
Tried to run DDS...freezing up after several minutes

66 replies to this topic

#1 pandamom

Posted 25 June 2012 - 05:27 PM

I have a virus on my computer (tr/atraps.gen) and so I went through the Preparation Guide, and when I got to the point of running DDS to create log files, my computer freezes up. What should I do now?

// edited 4:55pm:

I saw another post that suggested running RSIT so here are the logs:

RSIT INFO:

info.txt logfile of random's system information tool 1.09 2012-06-25 16:51:30

======Uninstall list======

Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}
Adobe Digital Editions-->"C:\Program Files\Adobe\Adobe Digital Editions\uninstall.exe"
Adobe Flash Player 11 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe -maintain activex
Adobe Reader X (10.1.3)-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AA1000000001}
Apple Application Support-->MsiExec.exe /I{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}
Apple Mobile Device Support-->MsiExec.exe /I{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}
Apple Software Update-->MsiExec.exe /I{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}
Avira Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bing Bar-->MsiExec.exe /X{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}
Bing Rewards Client Installer-->MsiExec.exe /X{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}
Bonjour-->MsiExec.exe /X{79155F2B-9895-49D7-8612-D92580E0DE5B}
Broadcom Gigabit NetLink Controller-->MsiExec.exe /X{A325B368-A9EC-40EF-A95C-9DEAD3683AE3}
Broadcom Management Programs-->MsiExec.exe /X{5DB87A63-9420-48CC-9F9A-B8801D38D6B5}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
D3DX10-->MsiExec.exe /X{E09C4DB7-630C-4F06-A631-8EA7239923AF}
Dell Backup and Recovery Manager-->MsiExec.exe /I{4688EB75-28E2-4731-9BCB-55E624F7CD45}
Dell Edoc Viewer-->MsiExec.exe /I{3138EAD3-700B-4A10-B617-B3F8096EE30D}
Dell Support Center-->C:\PROGRA~1\DELLSU~1\uninst.exe
Dell Support Center-->MsiExec.exe /X{0090A87C-3E0E-43D4-AA71-A71B06563A4A}
Do Not Track Plus Add-on 1.0.5403.0217-->"C:\Program Files\DoNotTrackPlus\unins000.exe"
Exterminate It!-->C:\Program Files\Exterminate It!\ExterminateIt_Uninst.exe
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_F91D44FAA5479127.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
GoToAssist Corporate-->C:\Program Files\Citrix\GoToAssist\615\G2AUninstaller.exe /uninstall
GoToAssist Customer 1.5.0.274-->"C:\Program Files\Citrix\GoToAssist Express Customer\274\g2ax_uninstaller_customer.exe" /uninstall "/ResourceDll g2ax_customer_resource_win32_x86_en_US_274.dll"
HP Officejet 6500 E710n-z Basic Device Software-->MsiExec.exe /I{600AB648-F79B-41EC-B426-A49A7DB121EA}
HP Officejet 6500 E710n-z Help-->MsiExec.exe /I{130E5108-547F-4482-91EE-F45C784E08C7}
HP Officejet 6500 E710n-z Product Improvement Study-->MsiExec.exe /I{FAABDC10-41B3-4A4C-A76E-C02CB9BE2A5E}
HP Update-->MsiExec.exe /X{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}
I.R.I.S. OCR-->MsiExec.exe /I{CA6BCA2F-EDEB-408F-850B-31404BE16A61}
Intel® Graphics Media Accelerator Driver-->C:\Program Files\Intel\Intel® Graphics Media Accelerator Driver\Uninstall\setup.exe -uninstall
iTunes-->MsiExec.exe /I{23B8A91D-680B-462B-87AD-3D70F7341731}
Java™ 6 Update 26-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216023FF}
Junk Mail filter update-->MsiExec.exe /I{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}
Marketsplash Shortcuts-->MsiExec.exe /X{16FCDD97-AE09-476B-88CD-261D852BD34C}
Memeo AutoSync-->C:\Program Files\Memeo\AutoSync\uninstall.exe
Memeo Instant Backup-->C:\Program Files\Memeo\AutoBackup\uninstall.exe
Mesh Runtime-->MsiExec.exe /I{8C6D6116-B724-4810-8F2D-D047E6B7D68E}
Messenger Companion-->MsiExec.exe /I{50816F92-1652-4A7C-B9BC-48F682742C4B}
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Corporation-->MsiExec.exe /I{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}
Microsoft LifeCam-->MsiExec.exe /X{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}
Microsoft Office 2010-->MsiExec.exe /X{95140000-0070-0000-0000-0000000FF1CE}
Microsoft Office Click-to-Run 2010-->"C:\PROGRA~1\COMMON~1\MICROS~1\VIRTUA~1\CVHBS.EXE" /removeall
Microsoft Office Click-to-Run 2010-->MsiExec.exe /I{90140000-006D-0409-0000-0000000FF1CE}
Microsoft Office Starter 2010 - English-->C:\Program Files\Common Files\microsoft shared\virtualization handler\cvhbs.exe /uninstall {90140011-0066-0409-0000-0000000FF1CE}
Microsoft PowerPoint Viewer-->MsiExec.exe /X{95140000-00AF-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161-->MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219-->MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
MSVCRT-->MsiExec.exe /I{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
QuickTime-->MsiExec.exe /I{7BE15435-2D3E-4B58-867F-9C75BED0208C}
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE 10.3-->C:\ProgramData\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE 10.3-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Seagate Dashboard-->C:\Program Files\Seagate\Seagate Dashboard\uninstall.exe
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {3E0806DB-3085-378A-840A-F0D3AE3609D1} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {728D9A6A-2206-31E8-9F65-C3EABEFCF53E} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {2CE2EB39-45C8-32D4-8A99-5529C38F1B99} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {7E97AB83-C1FE-38DE-B848-877E0A4BD81E} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {DB31DEDD-BF95-31E7-A9B7-5480561CEFF3} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {67A5F99B-5EBA-3812-8D2E-BC251490DD3F} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {8DDEFC7E-0C61-3D11-AFC6-5414F2DAFD01} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {4952F442-5C1A-38EB-8C23-B18EFE77E20C} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {9EC88EA8-4ABE-393C-87BD-90EABB1C4C9B} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {86BB5A25-8CC3-33CE-A393-CF28901682B2} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {16EEC04A-B924-37E0-97CF-422DCEFC1B63} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {C4D978AA-2668-3404-96DE-96E2AFC62FD7} /parameterfolder Client
Skype Toolbars-->MsiExec.exe /I{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Skype™ 5.1-->MsiExec.exe /X{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}
SpeedType 10.01-->"c:\st10\unins000.exe"
Start Stop Universal Transcription System-->"C:\Windows\Start Stop Universal Transcription System\uninstall.exe" "/U:C:\Program Files\HTH Engineering, Inc\Start Stop Universal Transcription System\irunin.xml"
SUPERAntiSpyware-->"C:\Program Files\SUPERAntiSpyware\Uninstall.exe"
Trend Micro Client/Server Security Agent-->msiexec /x {BED0B8A2-2986-49F8-90D6-FA008D37A3D2}
TSP_CODEC-->C:\Program Files\Bytescribe\TSP_CODEC\Uninst.exe /pid:{A90C03D6-08E1-4C59-B93B-6919A6C0AC19} /asd
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {5E9CF3A4-ADB3-3080-A8BF-976A28340758} /parameterfolder Client
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {81EBB9D7-173C-32E3-B477-149C8DE075E4} /parameterfolder Client
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {5D9961AC-7C99-36A2-9EF0-34678AED5384} /parameterfolder Client
Windows Live Communications Platform-->MsiExec.exe /I{D45240D3-B6B3-4FF9-B243-54ECE3E10066}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}
Windows Live ID Sign-in Assistant-->MsiExec.exe /I{61AD15B2-50DB-4686-A739-14FE180D4429}
Windows Live Installer-->MsiExec.exe /I{0B0F231F-CE6A-483D-AA23-77B364F75917}
Windows Live Mail-->MsiExec.exe /I{9D56775A-93F3-44A3-8092-840E3826DE30}
Windows Live Mail-->MsiExec.exe /I{C66824E4-CBB3-4851-BB3F-E8CFD6350923}
Windows Live Mesh ActiveX Control for Remote Connections-->MsiExec.exe /I{2902F983-B4C1-44BA-B85D-5C6D52E2C441}
Windows Live Mesh-->MsiExec.exe /I{A0C91188-C88F-4E86-93E6-CD7C9A266649}
Windows Live Mesh-->MsiExec.exe /I{DECDCB7C-58CC-4865-91AF-627F9798FE48}
Windows Live Messenger Companion Core-->MsiExec.exe /I{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}
Windows Live Messenger-->MsiExec.exe /X{80956555-A512-4190-9CAD-B000C36D6B6B}
Windows Live Messenger-->MsiExec.exe /X{EB4DF488-AAEF-406F-A341-CB2AAA315B90}
Windows Live MIME IFilter-->MsiExec.exe /I{AF844339-2F8A-4593-81B3-9F4C54038C4E}
Windows Live Movie Maker-->MsiExec.exe /X{19BA08F7-C728-469C-8A35-BFBD3633BE08}
Windows Live Movie Maker-->MsiExec.exe /X{92EA4134-10D1-418A-91E1-5A0453131A38}
Windows Live Photo Common-->MsiExec.exe /X{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}
Windows Live Photo Common-->MsiExec.exe /X{D436F577-1695-4D2F-8B44-AC76C99E0002}
Windows Live Photo Gallery-->MsiExec.exe /X{3336F667-9049-4D46-98B6-4C743EEBC5B1}
Windows Live Photo Gallery-->MsiExec.exe /X{34F4D9A4-42C2-4348-BEF4-E553C84549E7}
Windows Live PIMT Platform-->MsiExec.exe /I{83C292B7-38A5-440B-A731-07070E81A64F}
Windows Live Remote Client Resources-->MsiExec.exe /I{464B3406-A4D0-4914-910F-7CA4380DCC13}
Windows Live Remote Client-->MsiExec.exe /I{19A4A990-5343-4FF7-B3B5-6F046C091EDF}
Windows Live Remote Service Resources-->MsiExec.exe /I{17504ED4-DB08-40A8-81C2-27D8C01581DA}
Windows Live Remote Service-->MsiExec.exe /I{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}
Windows Live SOXE Definitions-->MsiExec.exe /I{200FEC62-3C34-4D60-9CE8-EC372E01C08F}
Windows Live SOXE-->MsiExec.exe /I{682B3E4F-696A-42DE-A41C-4C07EA1678B4}
Windows Live UX Platform Language Pack-->MsiExec.exe /I{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}
Windows Live UX Platform-->MsiExec.exe /I{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}
Windows Live Writer Resources-->MsiExec.exe /X{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}
Windows Live Writer-->MsiExec.exe /X{A726AE06-AAA3-43D1-87E3-70F510314F04}
Windows Live Writer-->MsiExec.exe /X{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}
Windows Live Writer-->MsiExec.exe /X{AAF454FC-82CA-4F29-AB31-6A109485E76E}
WinZip 15.5-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240C3}

======System event log======

Computer Name: ThePandaPC
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
Record Number: 6936926
Source Name: Disk
Time Written: 20120621195312.810788-000
Event Type: Warning
User:

Computer Name: ThePandaPC
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
Record Number: 6936925
Source Name: Disk
Time Written: 20120621195312.809788-000
Event Type: Warning
User:

Computer Name: ThePandaPC
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
Record Number: 6936924
Source Name: Disk
Time Written: 20120621195312.808788-000
Event Type: Warning
User:

Computer Name: ThePandaPC
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
Record Number: 6936923
Source Name: Disk
Time Written: 20120621195312.807788-000
Event Type: Warning
User:

Computer Name: ThePandaPC
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
Record Number: 6936922
Source Name: Disk
Time Written: 20120621195311.714726-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: ThePandaPC
Event Code: 508
Message: Windows (1744) Windows: A request to write to the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb" at offset 0 (0x0000000000000000) for 32768 (0x00008000) bytes succeeded, but took an abnormally long time (2316 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
Record Number: 4838
Source Name: ESENT
Time Written: 20110607030531.000000-000
Event Type: Warning
User:

Computer Name: ThePandaPC
Event Code: 12348
Message: Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{758fca6a-57cc-11e0-afd3-f04da2ec9fef}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly. Check security on the volume, and try the operation again.

Operation:
Removing auto-release shadow copies
Loading provider

Context:
Execution Context: System Provider
Record Number: 4835
Source Name: VSS
Time Written: 20110607001234.000000-000
Event Type: Warning
User:

Computer Name: ThePandaPC
Event Code: 12348
Message: Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{758fca6a-57cc-11e0-afd3-f04da2ec9fef}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly. Check security on the volume, and try the operation again.

Operation:
Removing auto-release shadow copies
Loading provider

Context:
Execution Context: System Provider
Record Number: 4833
Source Name: VSS
Time Written: 20110607000331.000000-000
Event Type: Warning
User:

Computer Name: ThePandaPC
Event Code: 12348
Message: Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{758fca6a-57cc-11e0-afd3-f04da2ec9fef}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly. Check security on the volume, and try the operation again.

Operation:
Removing auto-release shadow copies
Loading provider

Context:
Execution Context: System Provider
Record Number: 4826
Source Name: VSS
Time Written: 20110606173507.000000-000
Event Type: Warning
User:

Computer Name: ThePandaPC
Event Code: 12348
Message: Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{758fca6a-57cc-11e0-afd3-f04da2ec9fef}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly. Check security on the volume, and try the operation again.

Operation:
Removing auto-release shadow copies
Loading provider

Context:
Execution Context: System Provider
Record Number: 4824
Source Name: VSS
Time Written: 20110606170045.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: ThePandaPC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 4723
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110605161323.984951-000
Event Type: Audit Success
User:

Computer Name: ThePandaPC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: THEPANDAPC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x1e4
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 4722
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110605161323.984951-000
Event Type: Audit Success
User:

Computer Name: ThePandaPC
Event Code: 4616
Message: The system time was changed.

Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Process Information:
Process ID: 0x440
Name: C:\Windows\System32\svchost.exe

Previous Time: 2011-06-05T15:24:32.423601700Z
New Time: 2011-06-05T15:24:32.423000000Z

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Record Number: 4721
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110605152432.423000-000
Event Type: Audit Success
User:

Computer Name: ThePandaPC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 4720
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110605152029.915972-000
Event Type: Audit Success
User:

Computer Name: ThePandaPC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: THEPANDAPC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x1e4
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 4719
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110605152029.915972-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Common Files\Microsoft Shared\Windows Live;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared;C:\Program Files\Windows Live\Shared;C:\Program Files\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=2
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=170a
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
"asl.log"=Destination=file
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------


RSIT Log:
Logfile of random's system information tool 1.09 (written by random/random)
Run by Diane at 2012-06-25 16:51:29
Microsoft Windows 7 Professional Service Pack 1
System drive C: has 125 GB (56%) free of 224 GB
Total RAM: 3037 MB (65% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1138447411-1991068916-1511503196-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1138447411-1991068916-1511503196-1000UA.job
C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
C:\Windows\tasks\SystemToolsDailyTest.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-04-03 63912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}]
TmIEPlugInBHO Class - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll [2010-03-09 218376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}]
Do Not Track Plus - C:\Program Files\DoNotTrackPlus\ScriptHost.dll [2012-02-17 579800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21 439168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FDDE16B-836F-4806-AB1F-1455CBEFF289}]
Windows Live Messenger Companion Helper - C:\Program Files\Windows Live\Companion\companioncore.dll [2010-11-10 393600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2012-03-15 192112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]
Skype Plug-In - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-11-22 1242504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll [2012-01-13 1003576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
Bing Bar Helper - C:\Program Files\Microsoft\BingBar\BingExt.dll [2011-02-28 1089288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-08-03 42272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8dcb7100-df86-4384-8842-8fa844297b3f} - Bing Bar - C:\Program Files\Microsoft\BingBar\BingExt.dll [2011-02-28 1089288]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2012-03-15 192112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"=c:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe [2010-06-25 1099088]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2010-08-25 136216]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2010-08-25 171032]
"Persistence"=C:\Windows\system32\igfxpers.exe [2010-08-25 170520]
"VX1000"=C:\Windows\vVX1000.exe [2010-05-20 762736]
""= []
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2012-05-08 348624]
"Memeo Instant Backup"=C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe [2011-05-04 136416]
"Memeo AutoSync"=C:\Program Files\Memeo\AutoSync\MemeoLauncher2.exe [2011-05-04 144608]
"Seagate Dashboard"=C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe [2011-06-01 79112]
"imtcol"=C:\Users\Diane\AppData\Roaming\imtcol.dll [2012-06-24 120832]
"setsil"=C:\Users\Diane\AppData\Roaming\setsil.dll [2012-06-24 352768]
"LifeCam"=C:\Program Files\Microsoft LifeCam\LifeExp.exe [2010-05-20 119152]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2012-01-03 843712]
"APSDaemon"=C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [2012-02-20 59240]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2012-03-27 421736]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2010-11-20 1174016]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2012-06-11 3905408]
"Google Update"=C:\Users\Diane\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-26 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2011-05-04 551296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll [2011-03-26 13672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer]
C:\Program Files\Citrix\GoToAssist Express Customer\274\g2ax_winlogon.dll [2011-04-13 147832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2010-08-25 228864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2011-07-18 113024]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\!SASCORE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist Express Customer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"VIDC.UYVY"=msyuv.dll
"VIDC.YUY2"=msyuv.dll
"VIDC.YVYU"=msyuv.dll
"VIDC.IYUV"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"VIDC.YVU9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\System32\l3codeca.acm
"vidc.cvid"=iccvid.dll
"msacm.siren"=sirenacm.dll
"MSVideo8"=VfWWDM32.dll
"wave1"=wdmaud.drv
"mixer1"=wdmaud.drv
"msacm.trspch"=tssoft32.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"wave2"=wdmaud.drv
"mixer2"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 month======

2012-06-25 16:51:29 ----D---- C:\rsit
2012-06-25 13:14:44 ----A---- C:\Windows\ntbtlog.txt
2012-06-25 07:45:35 ----SD---- C:\ComboFix
2012-06-24 23:58:38 ----A---- C:\Windows\zip.exe
2012-06-24 23:58:38 ----A---- C:\Windows\SWSC.exe
2012-06-24 23:58:38 ----A---- C:\Windows\SWREG.exe
2012-06-24 23:58:38 ----A---- C:\Windows\sed.exe
2012-06-24 23:58:38 ----A---- C:\Windows\PEV.exe
2012-06-24 23:58:38 ----A---- C:\Windows\NIRCMD.exe
2012-06-24 23:58:38 ----A---- C:\Windows\MBR.exe
2012-06-24 23:58:38 ----A---- C:\Windows\grep.exe
2012-06-24 23:53:05 ----A---- C:\Windows\system32\FNTCACHE.DAT
2012-06-24 23:44:10 ----D---- C:\Qoobox
2012-06-24 23:42:52 ----D---- C:\Windows\erdnt
2012-06-24 23:05:05 ----D---- C:\Program Files\Exterminate It!
2012-06-24 16:26:18 ----D---- C:\Windows\scoped_dir_32204
2012-06-24 16:26:10 ----A---- C:\Users\Diane\AppData\Roaming\setsil.dll
2012-06-24 16:25:11 ----A---- C:\Users\Diane\AppData\Roaming\imtcol.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wups2.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wucltux.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wuaueng.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wuauclt.exe
2012-06-21 06:57:09 ----A---- C:\Windows\system32\wuwebv.dll
2012-06-21 06:57:09 ----A---- C:\Windows\system32\wuapp.exe
2012-06-20 15:25:26 ----D---- C:\Program Files\SUPERAntiSpyware
2012-06-14 06:03:56 ----A---- C:\Windows\system32\drivers\rdpwd.sys
2012-06-14 06:03:51 ----A---- C:\Windows\system32\ieframe.dll
2012-06-14 06:03:48 ----A---- C:\Windows\system32\mshtml.dll
2012-06-14 06:03:47 ----A---- C:\Windows\system32\urlmon.dll
2012-06-14 06:03:47 ----A---- C:\Windows\system32\msfeeds.dll
2012-06-14 06:03:47 ----A---- C:\Windows\system32\iertutil.dll
2012-06-14 06:03:46 ----A---- C:\Windows\system32\wininet.dll
2012-06-14 06:03:46 ----A---- C:\Windows\system32\mshtmled.dll
2012-06-14 06:03:46 ----A---- C:\Windows\system32\ieui.dll
2012-06-14 06:03:45 ----A---- C:\Windows\system32\url.dll
2012-06-14 06:03:45 ----A---- C:\Windows\system32\jsproxy.dll
2012-06-14 06:03:34 ----A---- C:\Windows\system32\jscript.dll
2012-06-14 06:03:33 ----A---- C:\Windows\system32\rdrmemptylst.exe
2012-06-14 06:03:33 ----A---- C:\Windows\system32\rdpwsx.dll
2012-06-14 06:03:33 ----A---- C:\Windows\system32\rdpcorekmts.dll
2012-06-14 06:03:32 ----A---- C:\Windows\system32\win32k.sys
2012-06-14 06:03:31 ----A---- C:\Windows\system32\msi.dll
2012-06-14 06:03:29 ----A---- C:\Windows\system32\profsvc.dll
2012-06-14 06:03:19 ----A---- C:\Windows\system32\crypt32.dll
2012-06-14 06:03:18 ----A---- C:\Windows\system32\cryptsvc.dll
2012-06-14 06:03:18 ----A---- C:\Windows\system32\cryptnet.dll

======List of files/folders modified in the last 1 month======

2012-06-25 16:51:29 ----HD---- C:\Windows\Temp
2012-06-25 16:12:10 ----HD---- C:\Windows\Prefetch
2012-06-25 15:18:12 ----A---- C:\tmuninst.ini
2012-06-25 13:18:42 ----D---- C:\Windows\system32\drivers
2012-06-25 13:14:44 ----D---- C:\Windows
2012-06-25 12:21:51 ----D---- C:\Windows\System32
2012-06-25 12:21:51 ----D---- C:\Windows\inf
2012-06-25 12:21:51 ----A---- C:\Windows\system32\PerfStringBackup.INI
2012-06-24 23:56:56 ----HD---- C:\Windows\system32\config
2012-06-24 23:49:11 ----D---- C:\Users\Diane\AppData\Roaming\SoftGrid Client
2012-06-24 23:05:05 ----RD---- C:\Program Files
2012-06-24 20:19:19 ----D---- C:\Windows\system32\catroot
2012-06-24 20:19:17 ----D---- C:\Windows\system32\DriverStore
2012-06-24 19:59:15 ----SHD---- C:\System Volume Information
2012-06-24 19:26:30 ----HD---- C:\Windows\SoftwareDistribution
2012-06-24 19:16:01 ----HD---- C:\Windows\debug
2012-06-24 16:25:15 ----SHD---- C:\Windows\Installer
2012-06-24 15:33:06 ----RSD---- C:\Windows\Fonts
2012-06-24 15:33:06 ----D---- C:\Windows\Tasks
2012-06-24 15:33:04 ----D---- C:\Program Files\Microsoft LifeCam
2012-06-24 15:33:04 ----D---- C:\Program Files\Microsoft Application Virtualization Client
2012-06-24 15:33:04 ----D---- C:\Program Files\Bonjour
2012-06-24 15:33:02 ----D---- C:\Windows\system32\wbem
2012-06-24 15:31:20 ----D---- C:\Windows\system32\drivers\etc
2012-06-24 15:31:20 ----D---- C:\Windows\system32\catroot2
2012-06-24 15:31:19 ----D---- C:\Windows\winsxs
2012-06-24 15:31:19 ----D---- C:\Windows\TAPI
2012-06-24 15:31:19 ----D---- C:\Windows\system32\wfp
2012-06-24 15:31:19 ----D---- C:\Windows\system32\Msdtc
2012-06-24 15:31:19 ----D---- C:\Windows\system32\en-US
2012-06-24 15:31:19 ----D---- C:\Program Files\Windows Sidebar
2012-06-24 15:31:18 ----D---- C:\Windows\twain_32
2012-06-24 15:31:18 ----D---- C:\Windows\system32\Tasks
2012-06-24 15:31:17 ----D---- C:\Windows\system32\sysprep
2012-06-24 15:31:17 ----D---- C:\Windows\system32\SPReview
2012-06-24 15:31:17 ----D---- C:\Windows\system32\spool
2012-06-24 15:31:16 ----D---- C:\Windows\system32\oobe
2012-06-24 15:31:16 ----D---- C:\Windows\system32\oem
2012-06-24 15:31:16 ----D---- C:\Windows\system32\NDF
2012-06-24 15:31:15 ----D---- C:\Windows\system32\EventProviders
2012-06-24 15:31:15 ----D---- C:\Windows\system32\DRVSTORE
2012-06-24 15:31:14 ----D---- C:\Windows\system32\CodeIntegrity
2012-06-24 15:31:12 ----D---- C:\Windows\Start Stop Universal Transcription System
2012-06-24 15:31:12 ----D---- C:\Windows\Setup
2012-06-24 15:31:12 ----D---- C:\Windows\security
2012-06-24 15:31:12 ----D---- C:\Windows\Microsoft.NET
2012-06-24 15:30:56 ----RSD---- C:\Windows\assembly
2012-06-24 15:30:56 ----D---- C:\Windows\en
2012-06-24 15:30:56 ----D---- C:\Windows\ehome
2012-06-24 15:30:56 ----D---- C:\Windows\Downloaded Program Files
2012-06-24 15:30:56 ----D---- C:\Windows\Downloaded Installations
2012-06-24 15:30:51 ----D---- C:\Windows\AppCompat
2012-06-24 15:30:50 ----D---- C:\Users\Diane\AppData\Roaming\Skype
2012-06-24 15:30:49 ----SD---- C:\Users\Diane\AppData\Roaming\Microsoft
2012-06-24 15:30:41 ----D---- C:\st10
2012-06-24 15:30:41 ----D---- C:\ProgramData\Skype
2012-06-24 15:30:38 ----HD---- C:\ProgramData
2012-06-24 15:30:38 ----D---- C:\ProgramData\Microsoft Help
2012-06-24 15:30:38 ----D---- C:\ProgramData\InstallShield
2012-06-24 15:30:38 ----D---- C:\ProgramData\Apple Computer
2012-06-24 15:30:38 ----D---- C:\ProgramData\Apple
2012-06-24 15:30:38 ----D---- C:\Program Files\WinZip
2012-06-24 15:30:37 ----D---- C:\Program Files\Windows Live
2012-06-24 15:30:35 ----RD---- C:\Program Files\Skype
2012-06-24 15:30:35 ----D---- C:\Program Files\SSU PriorConfigs
2012-06-24 15:30:34 ----D---- C:\Program Files\Seagate
2012-06-24 15:30:34 ----D---- C:\Program Files\Roxio
2012-06-24 15:30:34 ----D---- C:\Program Files\QuickTime
2012-06-24 15:30:33 ----D---- C:\Program Files\NCT
2012-06-24 15:30:21 ----D---- C:\Program Files\Microsoft Silverlight
2012-06-24 15:30:17 ----D---- C:\Program Files\iTunes
2012-06-24 15:30:17 ----D---- C:\Program Files\Internet Explorer
2012-06-24 15:30:16 ----D---- C:\Program Files\HP
2012-06-24 15:30:15 ----D---- C:\Program Files\Google
2012-06-24 15:30:15 ----D---- C:\Program Files\DoNotTrackPlus
2012-06-24 15:30:14 ----D---- C:\Program Files\Dell Support Center
2012-06-24 15:30:14 ----D---- C:\Program Files\Dell Inc
2012-06-24 15:30:14 ----D---- C:\Program Files\Coupons
2012-06-24 15:30:13 ----D---- C:\Program Files\Common Files\SureThing Shared
2012-06-24 15:30:09 ----D---- C:\Program Files\Common Files\Sonic Shared
2012-06-24 15:30:09 ----D---- C:\Program Files\Common Files\Skype
2012-06-24 15:30:09 ----D---- C:\Program Files\Common Files\Roxio Shared
2012-06-24 15:30:09 ----D---- C:\Program Files\Common Files
2012-06-24 15:30:08 ----D---- C:\Program Files\Common Files\PX Storage Engine
2012-06-24 15:30:08 ----D---- C:\Program Files\Common Files\microsoft shared
2012-06-24 15:30:08 ----D---- C:\Program Files\Common Files\Memeo
2012-06-24 15:30:08 ----D---- C:\Program Files\Common Files\DESIGNER
2012-06-24 15:30:05 ----D---- C:\Program Files\CCleaner
2012-06-24 15:30:05 ----D---- C:\Program Files\Broadcom
2012-06-24 15:30:04 ----D---- C:\Program Files\Apple Software Update
2012-06-24 15:30:03 ----D---- C:\Program Files\Adobe
2012-06-24 15:30:03 ----D---- C:\Intel
2012-06-24 15:30:03 ----D---- C:\EOrganizer
2012-06-24 15:30:03 ----D---- C:\Drivers
2012-06-24 15:30:02 ----D---- C:\dell
2012-06-24 15:29:58 ----D---- C:\Apps
2012-06-24 15:28:37 ----D---- C:\Windows\registration
2012-06-24 15:28:33 ----D---- C:\Windows\Web
2012-06-24 15:28:33 ----D---- C:\Windows\Vss
2012-06-24 15:28:31 ----D---- C:\Windows\system32\winrm
2012-06-24 15:28:31 ----D---- C:\Windows\system32\WindowsPowerShell
2012-06-24 15:28:31 ----D---- C:\Windows\system32\WinBioPlugIns
2012-06-24 15:28:31 ----D---- C:\Windows\system32\wdi
2012-06-24 15:28:31 ----D---- C:\Windows\system32\WCN
2012-06-24 15:28:18 ----D---- C:\Windows\system32\spp
2012-06-24 15:28:10 ----D---- C:\Windows\system32\Speech
2012-06-24 15:28:10 ----D---- C:\Windows\system32\SMI
2012-06-24 15:28:09 ----D---- C:\Windows\system32\slmgr
2012-06-24 15:28:08 ----D---- C:\Windows\system32\Printing_Admin_Scripts
2012-06-24 15:28:06 ----D---- C:\Windows\system32\NetworkList
2012-06-24 15:28:05 ----D---- C:\Windows\system32\MUI
2012-06-24 15:28:02 ----D---- C:\Windows\system32\migwiz
2012-06-24 15:28:02 ----D---- C:\Windows\system32\migration
2012-06-24 15:28:00 ----D---- C:\Windows\system32\Macromed
2012-06-24 15:27:59 ----D---- C:\Windows\system32\IME
2012-06-24 15:27:50 ----D---- C:\Windows\system32\drivers\UMDF
2012-06-24 15:27:43 ----D---- C:\Windows\system32\Dism
2012-06-24 15:27:40 ----D---- C:\Windows\system32\com
2012-06-24 15:27:04 ----D---- C:\Windows\Speech
2012-06-24 15:27:02 ----D---- C:\Windows\ServiceProfiles
2012-06-24 15:27:01 ----D---- C:\Windows\schemas
2012-06-24 15:27:01 ----D---- C:\Windows\Resources
2012-06-24 15:27:00 ----D---- C:\Windows\PolicyDefinitions
2012-06-24 15:27:00 ----D---- C:\Windows\PLA
2012-06-24 15:27:00 ----D---- C:\Windows\Performance
2012-06-24 15:23:59 ----D---- C:\Windows\IME
2012-06-24 15:23:59 ----D---- C:\Windows\Help
2012-06-24 15:23:58 ----D---- C:\Windows\Globalization
2012-06-24 15:23:45 ----D---- C:\Windows\Branding
2012-06-24 15:23:06 ----D---- C:\Windows\AppPatch
2012-06-24 15:23:04 ----RD---- C:\Users
2012-06-24 15:22:49 ----D---- C:\Users\Diane\AppData\Roaming\SUPERAntiSpyware.com
2012-06-24 15:22:45 ----D---- C:\Users\Diane\AppData\Roaming\PCDr
2012-06-24 15:22:40 ----D---- C:\Users\Diane\AppData\Roaming\Memeo
2012-06-24 15:22:39 ----D---- C:\Users\Diane\AppData\Roaming\Macromedia
2012-06-24 15:22:39 ----D---- C:\Users\Diane\AppData\Roaming\Adobe
2012-06-24 15:21:39 ----D---- C:\ProgramData\WinZip
2012-06-24 15:21:39 ----D---- C:\ProgramData\Uninstall
2012-06-24 15:21:39 ----D---- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-06-24 15:21:38 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2012-06-24 15:21:31 ----D---- C:\ProgramData\PCDr
2012-06-24 15:21:10 ----D---- C:\ProgramData\HP
2012-06-24 15:21:09 ----D---- C:\ProgramData\Google
2012-06-24 15:21:09 ----D---- C:\ProgramData\Avira
2012-06-24 15:21:04 ----D---- C:\ProgramData\Adobe
2012-06-24 15:20:59 ----D---- C:\Program Files\Windows XP Mode
2012-06-24 15:20:59 ----D---- C:\Program Files\Windows Virtual PC
2012-06-24 15:20:56 ----D---- C:\Program Files\Windows Photo Viewer
2012-06-24 15:20:56 ----D---- C:\Program Files\Windows NT
2012-06-24 15:20:56 ----D---- C:\Program Files\Windows Media Player
2012-06-24 15:20:56 ----D---- C:\Program Files\Windows Mail
2012-06-24 15:20:37 ----D---- C:\Program Files\Windows Journal
2012-06-24 15:20:37 ----D---- C:\Program Files\Windows Defender
2012-06-24 15:20:16 ----D---- C:\Program Files\Trend Micro
2012-06-24 15:20:15 ----D---- C:\Program Files\SpeedType
2012-06-24 15:20:06 ----D---- C:\Program Files\Reference Assemblies
2012-06-24 15:19:54 ----D---- C:\Program Files\MSECache
2012-06-24 15:19:53 ----D---- C:\Program Files\MSBuild
2012-06-24 15:19:17 ----D---- C:\Program Files\Microsoft SQL Server Compact Edition
2012-06-24 15:19:17 ----D---- C:\Program Files\Microsoft
2012-06-24 15:19:04 ----D---- C:\Program Files\Microsoft Office
2012-06-24 15:18:48 ----D---- C:\Program Files\Memeo
2012-06-24 15:18:37 ----D---- C:\Program Files\Java
2012-06-24 15:18:28 ----D---- C:\Program Files\iPod
2012-06-24 15:18:26 ----D---- C:\Program Files\Intel
2012-06-24 15:18:23 ----D---- C:\Program Files\HTH Engineering, Inc
2012-06-24 15:18:13 ----D---- C:\Program Files\Hewlett-Packard
2012-06-24 15:18:06 ----D---- C:\Program Files\DVD Maker
2012-06-24 15:17:59 ----D---- C:\Program Files\Dell
2012-06-24 15:17:38 ----D---- C:\Program Files\Common Files\Windows Live
2012-06-24 15:17:37 ----D---- C:\Program Files\Common Files\System
2012-06-24 15:17:37 ----D---- C:\Program Files\Common Files\SpeechEngines
2012-06-24 15:17:23 ----D---- C:\Program Files\Common Files\Java
2012-06-24 15:17:23 ----D---- C:\Program Files\Common Files\InstallShield
2012-06-24 15:17:16 ----D---- C:\Program Files\Common Files\Apple
2012-06-24 15:17:08 ----D---- C:\Program Files\Common Files\Adobe
2012-06-24 15:17:07 ----D---- C:\Program Files\Common Files\Adobe AIR
2012-06-24 15:17:06 ----D---- C:\Program Files\Citrix
2012-06-24 15:17:05 ----D---- C:\Program Files\Bytescribe
2012-06-24 15:16:54 ----D---- C:\Program Files\Avira
2012-06-24 15:16:47 ----RHD---- C:\MSOCache
2012-06-15 15:40:54 ----D---- C:\Windows\rescache
2012-06-15 06:40:49 ----A---- C:\Windows\system32\FlashPlayerApp.exe
2012-06-15 03:10:50 ----A---- C:\Windows\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 pciide;pciide; C:\Windows\system32\drivers\pciide.sys [2009-07-13 12368]
R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2009-07-09 45200]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2010-11-20 173440]
R0 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\drivers\vmbus.sys [2010-11-20 175360]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2012-05-08 137928]
R1 avkmgr;avkmgr; C:\Windows\system32\DRIVERS\avkmgr.sys [2011-09-16 36000]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2010-11-20 388096]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2010-06-17 28520]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver; C:\Windows\system32\DRIVERS\tmlwf.sys [2009-07-15 146448]
R1 tmtdi;Trend Micro TDI Driver; C:\Windows\system32\DRIVERS\tmtdi.sys [2009-07-15 89872]
R1 vpcnfltr;Virtual PC Network Filter Driver; C:\Windows\system32\DRIVERS\vpcnfltr.sys [2010-11-20 48128]
R1 vpcvmm;@%SystemRoot%\system32\drivers\vpcvmm.sys,-100; C:\Windows\system32\drivers\vpcvmm.sys [2010-11-20 296064]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2012-05-08 83392]
R2 TmFilter;Trend Micro Filter; \??\c:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2010-05-10 230928]
R2 TmPreFilter;Trend Micro PreFilter; \??\c:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2010-05-10 36368]
R2 tmwfp;Trend Micro WFP Callout Driver; C:\Windows\system32\DRIVERS\tmwfp.sys [2009-07-15 283152]
R2 VSApiNt;Trend Micro VSAPI NT; \??\c:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys [2010-05-10 1322808]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2010-08-25 9024512]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\k57nd60x.sys [2009-08-21 273960]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver; \??\c:\program files\dell support center\pcdsrvc.pkms [2012-03-22 21744]
R3 Sftfs;Sftfs; C:\Windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 579944]
R3 Sftplay;Sftplay; C:\Windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 194408]
R3 Sftredir;Sftredir; C:\Windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 21864]
R3 Sftvol;Sftvol; C:\Windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 19304]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-13 35840]
R3 vpcbus;Virtual PC Host Bus Service; C:\Windows\system32\DRIVERS\vpchbus.sys [2010-11-20 172416]
R3 vpcusb;USB Virtualization Connector Service; C:\Windows\system32\DRIVERS\vpcusb.sys [2010-11-20 78336]
S2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S2 tmcomm;tmcomm; C:\Windows\system32\DRIVERS\tmcomm.sys [2009-07-06 158224]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\Windows\system32\drivers\amdagp.sys [2009-07-13 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 BridgeMP;@%SystemRoot%\system32\bridgeres.dll,-1; C:\Windows\system32\DRIVERS\bridge.sys [2009-07-13 78336]
S3 catchme;catchme; \??\C:\Users\Diane\AppData\Local\Temp\catchme.sys []
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys []
S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2010-11-20 133632]
S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys [2010-11-20 5632]
S3 sisagp;SIS AGP Bus Filter; C:\Windows\system32\drivers\sisagp.sys [2009-07-13 52304]
S3 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys [2010-11-20 28032]
S3 TsUsbFlt;@%SystemRoot%\system32\drivers\tsusbflt.sys,-1; C:\Windows\System32\drivers\tsusbflt.sys [2010-11-20 52224]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2012-02-15 43520]
S3 viaagp;VIA AGP Bus Filter; C:\Windows\system32\drivers\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
S3 VMBusHID;VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys [2010-11-20 17920]
S3 vpcuxd;USB Virtualization Stub Service; C:\Windows\system32\drivers\vpcuxd.sys [2010-11-20 12800]
S3 VX1000;VX-1000; C:\Windows\system32\DRIVERS\VX1000.sys [2010-05-20 1961072]
S3 WinUsb;WinUsb; C:\Windows\system32\DRIVERS\WinUsb.sys [2010-11-20 35968]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 !SASCORE;SAS Core Service; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service; C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R2 AntiVirSchedulerService;Avira Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2012-05-08 86224]
R2 AntiVirService;Avira Realtime Protection; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2012-05-08 110032]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2012-02-27 55144]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2011-08-31 390504]
R2 BPowMon;Broadcom Power monitoring service; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 79168]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 cvhsvc;Client Virtualization Handler; C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
R2 MemeoBackgroundService;MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-05-04 25824]
R2 MSCamSvc;MSCamSvc; C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2010-05-20 139632]
R2 ntrtscan;Trend Micro Client/Server Security Agent RealTime Scan; c:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe [2010-06-22 1323912]
R2 SeagateDashboardService;Seagate Dashboard Service; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-06-01 14088]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\BingBar\SeaPort.EXE [2011-02-25 249648]
R2 sftlist;Application Virtualization Client; C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
R2 svcGenericHost;Trend Micro Client/Server Security Agent; c:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [2010-07-05 45056]
R2 tmlisten;Trend Micro Client/Server Security Agent Listener; c:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [2010-06-22 1358160]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2010-09-21 1710464]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2012-03-27 821608]
R3 sftvsa;Application Virtualization Service Agent; C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall; c:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe [2009-07-15 497008]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service; c:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe [2009-07-15 689416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2011-10-08 136176]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 BBSvc;Bing Bar Update Service; C:\Program Files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
S3 GoToAssist Express Customer;GoToAssist Express Customer; C:\Program Files\Citrix\GoToAssist Express Customer\274\g2ax_service.exe [2011-04-13 161144]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe [2011-03-26 13160]
S3 gupdatem;Google Update Service (gupdatem); C:\Program Files\Google\Update\GoogleUpdate.exe [2011-10-08 136176]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-08 182768]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 149352]
S3 osppsvc;Office Software Protection Platform; C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2009-01-16 74392]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2011-03-26 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service; C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

-----------------EOF-----------------
2012-06-24 23:58:38 ----A---- C:\Windows\zip.exe
2012-06-24 23:58:38 ----A---- C:\Windows\SWSC.exe
2012-06-24 23:58:38 ----A---- C:\Windows\SWREG.exe
2012-06-24 23:58:38 ----A---- C:\Windows\sed.exe
2012-06-24 23:58:38 ----A---- C:\Windows\PEV.exe
2012-06-24 23:58:38 ----A---- C:\Windows\NIRCMD.exe
2012-06-24 23:58:38 ----A---- C:\Windows\MBR.exe
2012-06-24 23:58:38 ----A---- C:\Windows\grep.exe
2012-06-24 23:53:05 ----A---- C:\Windows\system32\FNTCACHE.DAT
2012-06-24 23:44:10 ----D---- C:\Qoobox
2012-06-24 23:42:52 ----D---- C:\Windows\erdnt
2012-06-24 23:05:05 ----D---- C:\Program Files\Exterminate It!
2012-06-24 16:26:18 ----D---- C:\Windows\scoped_dir_32204
2012-06-24 16:26:10 ----A---- C:\Users\Diane\AppData\Roaming\setsil.dll
2012-06-24 16:25:11 ----A---- C:\Users\Diane\AppData\Roaming\imtcol.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wups2.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wucltux.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wuaueng.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wuauclt.exe
2012-06-21 06:57:09 ----A---- C:\Windows\system32\wuwebv.dll
2012-06-21 06:57:09 ----A---- C:\Windows\system32\wuapp.exe
2012-06-20 15:25:26 ----D---- C:\Program Files\SUPERAntiSpyware
2012-06-14 06:03:56 ----A---- C:\Windows\system32\drivers\rdpwd.sys
2012-06-14 06:03:51 ----A---- C:\Windows\system32\ieframe.dll
2012-06-14 06:03:48 ----A---- C:\Windows\system32\mshtml.dll
2012-06-14 06:03:47 ----A---- C:\Windows\system32\urlmon.dll
2012-06-14 06:03:47 ----A---- C:\Windows\system32\msfeeds.dll
2012-06-14 06:03:47 ----A---- C:\Windows\system32\iertutil.dll
2012-06-14 06:03:46 ----A---- C:\Windows\system32\wininet.dll
2012-06-14 06:03:46 ----A---- C:\Windows\system32\mshtmled.dll
2012-06-14 06:03:46 ----A---- C:\Windows\system32\ieui.dll
2012-06-14 06:03:45 ----A---- C:\Windows\system32\url.dll
2012-06-14 06:03:45 ----A---- C:\Windows\system32\jsproxy.dll
2012-06-14 06:03:34 ----A---- C:\Windows\system32\jscript.dll
2012-06-14 06:03:33 ----A---- C:\Windows\system32\rdrmemptylst.exe
2012-06-14 06:03:33 ----A---- C:\Windows\system32\rdpwsx.dll
2012-06-14 06:03:33 ----A---- C:\Windows\system32\rdpcorekmts.dll
2012-06-14 06:03:32 ----A---- C:\Windows\system32\win32k.sys
2012-06-14 06:03:31 ----A---- C:\Windows\system32\msi.dll
2012-06-14 06:03:29 ----A---- C:\Windows\system32\profsvc.dll
2012-06-14 06:03:19 ----A---- C:\Windows\system32\crypt32.dll
2012-06-14 06:03:18 ----A---- C:\Windows\system32\cryptsvc.dll
2012-06-14 06:03:18 ----A---- C:\Windows\system32\cryptnet.dll

======List of files/folders modified in the last 1 month======

2012-06-25 16:51:29 ----HD---- C:\Windows\Temp
2012-06-25 16:12:10 ----HD---- C:\Windows\Prefetch
2012-06-25 15:18:12 ----A---- C:\tmuninst.ini
2012-06-25 13:18:42 ----D---- C:\Windows\system32\drivers
2012-06-25 13:14:44 ----D---- C:\Windows
2012-06-25 12:21:51 ----D---- C:\Windows\System32
2012-06-25 12:21:51 ----D---- C:\Windows\inf
2012-06-25 12:21:51 ----A---- C:\Windows\system32\PerfStringBackup.INI
2012-06-24 23:56:56 ----HD---- C:\Windows\system32\config
2012-06-24 23:49:11 ----D---- C:\Users\Diane\AppData\Roaming\SoftGrid Client
2012-06-24 23:05:05 ----RD---- C:\Program Files
2012-06-24 20:19:19 ----D---- C:\Windows\system32\catroot
2012-06-24 20:19:17 ----D---- C:\Windows\system32\DriverStore
2012-06-24 19:59:15 ----SHD---- C:\System Volume Information
2012-06-24 19:26:30 ----HD---- C:\Windows\SoftwareDistribution
2012-06-24 19:16:01 ----HD---- C:\Windows\debug
2012-06-24 16:25:15 ----SHD---- C:\Windows\Installer
2012-06-24 15:33:06 ----RSD---- C:\Windows\Fonts
2012-06-24 15:33:06 ----D---- C:\Windows\Tasks
2012-06-24 15:33:04 ----D---- C:\Program Files\Microsoft LifeCam
2012-06-24 15:33:04 ----D---- C:\Program Files\Microsoft Application Virtualization Client
2012-06-24 15:33:04 ----D---- C:\Program Files\Bonjour
2012-06-24 15:33:02 ----D---- C:\Windows\system32\wbem
2012-06-24 15:31:20 ----D---- C:\Windows\system32\drivers\etc
2012-06-24 15:31:20 ----D---- C:\Windows\system32\catroot2
2012-06-24 15:31:19 ----D---- C:\Windows\winsxs
2012-06-24 15:31:19 ----D---- C:\Windows\TAPI
2012-06-24 15:31:19 ----D---- C:\Windows\system32\wfp
2012-06-24 15:31:19 ----D---- C:\Windows\system32\Msdtc
2012-06-24 15:31:19 ----D---- C:\Windows\system32\en-US
2012-06-24 15:31:19 ----D---- C:\Program Files\Windows Sidebar
2012-06-24 15:31:18 ----D---- C:\Windows\twain_32
2012-06-24 15:31:18 ----D---- C:\Windows\system32\Tasks
2012-06-24 15:31:17 ----D---- C:\Windows\system32\sysprep
2012-06-24 15:31:17 ----D---- C:\Windows\system32\SPReview
2012-06-24 15:31:17 ----D---- C:\Windows\system32\spool
2012-06-24 15:31:16 ----D---- C:\Windows\system32\oobe
2012-06-24 15:31:16 ----D---- C:\Windows\system32\oem
2012-06-24 15:31:16 ----D---- C:\Windows\system32\NDF
2012-06-24 15:31:15 ----D---- C:\Windows\system32\EventProviders
2012-06-24 15:31:15 ----D---- C:\Windows\system32\DRVSTORE
2012-06-24 15:31:14 ----D---- C:\Windows\system32\CodeIntegrity
2012-06-24 15:31:12 ----D---- C:\Windows\Start Stop Universal Transcription System
2012-06-24 15:31:12 ----D---- C:\Windows\Setup
2012-06-24 15:31:12 ----D---- C:\Windows\security
2012-06-24 15:31:12 ----D---- C:\Windows\Microsoft.NET
2012-06-24 15:30:56 ----RSD---- C:\Windows\assembly
2012-06-24 15:30:56 ----D---- C:\Windows\en
2012-06-24 15:30:56 ----D---- C:\Windows\ehome
2012-06-24 15:30:56 ----D---- C:\Windows\Downloaded Program Files
2012-06-24 15:30:56 ----D---- C:\Windows\Downloaded Installations
2012-06-24 15:30:51 ----D---- C:\Windows\AppCompat
2012-06-24 15:30:50 ----D---- C:\Users\Diane\AppData\Roaming\Skype
2012-06-24 15:30:49 ----SD---- C:\Users\Diane\AppData\Roaming\Microsoft
2012-06-24 15:30:41 ----D---- C:\st10
2012-06-24 15:30:41 ----D---- C:\ProgramData\Skype
2012-06-24 15:30:38 ----HD---- C:\ProgramData
2012-06-24 15:30:38 ----D---- C:\ProgramData\Microsoft Help
2012-06-24 15:30:38 ----D---- C:\ProgramData\InstallShield
2012-06-24 15:30:38 ----D---- C:\ProgramData\Apple Computer
2012-06-24 15:30:38 ----D---- C:\ProgramData\Apple
2012-06-24 15:30:38 ----D---- C:\Program Files\WinZip
2012-06-24 15:30:37 ----D---- C:\Program Files\Windows Live
2012-06-24 15:30:35 ----RD---- C:\Program Files\Skype
2012-06-24 15:30:35 ----D---- C:\Program Files\SSU PriorConfigs
2012-06-24 15:30:34 ----D---- C:\Program Files\Seagate
2012-06-24 15:30:34 ----D---- C:\Program Files\Roxio
2012-06-24 15:30:34 ----D---- C:\Program Files\QuickTime
2012-06-24 15:30:33 ----D---- C:\Program Files\NCT
2012-06-24 15:30:21 ----D---- C:\Program Files\Microsoft Silverlight
2012-06-24 15:30:17 ----D---- C:\Program Files\iTunes
2012-06-24 15:30:17 ----D---- C:\Program Files\Internet Explorer
2012-06-24 15:30:16 ----D---- C:\Program Files\HP
2012-06-24 15:30:15 ----D---- C:\Program Files\Google
2012-06-24 15:30:15 ----D---- C:\Program Files\DoNotTrackPlus
2012-06-24 15:30:14 ----D---- C:\Program Files\Dell Support Center
2012-06-24 15:30:14 ----D---- C:\Program Files\Dell Inc
2012-06-24 15:30:14 ----D---- C:\Program Files\Coupons
2012-06-24 15:30:13 ----D---- C:\Program Files\Common Files\SureThing Shared
2012-06-24 15:30:09 ----D---- C:\Program Files\Common Files\Sonic Shared
2012-06-24 15:30:09 ----D---- C:\Program Files\Common Files\Skype
2012-06-24 15:30:09 ----D---- C:\Program Files\Common Files\Roxio Shared
2012-06-24 15:30:09 ----D---- C:\Program Files\Common Files
2012-06-24 15:30:08 ----D---- C:\Program Files\Common Files\PX Storage Engine
2012-06-24 15:30:08 ----D---- C:\Program Files\Common Files\microsoft shared
2012-06-24 15:30:08 ----D---- C:\Program Files\Common Files\Memeo
2012-06-24 15:30:08 ----D---- C:\Program Files\Common Files\DESIGNER
2012-06-24 15:30:05 ----D---- C:\Program Files\CCleaner
2012-06-24 15:30:05 ----D---- C:\Program Files\Broadcom
2012-06-24 15:30:04 ----D---- C:\Program Files\Apple Software Update
2012-06-24 15:30:03 ----D---- C:\Program Files\Adobe
2012-06-24 15:30:03 ----D---- C:\Intel
2012-06-24 15:30:03 ----D---- C:\EOrganizer
2012-06-24 15:30:03 ----D---- C:\Drivers
2012-06-24 15:30:02 ----D---- C:\dell
2012-06-24 15:29:58 ----D---- C:\Apps
2012-06-24 15:28:37 ----D---- C:\Windows\registration
2012-06-24 15:28:33 ----D---- C:\Windows\Web
2012-06-24 15:28:33 ----D---- C:\Windows\Vss
2012-06-24 15:28:31 ----D---- C:\Windows\system32\winrm
2012-06-24 15:28:31 ----D---- C:\Windows\system32\WindowsPowerShell
2012-06-24 15:28:31 ----D---- C:\Windows\system32\WinBioPlugIns
2012-06-24 15:28:31 ----D---- C:\Windows\system32\wdi
2012-06-24 15:28:31 ----D---- C:\Windows\system32\WCN
2012-06-24 15:28:18 ----D---- C:\Windows\system32\spp
2012-06-24 15:28:10 ----D---- C:\Windows\system32\Speech
2012-06-24 15:28:10 ----D---- C:\Windows\system32\SMI
2012-06-24 15:28:09 ----D---- C:\Windows\system32\slmgr
2012-06-24 15:28:08 ----D---- C:\Windows\system32\Printing_Admin_Scripts
2012-06-24 15:28:06 ----D---- C:\Windows\system32\NetworkList
2012-06-24 15:28:05 ----D---- C:\Windows\system32\MUI
2012-06-24 15:28:02 ----D---- C:\Windows\system32\migwiz
2012-06-24 15:28:02 ----D---- C:\Windows\system32\migration
2012-06-24 15:28:00 ----D---- C:\Windows\system32\Macromed
2012-06-24 15:27:59 ----D---- C:\Windows\system32\IME
2012-06-24 15:27:50 ----D---- C:\Windows\system32\drivers\UMDF
2012-06-24 15:27:43 ----D---- C:\Windows\system32\Dism
2012-06-24 15:27:40 ----D---- C:\Windows\system32\com
2012-06-24 15:27:04 ----D---- C:\Windows\Speech
2012-06-24 15:27:02 ----D---- C:\Windows\ServiceProfiles
2012-06-24 15:27:01 ----D---- C:\Windows\schemas
2012-06-24 15:27:01 ----D---- C:\Windows\Resources
2012-06-24 15:27:00 ----D---- C:\Windows\PolicyDefinitions
2012-06-24 15:27:00 ----D---- C:\Windows\PLA
2012-06-24 15:27:00 ----D---- C:\Windows\Performance
2012-06-24 15:23:59 ----D---- C:\Windows\IME
2012-06-24 15:23:59 ----D---- C:\Windows\Help
2012-06-24 15:23:58 ----D---- C:\Windows\Globalization
2012-06-24 15:23:45 ----D---- C:\Windows\Branding
2012-06-24 15:23:06 ----D---- C:\Windows\AppPatch
2012-06-24 15:23:04 ----RD---- C:\Users
2012-06-24 15:22:49 ----D---- C:\Users\Diane\AppData\Roaming\SUPERAntiSpyware.com
2012-06-24 15:22:45 ----D---- C:\Users\Diane\AppData\Roaming\PCDr
2012-06-24 15:22:40 ----D---- C:\Users\Diane\AppData\Roaming\Memeo
2012-06-24 15:22:39 ----D---- C:\Users\Diane\AppData\Roaming\Macromedia
2012-06-24 15:22:39 ----D---- C:\Users\Diane\AppData\Roaming\Adobe
2012-06-24 15:21:39 ----D---- C:\ProgramData\WinZip
2012-06-24 15:21:39 ----D---- C:\ProgramData\Uninstall
2012-06-24 15:21:39 ----D---- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-06-24 15:21:38 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2012-06-24 15:21:31 ----D---- C:\ProgramData\PCDr
2012-06-24 15:21:10 ----D---- C:\ProgramData\HP
2012-06-24 15:21:09 ----D---- C:\ProgramData\Google
2012-06-24 15:21:09 ----D---- C:\ProgramData\Avira
2012-06-24 15:21:04 ----D---- C:\ProgramData\Adobe
2012-06-24 15:20:59 ----D---- C:\Program Files\Windows XP Mode
2012-06-24 15:20:59 ----D---- C:\Program Files\Windows Virtual PC
2012-06-24 15:20:56 ----D---- C:\Program Files\Windows Photo Viewer
2012-06-24 15:20:56 ----D---- C:\Program Files\Windows NT
2012-06-24 15:20:56 ----D---- C:\Program Files\Windows Media Player
2012-06-24 15:20:56 ----D---- C:\Program Files\Windows Mail
2012-06-24 15:20:37 ----D---- C:\Program Files\Windows Journal
2012-06-24 15:20:37 ----D---- C:\Program Files\Windows Defender
2012-06-24 15:20:16 ----D---- C:\Program Files\Trend Micro
2012-06-24 15:20:15 ----D---- C:\Program Files\SpeedType
2012-06-24 15:20:06 ----D---- C:\Program Files\Reference Assemblies
2012-06-24 15:19:54 ----D---- C:\Program Files\MSECache
2012-06-24 15:19:53 ----D---- C:\Program Files\MSBuild
2012-06-24 15:19:17 ----D---- C:\Program Files\Microsoft SQL Server Compact Edition
2012-06-24 15:19:17 ----D---- C:\Program Files\Microsoft
2012-06-24 15:19:04 ----D---- C:\Program Files\Microsoft Office
2012-06-24 15:18:48 ----D---- C:\Program Files\Memeo
2012-06-24 15:18:37 ----D---- C:\Program Files\Java
2012-06-24 15:18:28 ----D---- C:\Program Files\iPod
2012-06-24 15:18:26 ----D---- C:\Program Files\Intel
2012-06-24 15:18:23 ----D---- C:\Program Files\HTH Engineering, Inc
2012-06-24 15:18:13 ----D---- C:\Program Files\Hewlett-Packard
2012-06-24 15:18:06 ----D---- C:\Program Files\DVD Maker
2012-06-24 15:17:59 ----D---- C:\Program Files\Dell
2012-06-24 15:17:38 ----D---- C:\Program Files\Common Files\Windows Live
2012-06-24 15:17:37 ----D---- C:\Program Files\Common Files\System
2012-06-24 15:17:37 ----D---- C:\Program Files\Common Files\SpeechEngines
2012-06-24 15:17:23 ----D---- C:\Program Files\Common Files\Java
2012-06-24 15:17:23 ----D---- C:\Program Files\Common Files\InstallShield
2012-06-24 15:17:16 ----D---- C:\Program Files\Common Files\Apple
2012-06-24 15:17:08 ----D---- C:\Program Files\Common Files\Adobe
2012-06-24 15:17:07 ----D---- C:\Program Files\Common Files\Adobe AIR
2012-06-24 15:17:06 ----D---- C:\Program Files\Citrix
2012-06-24 15:17:05 ----D---- C:\Program Files\Bytescribe
2012-06-24 15:16:54 ----D---- C:\Program Files\Avira
2012-06-24 15:16:47 ----RHD---- C:\MSOCache
2012-06-15 15:40:54 ----D---- C:\Windows\rescache
2012-06-15 06:40:49 ----A---- C:\Windows\system32\FlashPlayerApp.exe
2012-06-15 03:10:50 ----A---- C:\Windows\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 pciide;pciide; C:\Windows\system32\drivers\pciide.sys [2009-07-13 12368]
R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2009-07-09 45200]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2010-11-20 173440]
R0 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\drivers\vmbus.sys [2010-11-20 175360]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2012-05-08 137928]
R1 avkmgr;avkmgr; C:\Windows\system32\DRIVERS\avkmgr.sys [2011-09-16 36000]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2010-11-20 388096]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2010-06-17 28520]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver; C:\Windows\system32\DRIVERS\tmlwf.sys [2009-07-15 146448]
R1 tmtdi;Trend Micro TDI Driver; C:\Windows\system32\DRIVERS\tmtdi.sys [2009-07-15 89872]
R1 vpcnfltr;Virtual PC Network Filter Driver; C:\Windows\system32\DRIVERS\vpcnfltr.sys [2010-11-20 48128]
R1 vpcvmm;@%SystemRoot%\system32\drivers\vpcvmm.sys,-100; C:\Windows\system32\drivers\vpcvmm.sys [2010-11-20 296064]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2012-05-08 83392]
R2 TmFilter;Trend Micro Filter; \??\c:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2010-05-10 230928]
R2 TmPreFilter;Trend Micro PreFilter; \??\c:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2010-05-10 36368]
R2 tmwfp;Trend Micro WFP Callout Driver; C:\Windows\system32\DRIVERS\tmwfp.sys [2009-07-15 283152]
R2 VSApiNt;Trend Micro VSAPI NT; \??\c:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys [2010-05-10 1322808]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2010-08-25 9024512]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\k57nd60x.sys [2009-08-21 273960]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver; \??\c:\program files\dell support center\pcdsrvc.pkms [2012-03-22 21744]
R3 Sftfs;Sftfs; C:\Windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 579944]
R3 Sftplay;Sftplay; C:\Windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 194408]
R3 Sftredir;Sftredir; C:\Windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 21864]
R3 Sftvol;Sftvol; C:\Windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 19304]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-13 35840]
R3 vpcbus;Virtual PC Host Bus Service; C:\Windows\system32\DRIVERS\vpchbus.sys [2010-11-20 172416]
R3 vpcusb;USB Virtualization Connector Service; C:\Windows\system32\DRIVERS\vpcusb.sys [2010-11-20 78336]
S2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S2 tmcomm;tmcomm; C:\Windows\system32\DRIVERS\tmcomm.sys [2009-07-06 158224]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\Windows\system32\drivers\amdagp.sys [2009-07-13 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 BridgeMP;@%SystemRoot%\system32\bridgeres.dll,-1; C:\Windows\system32\DRIVERS\bridge.sys [2009-07-13 78336]
S3 catchme;catchme; \??\C:\Users\Diane\AppData\Local\Temp\catchme.sys []
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys []
S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2010-11-20 133632]
S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys [2010-11-20 5632]
S3 sisagp;SIS AGP Bus Filter; C:\Windows\system32\drivers\sisagp.sys [2009-07-13 52304]
S3 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys [2010-11-20 28032]
S3 TsUsbFlt;@%SystemRoot%\system32\drivers\tsusbflt.sys,-1; C:\Windows\System32\drivers\tsusbflt.sys [2010-11-20 52224]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2012-02-15 43520]
S3 viaagp;VIA AGP Bus Filter; C:\Windows\system32\drivers\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
S3 VMBusHID;VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys [2010-11-20 17920]
S3 vpcuxd;USB Virtualization Stub Service; C:\Windows\system32\drivers\vpcuxd.sys [2010-11-20 12800]
S3 VX1000;VX-1000; C:\Windows\system32\DRIVERS\VX1000.sys [2010-05-20 1961072]
S3 WinUsb;WinUsb; C:\Windows\system32\DRIVERS\WinUsb.sys [2010-11-20 35968]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 !SASCORE;SAS Core Service; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service; C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R2 AntiVirSchedulerService;Avira Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2012-05-08 86224]
R2 AntiVirService;Avira Realtime Protection; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2012-05-08 110032]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2012-02-27 55144]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2011-08-31 390504]
R2 BPowMon;Broadcom Power monitoring service; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 79168]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 cvhsvc;Client Virtualization Handler; C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
R2 MemeoBackgroundService;MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-05-04 25824]
R2 MSCamSvc;MSCamSvc; C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2010-05-20 139632]
R2 ntrtscan;Trend Micro Client/Server Security Agent RealTime Scan; c:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe [2010-06-22 1323912]
R2 SeagateDashboardService;Seagate Dashboard Service; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-06-01 14088]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\BingBar\SeaPort.EXE [2011-02-25 249648]
R2 sftlist;Application Virtualization Client; C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
R2 svcGenericHost;Trend Micro Client/Server Security Agent; c:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [2010-07-05 45056]
R2 tmlisten;Trend Micro Client/Server Security Agent Listener; c:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [2010-06-22 1358160]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2010-09-21 1710464]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2012-03-27 821608]
R3 sftvsa;Application Virtualization Service Agent; C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall; c:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe [2009-07-15 497008]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service; c:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe [2009-07-15 689416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2011-10-08 136176]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 BBSvc;Bing Bar Update Service; C:\Program Files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
S3 GoToAssist Express Customer;GoToAssist Express Customer; C:\Program Files\Citrix\GoToAssist Express Customer\274\g2ax_service.exe [2011-04-13 161144]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe [2011-03-26 13160]
S3 gupdatem;Google Update Service (gupdatem); C:\Program Files\Google\Update\GoogleUpdate.exe [2011-10-08 136176]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-08 182768]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 149352]
S3 osppsvc;Office Software Protection Platform; C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2009-01-16 74392]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2011-03-26 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service; C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

-----------------EOF-----------------

Edited by pandamom, 25 June 2012 - 07:01 PM.
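Two things in the RSIT log above would get a responder's attention before anything else: the Policies\System block shows UAC switched off (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0), and two DLLs were created directly in the user's AppData\Roaming folder on 24 June. The Python triage script below is an added example, not part of this thread or of RSIT; it parses those sections in the layout RSIT prints and reports both, using a constructed excerpt of the log as its sample input (the UAC default values it compares against are those of a stock Windows 7 installation).

```python
"""Triage helper for RSIT (random's system information tool) info.txt logs.

Added example for this thread; it is not part of the original post or of RSIT.
It reads the [HKEY...] registry blocks and the "files created" section in the
layout RSIT prints and reports two things a responder checks early: UAC policy
values that differ from the Windows 7 defaults, and DLLs created directly
under a user's AppData\\Roaming folder.
"""
import re
from datetime import datetime

# Constructed sample: an excerpt in the shape RSIT writes, taken from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"PromptOnSecureDesktop"=0
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

======List of files/folders created in the last 1 month======

2012-06-25 16:51:29 ----D---- C:\rsit
2012-06-24 16:26:10 ----A---- C:\Users\Diane\AppData\Roaming\setsil.dll
2012-06-24 16:25:11 ----A---- C:\Users\Diane\AppData\Roaming\imtcol.dll
2012-06-21 06:57:27 ----A---- C:\Windows\system32\wups2.dll
"""

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                # "Name"=value
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (-+[A-Z]*-+) (.+)$")

# Values a stock Windows 7 installation carries for the UAC policy entries.
UAC_DEFAULTS = {
    "EnableLUA": "1",                   # 0 switches UAC off entirely
    "ConsentPromptBehaviorAdmin": "5",  # 0 elevates without prompting
    "PromptOnSecureDesktop": "1",       # 0 lets other windows overlay the prompt
}
POLICY_KEY_SUFFIX = r"\microsoft\windows\currentversion\policies\system"


def parse_registry_sections(text):
    """Return {key_path: {value_name: value}} for every [HKEY...] block."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("======"):      # a new RSIT section ends the registry dump
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def parse_created_files(text):
    """Return (timestamp, attributes, path) tuples from the 'created' section."""
    entries, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("======"):
            in_section = "created in the last" in line
            continue
        m = FILE_RE.match(line)
        if in_section and m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((stamp, m.group(2), m.group(3)))
    return entries


def uac_findings(sections):
    """List each UAC policy value that is weaker than the Windows 7 default."""
    findings = []
    for key, values in sections.items():
        if not key.lower().endswith(POLICY_KEY_SUFFIX):
            continue
        for name, default in UAC_DEFAULTS.items():
            actual = values.get(name)
            if actual is not None and actual != default:
                findings.append(f"{name}={actual} (default {default})")
    return findings


def roaming_dlls(entries):
    """Paths of DLLs created directly under <user>\\AppData\\Roaming."""
    pattern = re.compile(r"\\Users\\[^\\]+\\AppData\\Roaming\\[^\\]+\.dll$", re.I)
    return [path for _, _, path in entries if pattern.search(path)]


if __name__ == "__main__":
    regs = parse_registry_sections(SAMPLE_LOG)
    for finding in uac_findings(regs):
        print("UAC:", finding)
    for path in roaming_dlls(parse_created_files(SAMPLE_LOG)):
        print("Roaming DLL:", path)
```

Point the script at a full info.txt to get the same two reports over the whole log; a Roaming DLL is only a lead, so confirm it with the signature and hash checks the helpers here normally ask for.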



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,765 posts
  • Gender:Male

Posted 30 June 2012 - 05:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/458329 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 pandamom

pandamom
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Not Telling

Posted 30 June 2012 - 07:15 PM

Thanks for responding.

I tried running DDS again but it again failed (see above). Twice while it was running, my computer opened an internet browser window and took me to http://media.fastclick.net/w/safepop.cgi?Cid=235730&mid (the second instance was a different Cid=415530&mid). While it ran, it added pound signs (#) to the screen but then locked up after 10 minutes. I tried exiting the program but had to force my computer down with the on/off switch because it was locked up and would not respond to my keyboard.

When my computer came back up, I ran GMER and at first encountered a screen that said "LoadDriver("C:\Users\Diane\AppData\Local\Temp\uxlyrfocs.sys") error 0xC000010E: An instance of the service is already running." It had an OK button and I pressed that and then GMER began to run.

Here is the GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-30 16:56:10
Windows 6.1.7601 Service Pack 1
Running: rlrx2uk8.exe; Driver: C:\Users\Diane\AppData\Local\Temp\uxlyrfoc.sys


---- Files - GMER 1.0.15 ----

File C:\Users\Diane\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5II2M1O\exchange_advertisers_reporting[1].htm 13979 bytes
File C:\Users\Diane\AppData\Local\Temp\fla8B4D.tmp 2780608 bytes
File C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\E1UF5F32.txt 85 bytes
File C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\LZYCPX31.txt 104 bytes
File C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\O6HWEJUC.txt 891 bytes
File C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\SVU1E1Q5.txt 204 bytes
File C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\T341BD5Y.txt 114 bytes
File C:\Users\Diane\AppData\Roaming\Microsoft\Windows\Cookies\K6WJ9UZK.txt 756 bytes
File C:\Program Files\Trend Micro\Client Server Security Agent\Temp\BFC7F5.tmp 0 bytes

---- EOF - GMER 1.0.15 ----

I've attached my ark.txt log. Also, I run a virtual computer running XP Professional.

Here is my system information:

OS Name: MS Windows 7 Professional
Version: 6.1.7601 Service Pack 1 Build 7601
System name: THEPANDAPC
System mfgr: Dell Inc.
BIOS Version: Dell Inc. 1.4.0, 12/9/2010

Attached file: ark.txt (1.56KB)


#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 02 July 2012 - 10:22 PM

Welcome to the forum, pandamom!

If you still need help, let's see if we can get a hold of this computer by using a specialized tool. To do so, I need to know the following...

Do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:
Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?
If you do not have the option above, do you have a Windows Seven installation CD/DVD available?


Also, do you know if the system is 32-bit, or 64-bit?

Go to Start > Control Panel
Type system in the Search Control Panel box (upper right)
Under System, look for: System type
It states either 64-bit Operating System, or, 32-bit Operating System
Please provide the result.


And last, do you have a USB flash drive available, and do you have access to another computer?

Old duck...


#5 pandamom
  • Topic Starter
  • Members
  • 36 posts

Posted 03 July 2012 - 10:07 AM

Thanks for replying.

Yes, I do have the Repair Your Computer option
Yes, I do have the Windows 7 Install CD
32-bit machine
Yes, I do have a flash drive
Yes, I do have access to another computer

#6 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts

Posted 03 July 2012 - 10:35 AM

You have what is needed, so, let's press on...

You may want to print these instructions so you can follow them.

Please plug a flash drive into a clean computer.
Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove when done.

Download Farbar Recovery Scan Tool (32-Bit).
Save the program to the USB flash drive.

Next, plug the flash drive into the infected computer.

>>>Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)
On the System Recovery Options menu you get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt
Select Command Prompt
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • Close out of Notepad.
  • Click the Command window
  • Type g:\frst.exe, and press: Enter
    Note: Replace the drive letter g with the drive letter of your flash drive!
  • The tool starts and prepares to run. Follow the prompts.
  • Click Yes to the disclaimer.
  • Press the Scan button.
  • The program saves the FRST.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: ShutDown

Please provide the FRST.txt in your reply.

Edited by Aaflac, 03 July 2012 - 10:36 AM.

Old duck...


#7 pandamom
  • Topic Starter
  • Members
  • 36 posts

Posted 03 July 2012 - 11:39 AM

I selected the Repair Your Computer menu item as directed and it displays: 'Windows is loading files...' for about 10 minutes now. Should it take this long? It's still trying to load files and I'll just wait if it takes longer. I wasn't sure if my computer had just locked up.

I waited for 20 minutes, it was still at "windows is loading files..." so I forced a shut down, rebooted in Repair my computer mode, and it is sitting at the "Windows is loading files..." screen again. The computer appears to be locked up.

Edited by pandamom, 03 July 2012 - 11:54 AM.


#8 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts

Posted 03 July 2012 - 06:10 PM

Do you have the same problem if you use the Windows Seven installation CD/DVD?


To enter System Recovery Options using the Windows Seven Installation Disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click: Next
  • Select the Operating System you want to repair, and then click: Next
  • Select your user account and click: Next

On the System Recovery Options menu you get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt
Select Command Prompt...

...then press on with the instructions already provided.

Old duck...


#9 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts

Posted 03 July 2012 - 11:11 PM

If the Windows 7 installation CD/DVD gives the same result, then, do the following:

Download an updated version of ComboFix

Save ComboFix.exe to the Desktop!!

Make sure you temporarily disable your AVG AntiVirus, Firewall, and any other AntiSpyware applications. These programs may interfere with the running of CF.

For information on how to disable protective programs, refer to one of these:
Link 1
Link 2

Next, right-click on ComboFix.exe and select 'Run as Administrator'

Follow any prompts.
When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running. This action may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the Internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
4. If ComboFix detects any Rootkit/Bootkit activity, it gives a warning and prompts for a reboot. Please allow it to do so.
5. If ComboFix reboots due to a Rootkit, the screen may stay black for several minutes on reboot. This is normal.
6. If after running ComboFix you receive any type of warning about Registry keys listed for deletion
when trying to open certain items, reboot the system and this will fix the issue. Those items will not be deleted.

Old duck...


#10 pandamom
  • Topic Starter
  • Members
  • 36 posts

Posted 04 July 2012 - 11:10 AM

We were able to use the Wdw 7 Install CD to run FARBAR. We saw your post for using Combofix, but have NOT yet executed those instructions because this run of FARBAR worked.

Here is the resulting FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 01-07-2012
Ran by SYSTEM at 04-07-2012 09:01:23
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [OfficeScanNT Monitor] "c:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow [1099088 2010-06-25] (Trend Micro Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKLM\...\Run: [VX1000] C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [] [x]
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [348624 2012-05-08] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Memeo Instant Backup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui [136416 2011-05-04] (Memeo Inc.)
HKLM\...\Run: [Memeo AutoSync] C:\Program Files\Memeo\AutoSync\MemeoLauncher2.exe --silent [144608 2011-05-04] (Memeo Inc.)
HKLM\...\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui [79112 2011-06-01] ()
HKLM\...\Run: [imtcol] rundll32.exe "C:\Users\Diane\AppData\Roaming\imtcol.dll",AddColumn [120832 2012-06-24] (Duplex Secure Ltd.)
HKLM\...\Run: [setsil] "C:\Windows\System32\rundll32.exe" "C:\Users\Diane\AppData\Roaming\setsil.dll",LoadVolumeFromFileInMemory [352768 2012-06-24] ()
HKLM\...\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [119152 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKU\Diane\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [3905408 2012-06-11] (SUPERAntiSpyware.com)
HKU\Diane\...\Run: [Google Update] "C:\Users\Diane\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-03-26] (Google Inc.)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [X]
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll [X]
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Express Customer\274\g2ax_winlogon.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 66.60.130.158

================================ Services (Whitelisted) ==================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2011-08-11] (SUPERAntiSpyware.com)
2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [86224 2012-05-08] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [110032 2012-05-08] (Avira Operations GmbH & Co. KG)
2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [79168 2009-08-17] (Broadcom Corp.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 GoToAssist Express Customer; "C:\Program Files\Citrix\GoToAssist Express Customer\274\g2ax_service.exe" "Start=service" [161144 2011-04-13] (Citrix Online, a division of Citrix Systems, Inc.)
2 MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [25824 2011-05-04] (Memeo)
3 osppsvc; "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [4640000 2010-01-09] (Microsoft Corporation)
2 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2011-06-01] (Memeo)
2 ntrtscan; "c:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe" [x]
2 svcGenericHost; "c:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe" [x]
2 tmlisten; "c:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe" [x]
3 TmPfw; "c:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe" [x]
3 TmProxy; "c:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe" [x]

========================== Drivers (Whitelisted) =============

2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83392 2012-05-08] (Avira GmbH)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137928 2012-05-08] (Avira GmbH)
1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2011-09-16] (Avira GmbH)
3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-21] (Broadcom Corporation)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [158224 2009-07-06] (Trend Micro Inc.)
2 TmFilter; \??\c:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [230928 2010-05-10] (Trend Micro Inc.)
1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [146448 2009-07-15] (Trend Micro Inc.)
2 TmPreFilter; \??\c:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys [36368 2010-05-10] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [89872 2009-07-15] (Trend Micro Inc.)
2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [283152 2009-07-15] (Trend Micro Inc.)
3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
3 vpcuxd; C:\Windows\system32\drivers\vpcuxd.sys [12800 2010-11-20] (Microsoft Corporation)
1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)
2 VSApiNt; \??\c:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys [1322808 2010-05-10] (Trend Micro Inc.)
3 VX1000; C:\Windows\System32\DRIVERS\VX1000.sys [1961072 2010-05-20] (Microsoft Corporation)
3 catchme; \??\C:\Users\Diane\AppData\Local\Temp\catchme.sys [x]
3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHDA.sys [x]
3 PCDSRVC{E9D79540-57D5953E-06020101}_0; \??\c:\program files\dell support center\pcdsrvc.pkms [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-04 09:00 - 2012-07-04 09:01 - 00000000 ____D C:\FRST
2012-07-03 07:04 - 2012-07-03 07:04 - 00057560 ____A C:\Users\Diane\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-03 07:03 - 2012-07-04 07:47 - 00000906 ____A C:\Windows\setupact.log
2012-07-03 07:03 - 2012-07-03 07:03 - 00266896 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-03 07:03 - 2012-07-03 07:03 - 00000000 ____A C:\Windows\setuperr.log
2012-06-30 15:56 - 2012-06-30 15:56 - 00001600 ____A C:\Users\Diane\Desktop\ark.txt
2012-06-30 15:21 - 2012-06-30 15:21 - 03485774 ____A C:\Users\Diane\Desktop\PandaPC.nfo
2012-06-30 15:18 - 2012-06-30 15:18 - 00302592 ____A C:\Users\Diane\Desktop\rlrx2uk8.exe
2012-06-30 15:15 - 2012-06-30 15:15 - 00607260 ____R (Swearware) C:\Users\Diane\Desktop\dds.scr
2012-06-25 15:51 - 2012-06-25 15:51 - 00000000 ____D C:\rsit
2012-06-25 13:36 - 2012-06-25 13:36 - 00000000 ____A C:\Users\Diane\defogger_reenable
2012-06-25 11:51 - 2012-06-25 11:51 - 00001304 ____A C:\Users\Diane\Desktop\Notepad.lnk
2012-06-25 11:21 - 2012-06-25 15:54 - 00000000 ____D C:\Users\Diane\Downloads\Cleaning
2012-06-25 06:45 - 2012-06-25 06:51 - 00000000 ___SD C:\ComboFix
2012-06-24 22:58 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-24 22:58 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-24 22:58 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-24 22:58 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-24 22:58 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-24 22:58 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-24 22:58 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-24 22:58 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-24 22:44 - 2012-06-24 22:57 - 00000000 ____D C:\Qoobox
2012-06-24 22:42 - 2012-06-24 22:48 - 00000000 ____D C:\Windows\erdnt
2012-06-24 22:41 - 2012-06-24 22:41 - 04567243 ____R (Swearware) C:\Users\Diane\Downloads\ComboFix.exe
2012-06-24 22:27 - 2012-06-24 22:27 - 02128472 ____A (Kaspersky Lab ZAO) C:\Users\Diane\Desktop\tdsskiller.exe
2012-06-24 22:05 - 2012-06-24 22:19 - 00000000 ____D C:\Program Files\Exterminate It!
2012-06-24 22:05 - 2012-06-24 22:05 - 00001045 ____A C:\Users\Public\Desktop\Exterminate It!.lnk
2012-06-24 21:50 - 2012-06-24 21:50 - 00001248 ____A C:\Users\Diane\Desktop\ProcExplorer.lnk
2012-06-24 18:22 - 2012-07-03 07:08 - 00279337 ____A C:\Windows\WindowsUpdate.log
2012-06-24 15:26 - 2012-06-24 15:26 - 00352768 ____A C:\Users\Diane\AppData\Roaming\setsil.dll
2012-06-24 15:26 - 2012-06-24 15:26 - 00000000 ____D C:\Windows\scoped_dir_32204
2012-06-24 15:26 - 2012-06-24 15:26 - 00000000 ____D C:\Users\Diane\AppData\Local\{FAC50208-BE53-11E1-8270-B8AC6F996F26}
2012-06-24 15:25 - 2012-06-24 15:25 - 00120832 ____A (Duplex Secure Ltd.) C:\Users\Diane\AppData\Roaming\imtcol.dll
2012-06-24 12:45 - 2012-06-24 12:53 - 00000256 ____A C:\Users\All Users\kefotInIfmoOt9
2012-06-24 12:45 - 2012-06-24 12:45 - 00000152 ____A C:\Users\All Users\-kefotInIfmoOt9r
2012-06-24 12:45 - 2012-06-24 12:45 - 00000000 ____A C:\Users\All Users\-kefotInIfmoOt9
2012-06-21 05:57 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 05:57 - 2012-06-02 14:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 05:57 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 05:57 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 05:57 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 05:57 - 2012-06-02 14:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-20 14:25 - 2012-06-24 14:33 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-06-20 14:25 - 2012-06-20 14:25 - 00001967 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-06-20 07:47 - 2012-06-20 09:35 - 00000000 ___HD C:\Users\Diane\Documents\RECIPES
2012-06-14 05:03 - 2012-05-14 19:03 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-14 05:03 - 2012-05-14 19:00 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-14 05:03 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-14 05:03 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-14 05:03 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-14 05:03 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-14 05:03 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-14 05:03 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-14 05:03 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-14 05:03 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-14 05:03 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-14 05:03 - 2012-04-19 21:00 - 01231360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-14 05:03 - 2012-04-19 21:00 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-14 05:03 - 2012-04-19 20:57 - 06027776 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 05:03 - 2012-04-19 20:57 - 00627712 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-14 05:03 - 2012-04-19 20:57 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-14 05:03 - 2012-04-19 20:56 - 11020800 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-14 05:03 - 2012-04-19 20:56 - 02073600 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-14 05:03 - 2012-04-19 20:56 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-14 05:03 - 2012-04-19 19:16 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-14 05:03 - 2012-04-16 20:34 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 05:03 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

============ 3 Months Modified Files ========================

2012-07-04 07:47 - 2012-07-03 07:03 - 00000906 ____A C:\Windows\setupact.log
2012-07-04 07:46 - 2011-10-08 20:09 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-04 07:46 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-03 07:08 - 2012-06-24 18:22 - 00279337 ____A C:\Windows\WindowsUpdate.log
2012-07-03 07:08 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-03 07:08 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-03 07:07 - 2011-04-18 11:05 - 00000031 ____A C:\tmuninst.ini
2012-07-03 07:04 - 2012-07-03 07:04 - 00057560 ____A C:\Users\Diane\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-03 07:03 - 2012-07-03 07:03 - 00266896 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-03 07:03 - 2012-07-03 07:03 - 00000000 ____A C:\Windows\setuperr.log
2012-06-30 16:12 - 2011-03-26 17:03 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1138447411-1991068916-1511503196-1000UA.job
2012-06-30 15:56 - 2012-06-30 15:56 - 00001600 ____A C:\Users\Diane\Desktop\ark.txt
2012-06-30 15:21 - 2012-06-30 15:21 - 03485774 ____A C:\Users\Diane\Desktop\PandaPC.nfo
2012-06-30 15:18 - 2012-06-30 15:18 - 00302592 ____A C:\Users\Diane\Desktop\rlrx2uk8.exe
2012-06-30 15:15 - 2012-06-30 15:15 - 00607260 ____R (Swearware) C:\Users\Diane\Desktop\dds.scr
2012-06-30 15:10 - 2012-04-05 14:05 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-06-30 13:34 - 2011-10-08 20:09 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-30 13:12 - 2011-03-26 17:03 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1138447411-1991068916-1511503196-1000Core.job
2012-06-25 13:36 - 2012-06-25 13:36 - 00000000 ____A C:\Users\Diane\defogger_reenable
2012-06-25 11:51 - 2012-06-25 11:51 - 00001304 ____A C:\Users\Diane\Desktop\Notepad.lnk
2012-06-25 11:21 - 2011-03-11 16:56 - 00742066 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-24 22:41 - 2012-06-24 22:41 - 04567243 ____R (Swearware) C:\Users\Diane\Downloads\ComboFix.exe
2012-06-24 22:27 - 2012-06-24 22:27 - 02128472 ____A (Kaspersky Lab ZAO) C:\Users\Diane\Desktop\tdsskiller.exe
2012-06-24 22:05 - 2012-06-24 22:05 - 00001045 ____A C:\Users\Public\Desktop\Exterminate It!.lnk
2012-06-24 21:50 - 2012-06-24 21:50 - 00001248 ____A C:\Users\Diane\Desktop\ProcExplorer.lnk
2012-06-24 19:19 - 2011-03-11 17:02 - 00111152 ____A C:\Windows\System32\TmInstall.log
2012-06-24 15:26 - 2012-06-24 15:26 - 00352768 ____A C:\Users\Diane\AppData\Roaming\setsil.dll
2012-06-24 15:25 - 2012-06-24 15:25 - 00120832 ____A (Duplex Secure Ltd.) C:\Users\Diane\AppData\Roaming\imtcol.dll
2012-06-24 12:53 - 2012-06-24 12:45 - 00000256 ____A C:\Users\All Users\kefotInIfmoOt9
2012-06-24 12:45 - 2012-06-24 12:45 - 00000152 ____A C:\Users\All Users\-kefotInIfmoOt9r
2012-06-24 12:45 - 2012-06-24 12:45 - 00000000 ____A C:\Users\All Users\-kefotInIfmoOt9
2012-06-21 11:34 - 2011-04-17 14:39 - 00005120 ____A C:\Users\Diane\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-20 14:25 - 2012-06-20 14:25 - 00001967 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-06-19 10:12 - 2012-04-05 14:05 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-06-15 05:40 - 2012-04-09 13:31 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-15 05:40 - 2011-09-07 05:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-15 02:10 - 2011-03-29 18:55 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-11 21:13 - 2011-03-26 17:04 - 00002407 ____A C:\Users\Diane\Desktop\Google Chrome.lnk
2012-06-02 14:19 - 2012-06-21 05:57 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 05:57 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-21 05:57 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 05:57 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:12 - 2012-06-21 05:57 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 05:57 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-29 06:00 - 2011-06-14 14:38 - 00148992 __ASH C:\Users\Diane\Documents\Thumbs.db
2012-05-14 19:03 - 2012-06-14 05:03 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 19:00 - 2012-06-14 05:03 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 17:05 - 2012-06-14 05:03 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-08 05:24 - 2012-02-16 07:22 - 00137928 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
2012-05-08 05:24 - 2012-02-16 07:22 - 00083392 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys
2012-04-30 20:44 - 2012-06-14 05:03 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-14 05:03 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 20:45 - 2012-06-14 05:03 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-14 05:03 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-14 05:03 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 20:36 - 2012-06-14 05:03 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:36 - 2012-06-14 05:03 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:36 - 2012-06-14 05:03 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-19 21:00 - 2012-06-14 05:03 - 01231360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-19 21:00 - 2012-06-14 05:03 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-19 20:57 - 2012-06-14 05:03 - 06027776 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-19 20:57 - 2012-06-14 05:03 - 00627712 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-04-19 20:57 - 2012-06-14 05:03 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-19 20:56 - 2012-06-14 05:03 - 11020800 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-19 20:56 - 2012-06-14 05:03 - 02073600 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-19 20:56 - 2012-06-14 05:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-19 19:16 - 2012-06-14 05:03 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-16 20:34 - 2012-06-14 05:03 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-09 13:24 - 2012-04-09 13:24 - 00001755 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-08 07:41 - 2012-04-08 07:41 - 00738926 ___AH C:\Users\Diane\Documents\AllKids2.rtf
2012-04-08 07:39 - 2012-04-08 07:39 - 00734682 ___AH C:\Users\Diane\Documents\AllKids1.rtf
2012-04-08 07:34 - 2012-04-08 07:34 - 00717938 ___AH C:\Users\Diane\Documents\KikiAlishaPics2.rtf
2012-04-08 07:29 - 2012-04-08 07:29 - 00691423 ___AH C:\Users\Diane\Documents\KikiAlishaPics1.rtf
2012-04-08 06:49 - 2012-04-08 06:49 - 00262262 ___AH C:\Users\Diane\Documents\KikiAlishaBatman2.rtf
2012-04-07 03:26 - 2012-06-14 05:03 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll


ZeroAccess:
C:\Windows\Installer\{c4d025a9-6177-a39c-16ac-9c884dadcd2a}
C:\Windows\Installer\{c4d025a9-6177-a39c-16ac-9c884dadcd2a}\L
C:\Windows\Installer\{c4d025a9-6177-a39c-16ac-9c884dadcd2a}\U

ZeroAccess:
C:\Users\Diane\AppData\Local\{c4d025a9-6177-a39c-16ac-9c884dadcd2a}
C:\Users\Diane\AppData\Local\{c4d025a9-6177-a39c-16ac-9c884dadcd2a}\L
C:\Users\Diane\AppData\Local\{c4d025a9-6177-a39c-16ac-9c884dadcd2a}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 4060.8 MB
Available physical RAM: 3367.3 MB
Total Pagefile: 4059.08 MB
Available Pagefile: 3388.61 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.3 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:218.63 GB) (Free:134.46 GB) NTFS
2 Drive e: (WIN_7_PROFESSIONAL) (CDROM) (Total:4.78 GB) (Free:0 GB) UDF
3 Drive f: (USB20FD) (Removable) (Total:3.77 GB) (Free:3.77 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:14.15 GB) (Free:8.79 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 3864 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 218 GB 14 GB
Partition 4 Primary 1609 KB 232 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 14 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 218 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3863 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F USB20FD FAT32 Removable 3863 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-27 23:10

======================= End Of Log ==========================

Attached Files

  • Attached File  FRST.txt   25.54KB   0 downloads


#11 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:03:26 AM

Posted 04 July 2012 - 01:52 PM

:thumbup2:

Good decision.

Please hold off on ComboFix, unless it becomes necessary to run it.

Looks like this is a Dell computer. Is that correct?
If not, what brand name is it?

There is a partition on the hard disk that we need to check out. However, it may be a partition created by the manufacturer, and of no concern.


Let's press on…

Open Notepad (Start > All Programs > Accessories > Notepad)

Copy the entire contents of the code box below to Notepad.

start
HKLM\...\Run: [] [x]
C:\Windows\Installer\{c4d025a9-6177-a39c-16ac-9c884dadcd2a}
C:\Users\Diane\AppData\Local\{c4d025a9-6177-a39c-16ac-9c884dadcd2a}
end
  • In Notepad, go to File > Save as...
  • Save to: the USB flash drive, or SD Card
  • In File name use: fixlist.txt
  • Click: Save
Have FRST.exe and fixlist.txt as the only items on the flash drive, or, SD Card.

Next, plug the flash drive into the infected computer. Use the same USB port as before.
It shows as: Running from F:\

Now, please enter System Recovery Options like you did previously:
  • >>> Restart the computer, etc. > select: Command Prompt
  • Type f:\frst.exe, and press: Enter
  • In FRST, this time press the Fix button.
  • When done, the program saves a Fixlog.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: Restart
  • Let the computer boot normally.
Please copy/paste the Fixlog.txt (found in the flash drive) in your reply.

Old duck...


#12 pandamom

pandamom
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:26 AM

Posted 04 July 2012 - 03:19 PM

Yes it is a Dell.

Here's the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 01-07-2012
Ran by SYSTEM at 2012-07-04 13:12:36 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\Installer\{c4d025a9-6177-a39c-16ac-9c884dadcd2a} moved successfully.
C:\Users\Diane\AppData\Local\{c4d025a9-6177-a39c-16ac-9c884dadcd2a} moved successfully.

==== End of Fixlog ====



#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:03:26 AM

Posted 04 July 2012 - 05:09 PM

:thumbup2:

BTW, you do not need to attach files. Posting them is best...easier to read. Thanks!


There is a partition in your hard drive created by malware. It is a hidden partition from which malware 'operates'.

So, let's 'cut to the chase'!

Please download ListParts
Save to the Desktop

Now, plug the flash drive you are using into the infected computer.

Open Notepad (Press 'Start' orb 'R', and in the Open area, type: notepad)

Copy/paste the following information inside the code box to Notepad:

Disk=0 Partition=2 active
bcdedit
Disk=0 Partition=4 type=07

In Notepad, go to File > Save as...
Save to: the USB flash drive
In File name use: fix.txt
Click: Save


Now, save ListParts.exe (which should be on the Desktop), and the fix.txt file (created in Notepad) on the flash drive.


Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
  • Select Command Prompt
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • With the flash drive and Notepad open, click the Command window
  • Type f:\listparts.exe, and press: Enter
Note: Replace the drive letter f with the drive letter of your flash drive, if different!
  • ListParts now shows on the screen.
  • Press the Fix button.
  • When done, check the List BCD option on the ListParts screen, and click: Scan
  • If successful, the following appears: "Scan completed. Result.txt was saved in the same directory the tool is run", click: OK
  • The program saves the Result.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Close out of everything else.
  • Back at the System Recovery Options, press: Restart, and boot normally into Windows.

Once back in Windows, open the USB flash drive, copy/paste the Result.txt, and provide it in your reply.


Then, run a new Scan with ListParts in normal Windows, and also post the new Result.txt in your reply.

Old duck...

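As an added example (not the thread's own instructions nor Farbar's code), here is a Python check that parses the per-partition blocks of a ListParts/FRST report in the format posted above and flags any partition showing the traits Aaflac is pointing at: marked active yet hidden, backed by no volume, or carrying a type id you would not expect on a Windows 7 OEM disk. The log excerpt is constructed to mirror the pre-fix report, and the list of expected type ids is an assumption for this disk layout.

```python
import re

# Constructed excerpt in the ListParts/FRST partition-report format seen in this thread:
# a hidden Dell OEM partition (harmless, it has a volume) and the pre-fix partition 4.
SAMPLE_LOG = """\
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

* Volume 4 FAT Partition 39 MB Healthy Hidden
=====
Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.
"""

# One Disk/Partition/Type/Hidden/Active block plus what follows it, up to the next '=' separator line or end of log.
BLOCK_RE = re.compile(
    r"Disk: (?P<disk>\d+)\nPartition (?P<part>\d+)\nType : (?P<type>[0-9A-Fa-f]{2})[^\n]*\n"
    r"Hidden: (?P<hidden>Yes|No)\nActive: (?P<active>Yes|No)\n\n(?P<rest>.*?)(?=\n=+\n|\Z)",
    re.S,
)

# Assumed set of type ids normal for this layout: NTFS (07), FAT32 (0B/0C), Dell utility (DE).
EXPECTED_TYPES = {"07", "0B", "0C", "DE"}

def parse_partitions(log):
    """One dict per partition block in a ListParts-style report."""
    return [{
        "disk": int(m["disk"]), "part": int(m["part"]), "type": m["type"].upper(),
        "hidden": m["hidden"] == "Yes", "active": m["active"] == "Yes",
        "has_volume": "no volume associated" not in m["rest"],
    } for m in BLOCK_RE.finditer(log)]

def find_suspicious(parts):
    """Flag partitions with the traits of a bootkit's hidden boot partition."""
    findings = []
    for p in parts:
        reasons = []
        if p["active"] and not p["has_volume"]:
            reasons.append("active but has no volume")
        if p["active"] and p["hidden"]:
            reasons.append("active and hidden")
        if p["type"] not in EXPECTED_TYPES:
            reasons.append("unexpected type id " + p["type"])
        if reasons:
            findings.append((p["disk"], p["part"], reasons))
    return findings
```

Run on the constructed log, only Disk 0 Partition 4 is reported, with all three reasons; the hidden OEM partition passes because it is inactive and has a volume.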

#14 pandamom

pandamom
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:26 AM

Posted 05 July 2012 - 10:55 AM

I ran the listparts and the result files are listed below. After Windows started on my infected computer, I received an Avira security alert which stated: A virus or unwanted program 'BOO/TDss.O' was found in 'Master Boot Sector' of drive E:. Please select action: Remove or Details. I chose Remove.



Here is the result.txt from the flash drive:

ListParts by Farbar Version: 04-07-2012 01
Ran by SYSTEM (administrator) on 05-07-2012 at 08:42:57
Windows 7 (X86)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 4060.8 MB
Available physical RAM: 3443.75 MB
Total Pagefile: 4059.08 MB
Available Pagefile: 3447.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.54 MB