406000 \SystemRoot\System32\Drivers\HTTP.sys
0xB92B1000 \SystemRoot\system32\drivers\wdmaud.sys
0xB94FF000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7BA0000 \SystemRoot\system32\drivers\splitter.sys
0xB928E000 \SystemRoot\system32\drivers\aec.sys
0xB947F000 \SystemRoot\system32\drivers\swmidi.sys
0xB96B3000 \SystemRoot\system32\drivers\DMusic.sys
0xB91C3000 \SystemRoot\system32\drivers\kmixer.sys
0xF7CDB000 \SystemRoot\system32\drivers\drmkaud.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 62):
0 System Idle Process
4 System
416 C:\WINDOWS\system32\smss.exe
472 csrss.exe
496 C:\WINDOWS\system32\winlogon.exe
540 C:\WINDOWS\system32\services.exe
552 C:\WINDOWS\system32\lsass.exe
748 C:\WINDOWS\system32\svchost.exe
844 svchost.exe
1108 C:\WINDOWS\system32\svchost.exe
1148 C:\WINDOWS\system32\svchost.exe
1216 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1276 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1320 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
1388 svchost.exe
1672 svchost.exe
192 C:\WINDOWS\system32\spoolsv.exe
316 scardsvr.exe
1460 svchost.exe
1720 msdtc.exe
1800 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
1812 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1832 C:\Program Files\Bonjour\mDNSResponder.exe
1872 C:\WINDOWS\system32\cisvc.exe
1060 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1072 C:\Program Files\Wave Systems Corp\common\DataServer.exe
1236 C:\WINDOWS\system32\inetsrv\inetinfo.exe
1636 C:\MBL\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe
636 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
784 C:\Program Files\Common Files\Motive\McciCMService.exe
924 C:\WINDOWS\system32\mfevtps.exe
976 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
1004 C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
1028 C:\Program Files\Microsoft SQL Server\MSSQL$OTP\Binn\sqlservr.exe
1044 C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
2072 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
2116 C:\WINDOWS\system32\nvsvc32.exe
2156 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2388 C:\WINDOWS\system32\tcpsvcs.exe
2700 C:\WINDOWS\system32\snmp.exe
2724 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
2812 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2840 C:\WINDOWS\system32\svchost.exe
2912 C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
2980 C:\WINDOWS\system32\wbem\wmiapsrv.exe
3272 C:\WINDOWS\system32\svchost.exe
3656 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
3780 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
3816 C:\WINDOWS\system32\mqsvc.exe
344 C:\WINDOWS\system32\mqtgsvc.exe
884 C:\WINDOWS\system32\svchost.exe
2560 C:\WINDOWS\explorer.exe
3372 C:\WINDOWS\system32\rundll32.exe
2740 C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe
2144 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
3616 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
964 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
2036 C:\Program Files\McAfee.com\Agent\mcagent.exe
3540 C:\Program Files\TrueCrypt\truecrypt.exe
3096 C:\WINDOWS\system32\cidaemon.exe
5684 C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
6116 C:\Documents and Settings\richards\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`05e21800 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK1032GSX, Rev: AS022D

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 03C2A001BA85356C3420F9D4205290A5DCF7F6D7


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
  • 0

#9
Render
Posted 21 June 2012 - 03:54 AM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
OK. Lets run another tool for second opinion as follows:

Posted Image Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  • CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  • If you are using personal certificates I recommend you to export them before running ComboFix and save them to external media.
Please carefully follow all steps below:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.
  • 0

#10
RichofCamelot
Posted 21 June 2012 - 06:36 AM

RichofCamelot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Render,

Well combofix has taken 2hours 10 minutes and a couple of reboots to get the job done so far.

My desktop seems restored to normal and WMI is working. so it seems that all is well.

I look forward to your response and thank you once again as I suspect you have resolved the problems

Combofix found rootkit.zeroaccess about which it was not happy but I expect you will find that in the report which is below.

Many thanks I hope that is it but if we need to do more then bring it on!

ComboFix 12-06-21.01 - richards 21/06/12 11:37:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.298 [GMT 1:00]
Running from: c:\documents and settings\richards\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LocalService\Local Settings\Application Data\assembly\tmp
c:\documents and settings\NetworkService\Local Settings\Application Data\assembly\tmp
c:\documents and settings\richards\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\richards\g2mdlhlpx.exe
c:\documents and settings\richards\GoToAssistDownloadHelper.exe
c:\documents and settings\richards\Local Settings\Temporary Internet Files\mcc47.tmp
c:\documents and settings\richards\WINDOWS
C:\Install.exe
C:\Microsoft
c:\microsoft\Small Business Accounting\AnalysisToolsReportRegistrations.xml
c:\program files\LP
c:\program files\LP\50B2\DB.tmp
c:\program files\LP\50B2\EF.tmp
c:\program files\LP\50B7\52.tmp
c:\program files\LP\50B7\8B.tmp
c:\windows\$NtUninstallKB25497$
c:\windows\$NtUninstallKB25497$\108197291
c:\windows\$NtUninstallKB25497$\3828906078\@
c:\windows\$NtUninstallKB25497$\3828906078\L\iahonoel
c:\windows\$NtUninstallKB25497$\3828906078\loader.tlb
c:\windows\$NtUninstallKB25497$\3828906078\U\@00000001
c:\windows\$NtUninstallKB25497$\3828906078\U\@000000c0
c:\windows\$NtUninstallKB25497$\3828906078\U\@000000cb
c:\windows\$NtUninstallKB25497$\3828906078\U\@000000cf
c:\windows\$NtUninstallKB25497$\3828906078\U\@80000000
c:\windows\$NtUninstallKB25497$\3828906078\U\@800000c0
c:\windows\$NtUninstallKB25497$\3828906078\U\@800000cb
c:\windows\$NtUninstallKB25497$\3828906078\U\@800000cf
c:\windows\dasetup.log
c:\windows\Downloaded Program Files\setup.dll
c:\windows\EventSystem.log
c:\windows\Not slrundll exe.txt
c:\windows\setupapi.log
c:\windows\system32\
c:\windows\system32\1815870565.dat
c:\windows\system32\Cache
c:\windows\system32\CddbCdda.dll
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\ekd.txt
c:\windows\system32\install.exe
c:\windows\system32\regobj.dll
c:\windows\system32\rnaph.dll
c:\windows\system32\test
.
c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\system32\dllcache\grpconv.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FAD
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
.
2012-06-21 11:35 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2012-06-21 08:25 . 2012-06-21 08:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-16 10:02 . 2012-06-16 10:02 -------- d-----w- c:\documents and settings\richards\Application Data\DriverCure
2012-06-16 10:02 . 2012-06-16 10:02 -------- d-----w- c:\documents and settings\richards\Application Data\SpeedMaxPc
2012-06-16 10:01 . 2012-06-16 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2012-06-16 09:07 . 2012-06-16 09:08 -------- d-----w- C:\WMI Diagnostics
2012-06-16 07:04 . 2012-06-16 07:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FixItCenter
2012-06-14 14:01 . 2001-08-17 12:50 14848 ----a-w- c:\windows\system32\dllcache\cyclom-y.sys
2012-06-14 14:00 . 2004-08-04 04:00 780885 ----a-w- c:\windows\system32\dllcache\chkrres.dll
2012-06-14 13:59 . 2001-08-17 12:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-06-14 13:58 . 2001-08-17 11:49 23552 ----a-w- c:\windows\system32\dllcache\atixbar.sys
2012-06-14 13:57 . 2001-08-17 11:11 46112 ----a-w- c:\windows\system32\dllcache\adptsf50.sys
2012-06-14 13:39 . 2012-06-14 13:39 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-14 12:15 . 2012-06-14 12:15 14664 ----a-w- c:\windows\stinger.sys
2012-06-14 12:14 . 2012-06-14 12:52 -------- d-----w- c:\program files\stinger
2012-06-13 09:07 . 2012-06-13 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
2012-06-13 09:02 . 2012-06-13 09:02 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\PackageAware
2012-06-12 22:44 . 2012-06-12 22:44 -------- d-----w- c:\documents and settings\richards\Phone Browser
2012-06-12 17:57 . 2012-06-12 17:57 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\FixItCenter
2012-06-12 17:49 . 2012-06-12 17:49 -------- d-----w- c:\windows\MATS
2012-06-12 17:49 . 2012-06-12 17:49 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-06-12 08:57 . 2012-06-12 08:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2012-06-11 07:43 . 2012-03-20 12:06 29272 ----a-w- c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
2012-06-11 07:43 . 2012-02-22 12:29 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-06-11 07:42 . 2012-06-14 12:14 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-06-11 07:42 . 2012-02-22 12:29 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-06-11 07:42 . 2012-02-22 12:29 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-06-11 07:42 . 2012-02-22 12:29 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-06-11 07:42 . 2012-02-22 12:29 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-06-11 07:42 . 2012-02-22 12:29 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-06-11 07:42 . 2012-02-22 12:29 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-06-11 07:42 . 2012-06-12 08:50 -------- d-----w- c:\program files\Common Files\Mcafee
2012-06-11 07:42 . 2012-06-12 08:49 -------- d-----w- c:\program files\McAfee.com
2012-06-11 07:33 . 2012-06-14 12:14 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-06-04 22:26 . 2012-06-04 22:26 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-14 12:14 . 2012-02-22 12:29 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-06-02 14:19 . 2007-06-22 06:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2007-06-22 06:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2004-08-11 16:12 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2004-08-11 16:12 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2004-08-11 16:12 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2007-06-22 06:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2005-05-26 03:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2004-08-11 16:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2004-08-11 16:12 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2004-08-11 16:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2007-06-22 06:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2004-08-11 16:12 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2004-08-11 16:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2010-07-31 09:52 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2010-07-31 09:52 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 14:18 . 2009-08-06 18:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-11 16:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-18 06:27 . 2012-05-18 06:27 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-18 06:27 . 2011-06-05 07:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 15:08 . 2004-08-11 16:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-11 16:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-11 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-11 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-11 16:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-11 16:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 21:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2004-08-11 16:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2010-08-02 15:07 . 2010-08-02 15:07 607744 ----a-w- c:\program files\MBLOBPSetup.msi
2011-04-14 13:01 . 2010-08-09 17:22 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2009-09-25 1369792]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"btbb_McciTrayApp"="c:\program files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"Halifax GI - Intermediaries"="c:\program files\Halifax GI - Intermediaries\Halifax GI - Intermediaries.exe" [2012-06-16 3667456]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-21 1318816]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk.disabled
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^richards.LFS^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\richards.LFS\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^richards.LFS^Start Menu^Programs^Startup^TomTom HOME.lnk.disabled]
path=c:\documents and settings\richards.LFS\Start Menu\Programs\Startup\TomTom HOME.lnk.disabled
backup=c:\windows\pss\TomTom HOME.lnk.disabledStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 19:05 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2009-09-18 17:48 2412032 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\mobileconnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-06-18 15:10 271360 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\launchapplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-02-29 07:55 17148552 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)
"iPod Service"=3 (0x3)
"CCALib8"=2 (0x2)
"Canon Driver Information Assist Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell QuickSet"=c:\program files\dell\quickset\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/06/12 08:42 89792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/06/12 08:42 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/06/12 08:42 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/06/12 08:42 83856]
S2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [13/12/06 08:44 8544]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [25/01/10 15:45 112640]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [25/01/10 15:47 100480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/06/12 08:42 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/06/12 08:42 87656]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-06-21 c:\windows\Tasks\At25.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-11-16 20:12]
.
2012-06-05 c:\windows\Tasks\At26.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-11-16 20:12]
.
2012-06-20 c:\windows\Tasks\At27.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-11-16 20:12]
.
2012-06-20 c:\windows\Tasks\At28.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-11-16 20:12]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6bc3a10a49e1.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 22:10]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 22:10]
.
2007-09-28 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-01-13 01:48]
.
2008-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
- c:\windows\vVX3000.exe [2007-09-28 23:38]
.
2010-07-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: aegonse.co.uk\www
Trusted Zone: logmeinrescue.com\secure
Trusted Zone: uk.com\apps.openwork
Trusted Zone: uk.com\prodexternaldpos.openwork
Trusted Zone: uk.com\prodexternaltandc.openwork
Trusted Zone: uk.com\www.openwork
Trusted Zone: unipass.co.uk\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\richards\Application Data\Mozilla\Firefox\Profiles\bd1egsa0.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.btbroadbandoffice.com/homepage
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58727
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {4ED1F68A-5463-4931-9384-8FFF5ED91D92} - c:\program files\McAfee\SiteAdvisor
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-CanonMyPrinter - c:\program files\Canon\MyPrinter\BJMyPrt.exe
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
AddRemove-PremierBuilder - Test Insurer - Halifax GI - Intermediaries - c:\program files\Halifax GI - Intermediaries\Halifax GI - Intermediaries
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}\bm_installer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-21 12:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3533930121-66260186-3188412238-1135\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¸*¬ 0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(548)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
- - - - - - - > 'explorer.exe'(1292)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\mbl\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\mfevtps.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL$OTP\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\mqsvc.exe
c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
.
**************************************************************************
.
Completion time: 2012-06-21 13:08:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-21 12:07
.
Pre-Run: 41,186,598,912 bytes free
Post-Run: 41,308,200,960 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A5F3167A65268ABCD7CB96E95695E549
  • 0

Advertisements

#11
Render
Posted 21 June 2012 - 10:28 AM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
CF log looks promising. ZA rootkit was removed. Do the following now:

You are running a proxy in Firefox:
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58727
FF - prefs.js: network.proxy.type - 1

Is this something you installed? If not:

In FireFox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

NEXT...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

AtJob::

File::
c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#12
RichofCamelot
Posted 22 June 2012 - 01:48 AM

RichofCamelot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Goodday Render,

Sorry I had to attend to other things and a little sleep!

Thanks foryour continued efforts.

I ran combofix with the script and while running it received a microsoft message "PEV.exe encountered a problem and had to be closed" I sent the ms report.

Combofix took just 30 minutes today!

here is the report :

ComboFix 12-06-21.03 - RichardS 22/06/12 8:07.2.2 - x86
Running from: c:\documents and settings\richards\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\richards\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\assembly\tmp
c:\documents and settings\richards\Local Settings\Temporary Internet Files\mcc97.tmp
c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
.
.
((((((((((((((((((((((((( Files Created from 2012-05-22 to 2012-06-22 )))))))))))))))))))))))))))))))
.
.
2012-06-21 11:35 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2012-06-21 08:25 . 2012-06-21 08:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-16 10:02 . 2012-06-16 10:02 -------- d-----w- c:\documents and settings\richards\Application Data\DriverCure
2012-06-16 10:02 . 2012-06-16 10:02 -------- d-----w- c:\documents and settings\richards\Application Data\SpeedMaxPc
2012-06-16 10:01 . 2012-06-16 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2012-06-16 09:07 . 2012-06-16 09:08 -------- d-----w- C:\WMI Diagnostics
2012-06-16 07:04 . 2012-06-16 07:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FixItCenter
2012-06-14 14:00 . 2004-08-04 04:00 780885 ----a-w- c:\windows\system32\dllcache\chkrres.dll
2012-06-14 13:59 . 2001-08-17 12:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-06-14 13:58 . 2001-08-17 11:49 23552 ----a-w- c:\windows\system32\dllcache\atixbar.sys
2012-06-14 13:57 . 2001-08-17 11:11 46112 ----a-w- c:\windows\system32\dllcache\adptsf50.sys
2012-06-14 13:39 . 2012-06-14 13:39 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-14 12:15 . 2012-06-14 12:15 14664 ----a-w- c:\windows\stinger.sys
2012-06-14 12:14 . 2012-06-14 12:52 -------- d-----w- c:\program files\stinger
2012-06-13 09:07 . 2012-06-13 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
2012-06-13 09:02 . 2012-06-13 09:02 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\PackageAware
2012-06-12 22:44 . 2012-06-12 22:44 -------- d-----w- c:\documents and settings\richards\Phone Browser
2012-06-12 17:57 . 2012-06-12 17:57 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\FixItCenter
2012-06-12 17:49 . 2012-06-12 17:49 -------- d-----w- c:\windows\MATS
2012-06-12 17:49 . 2012-06-12 17:49 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-06-12 08:57 . 2012-06-12 08:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2012-06-11 07:43 . 2012-03-20 12:06 29272 ----a-w- c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
2012-06-11 07:43 . 2012-02-22 12:29 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-06-11 07:42 . 2012-06-14 12:14 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-06-11 07:42 . 2012-02-22 12:29 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-06-11 07:42 . 2012-02-22 12:29 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-06-11 07:42 . 2012-02-22 12:29 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-06-11 07:42 . 2012-02-22 12:29 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-06-11 07:42 . 2012-02-22 12:29 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-06-11 07:42 . 2012-02-22 12:29 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-06-11 07:42 . 2012-06-12 08:50 -------- d-----w- c:\program files\Common Files\Mcafee
2012-06-11 07:42 . 2012-06-12 08:49 -------- d-----w- c:\program files\McAfee.com
2012-06-11 07:33 . 2012-06-14 12:14 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-06-04 22:26 . 2012-06-04 22:26 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-14 12:14 . 2012-02-22 12:29 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-06-02 14:19 . 2007-06-22 06:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2007-06-22 06:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2004-08-11 16:12 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2004-08-11 16:12 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2004-08-11 16:12 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2007-06-22 06:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2005-05-26 03:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2004-08-11 16:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2004-08-11 16:12 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2004-08-11 16:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2007-06-22 06:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2004-08-11 16:12 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2004-08-11 16:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2010-07-31 09:52 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2010-07-31 09:52 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 14:18 . 2009-08-06 18:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-11 16:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-18 06:27 . 2012-05-18 06:27 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-18 06:27 . 2011-06-05 07:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 15:08 . 2004-08-11 16:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-11 16:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-11 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-11 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-11 16:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-11 16:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 21:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2004-08-11 16:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2010-08-02 15:07 . 2010-08-02 15:07 607744 ----a-w- c:\program files\MBLOBPSetup.msi
2011-04-14 13:01 . 2010-08-09 17:22 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
<pre>
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\system32\browserchoice .exe
c:\windows\system32\rundll32 .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2009-09-25 1369792]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"btbb_McciTrayApp"="c:\program files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"Halifax GI - Intermediaries"="c:\program files\Halifax GI - Intermediaries\Halifax GI - Intermediaries.exe" [2012-06-16 3667456]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-21 1318816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk.disabled
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^richards.LFS^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\richards.LFS\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^richards.LFS^Start Menu^Programs^Startup^TomTom HOME.lnk.disabled]
path=c:\documents and settings\richards.LFS\Start Menu\Programs\Startup\TomTom HOME.lnk.disabled
backup=c:\windows\pss\TomTom HOME.lnk.disabledStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 19:05 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2009-09-18 17:48 2412032 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\mobileconnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-06-18 15:10 271360 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\launchapplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-02-29 07:55 17148552 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)
"iPod Service"=3 (0x3)
"CCALib8"=2 (0x2)
"Canon Driver Information Assist Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell QuickSet"=c:\program files\dell\quickset\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25/09/09 10:12 717296]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/06/12 08:42 89792]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [11/08/04 17:00 14336]
R2 MBServiceHost;MB Service Host;c:\mbl\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe [30/11/10 14:16 29184]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/06/12 08:42 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/06/12 08:42 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/06/12 08:42 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [11/06/12 08:43 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/06/12 08:33 159608]
R2 MSSQL$ETI;SQL Server (ETI);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [10/12/10 19:29 29293408]
R2 MSSQL$MBRAIN;SQL Server (MBRAIN);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/12/10 19:29 29293408]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [18/09/09 19:48 10752]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/06/12 08:42 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/06/12 08:42 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/06/12 08:42 83856]
S2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [13/12/06 08:44 8544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/09/10 23:10 136176]
S2 MSSQL$OTP;MSSQL$OTP;c:\program files\Microsoft SQL Server\MSSQL$OTP\Binn\sqlservr.exe [04/05/05 01:04 9158656]
S2 NokiaSuite3;NokiaSuite3;c:\windows\system32\drivers\NokiaSuite3.sys [26/05/06 07:39 837696]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29/02/12 08:50 158856]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [25/01/10 15:45 112640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [27/09/10 23:10 136176]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [25/01/10 15:47 100480]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [13/06/11 22:09 267568]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/06/12 08:42 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/06/12 08:42 87656]
S3 SQLAgent$OTP;SQLAgent$OTP;c:\program files\Microsoft SQL Server\MSSQL$OTP\Binn\sqlagent.EXE [03/05/05 22:42 323584]
S3 tfju17xkb.sys;tfju17xkb.sys;\??\c:\windows\system32\drivers\tfju17xkb.sys --> c:\windows\system32\drivers\tfju17xkb.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6bc3a10a49e1.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 22:10]
.
2012-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 22:10]
.
2007-09-28 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-01-13 01:48]
.
2008-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
- c:\windows\vVX3000.exe [2007-09-28 23:38]
.
2010-07-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: aegonse.co.uk\www
Trusted Zone: logmeinrescue.com\secure
Trusted Zone: uk.com\apps.openwork
Trusted Zone: uk.com\prodexternaldpos.openwork
Trusted Zone: uk.com\prodexternaltandc.openwork
Trusted Zone: uk.com\www.openwork
Trusted Zone: unipass.co.uk\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\richards\Application Data\Mozilla\Firefox\Profiles\bd1egsa0.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.btbroadbandoffice.com/homepage
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: McAfee SiteAdvisor: {4ED1F68A-5463-4931-9384-8FFF5ED91D92} - c:\program files\McAfee\SiteAdvisor
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-22 08:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3533930121-66260186-3188412238-1135\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¸*¬ 0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(592)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2012-06-22 08:35:53
ComboFix-quarantined-files.txt 2012-06-22 07:35
.
Pre-Run: 41,314,693,120 bytes free
Post-Run: 41,263,259,648 bytes free
.
- - End Of File - - 2AC70D4E235265614657A808151C86BB
  • 0

#13
Render
Posted 23 June 2012 - 12:18 PM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\system32\browserchoice .exe
c:\windows\system32\rundll32 .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#14
RichofCamelot
Posted 24 June 2012 - 03:20 AM

RichofCamelot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Render,
Sorry you caught me at an openair concert with your lasst message.
I ran conbofix with your script, but combofix asked me to update to a later version and restarted itself so I do not know if the script ran, you will know better I am sure.

Thank you once again, it seems it needs much more than I thought and I am most greatful.

Here is the report:

ComboFix 12-06-23.06 - RichardS 24/06/12 9:37.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.326 [GMT 1:00]
Running from: c:\documents and settings\richards\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\richards\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\assembly\tmp
c:\documents and settings\richards\Local Settings\Temporary Internet Files\mcc2A.tmp
c:\documents and settings\richards\Local Settings\Temporary Internet Files\mcc53.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-21 11:35 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2012-06-21 08:25 . 2012-06-21 08:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-16 10:02 . 2012-06-16 10:02 -------- d-----w- c:\documents and settings\richards\Application Data\DriverCure
2012-06-16 10:02 . 2012-06-16 10:02 -------- d-----w- c:\documents and settings\richards\Application Data\SpeedMaxPc
2012-06-16 10:01 . 2012-06-16 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2012-06-16 09:07 . 2012-06-16 09:08 -------- d-----w- C:\WMI Diagnostics
2012-06-16 07:04 . 2012-06-16 07:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FixItCenter
2012-06-14 14:01 . 2001-08-17 12:50 14848 ----a-w- c:\windows\system32\dllcache\cyclom-y.sys
2012-06-14 14:00 . 2004-08-04 04:00 780885 ----a-w- c:\windows\system32\dllcache\chkrres.dll
2012-06-14 13:59 . 2001-08-17 12:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-06-14 13:58 . 2001-08-17 11:49 23552 ----a-w- c:\windows\system32\dllcache\atixbar.sys
2012-06-14 13:57 . 2001-08-17 11:11 46112 ----a-w- c:\windows\system32\dllcache\adptsf50.sys
2012-06-14 13:39 . 2012-06-14 13:39 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-14 12:15 . 2012-06-14 12:15 14664 ----a-w- c:\windows\stinger.sys
2012-06-14 12:14 . 2012-06-14 12:52 -------- d-----w- c:\program files\stinger
2012-06-13 09:07 . 2012-06-13 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
2012-06-13 09:02 . 2012-06-13 09:02 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\PackageAware
2012-06-12 22:44 . 2012-06-12 22:44 -------- d-----w- c:\documents and settings\richards\Phone Browser
2012-06-12 17:57 . 2012-06-12 17:57 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\FixItCenter
2012-06-12 17:49 . 2012-06-12 17:49 -------- d-----w- c:\windows\MATS
2012-06-12 17:49 . 2012-06-12 17:49 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-06-12 08:57 . 2012-06-12 08:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2012-06-11 07:43 . 2012-03-20 12:06 29272 ----a-w- c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
2012-06-11 07:43 . 2012-02-22 12:29 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-06-11 07:42 . 2012-06-14 12:14 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-06-11 07:42 . 2012-02-22 12:29 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-06-11 07:42 . 2012-02-22 12:29 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-06-11 07:42 . 2012-02-22 12:29 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-06-11 07:42 . 2012-02-22 12:29 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-06-11 07:42 . 2012-02-22 12:29 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-06-11 07:42 . 2012-02-22 12:29 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-06-11 07:42 . 2012-06-12 08:50 -------- d-----w- c:\program files\Common Files\Mcafee
2012-06-11 07:42 . 2012-06-12 08:49 -------- d-----w- c:\program files\McAfee.com
2012-06-11 07:33 . 2012-06-14 12:14 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-06-04 22:26 . 2012-06-04 22:26 -------- d-----w- c:\documents and settings\richards\Local Settings\Application Data\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-14 12:14 . 2012-02-22 12:29 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-06-02 14:19 . 2007-06-22 06:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2007-06-22 06:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2004-08-11 16:12 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2004-08-11 16:12 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2004-08-11 16:12 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2007-06-22 06:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2005-05-26 03:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2004-08-11 16:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2004-08-11 16:12 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2004-08-11 16:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2007-06-22 06:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2004-08-11 16:12 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2004-08-11 16:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2010-07-31 09:52 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2010-07-31 09:52 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 14:18 . 2009-08-06 18:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-11 16:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-18 06:27 . 2012-05-18 06:27 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-18 06:27 . 2011-06-05 07:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 15:08 . 2004-08-11 16:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-11 16:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-11 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-11 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-11 16:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-11 16:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 21:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2004-08-11 16:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2010-08-02 15:07 . 2010-08-02 15:07 607744 ----a-w- c:\program files\MBLOBPSetup.msi
2011-04-14 13:01 . 2010-08-09 17:22 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-22_07.28.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-24 08:16 . 2012-06-24 08:16 16384 c:\windows\Temp\Perflib_Perfdata_ac0.dat
+ 2012-06-24 08:16 . 2012-06-24 08:16 16384 c:\windows\Temp\Perflib_Perfdata_648.dat
+ 2012-06-24 08:16 . 2012-06-24 08:16 16384 c:\windows\Temp\Perflib_Perfdata_40c.dat
+ 2012-06-24 08:16 . 2012-06-24 08:16 16384 c:\windows\Temp\Perflib_Perfdata_3ec.dat
+ 2012-06-24 08:16 . 2012-06-24 08:16 16384 c:\windows\Temp\Perflib_Perfdata_3d0.dat
+ 2012-06-19 15:32 . 2012-06-23 12:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2012-06-19 15:32 . 2012-06-22 06:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2012-06-19 15:32 . 2012-06-22 06:41 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-06-19 15:32 . 2012-06-23 12:47 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2012-06-19 15:32 . 2012-06-22 06:41 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2012-06-19 15:32 . 2012-06-23 12:47 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2012-06-22 13:06 . 2012-06-23 12:47 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-11 16:00 . 2012-06-24 08:22 764018 c:\windows\system32\perfh009.dat
- 2004-08-11 16:00 . 2012-06-22 06:32 764018 c:\windows\system32\perfh009.dat
- 2004-08-11 16:00 . 2012-06-22 06:32 186770 c:\windows\system32\perfc009.dat
+ 2004-08-11 16:00 . 2012-06-24 08:22 186770 c:\windows\system32\perfc009.dat
+ 2012-06-03 13:45 . 2012-06-24 08:20 224895 c:\windows\system32\inetsrv\MetaBase.bin
- 2010-04-20 10:42 . 2010-02-12 10:03 293376 c:\windows\system32\browserchoice.exe
+ 2010-04-17 11:59 . 2010-02-12 10:03 293376 c:\windows\system32\browserchoice.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2009-09-25 1369792]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"btbb_McciTrayApp"="c:\program files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"Halifax GI - Intermediaries"="c:\program files\Halifax GI - Intermediaries\Halifax GI - Intermediaries.exe" [2012-06-16 3667456]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-21 1318816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk.disabled
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^richards.LFS^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\richards.LFS\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^richards.LFS^Start Menu^Programs^Startup^TomTom HOME.lnk.disabled]
path=c:\documents and settings\richards.LFS\Start Menu\Programs\Startup\TomTom HOME.lnk.disabled
backup=c:\windows\pss\TomTom HOME.lnk.disabledStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 19:05 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2009-09-18 17:48 2412032 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\mobileconnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-06-18 15:10 271360 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\launchapplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-02-29 07:55 17148552 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)
"iPod Service"=3 (0x3)
"CCALib8"=2 (0x2)
"Canon Driver Information Assist Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell QuickSet"=c:\program files\dell\quickset\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25/09/09 10:12 717296]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/06/12 08:42 89792]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [11/08/04 17:00 14336]
R2 MBServiceHost;MB Service Host;c:\mbl\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe [30/11/10 14:16 29184]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/06/12 08:42 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/06/12 08:42 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/06/12 08:42 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [11/06/12 08:43 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/06/12 08:33 159608]
R2 MSSQL$ETI;SQL Server (ETI);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [10/12/10 19:29 29293408]
R2 MSSQL$MBRAIN;SQL Server (MBRAIN);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/12/10 19:29 29293408]
R2 MSSQL$OTP;MSSQL$OTP;c:\program files\Microsoft SQL Server\MSSQL$OTP\Binn\sqlservr.exe [04/05/05 01:04 9158656]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [18/09/09 19:48 10752]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/06/12 08:42 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/06/12 08:42 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/06/12 08:42 83856]
S2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [13/12/06 08:44 8544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/09/10 23:10 136176]
S2 NokiaSuite3;NokiaSuite3;c:\windows\system32\drivers\NokiaSuite3.sys [26/05/06 07:39 837696]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29/02/12 08:50 158856]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [25/01/10 15:45 112640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [27/09/10 23:10 136176]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [25/01/10 15:47 100480]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [13/06/11 22:09 267568]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/06/12 08:42 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/06/12 08:42 87656]
S3 SQLAgent$OTP;SQLAgent$OTP;c:\program files\Microsoft SQL Server\MSSQL$OTP\Binn\sqlagent.EXE [03/05/05 22:42 323584]
S3 tfju17xkb.sys;tfju17xkb.sys;\??\c:\windows\system32\drivers\tfju17xkb.sys --> c:\windows\system32\drivers\tfju17xkb.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6bc3a10a49e1.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 22:10]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 22:10]
.
2007-09-28 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-01-13 01:48]
.
2008-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
- c:\windows\vVX3000.exe [2007-09-28 23:38]
.
2010-07-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: aegonse.co.uk\www
Trusted Zone: logmeinrescue.com\secure
Trusted Zone: uk.com\apps.openwork
Trusted Zone: uk.com\prodexternaldpos.openwork
Trusted Zone: uk.com\prodexternaltandc.openwork
Trusted Zone: uk.com\www.openwork
Trusted Zone: unipass.co.uk\www
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\richards\Application Data\Mozilla\Firefox\Profiles\bd1egsa0.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.btbroadbandoffice.com/homepage
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: McAfee SiteAdvisor: {4ED1F68A-5463-4931-9384-8FFF5ED91D92} - c:\program files\McAfee\SiteAdvisor
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-24 09:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3533930121-66260186-3188412238-1135\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¸*¬ 0 ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(556)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2012-06-24 10:04:49
ComboFix-quarantined-files.txt 2012-06-24 09:04
ComboFix2.txt 2012-06-22 07:35
.
Pre-Run: 41,404,706,816 bytes free
Post-Run: 41,354,813,440 bytes free
.
- - End Of File - - 7D3711C78AB27A561D470C72CC4E90E3
  • 0

#15
Render
Posted 24 June 2012 - 08:59 AM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Please run this script once again:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\system32\browserchoice .exe
c:\windows\system32\rundll32 .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP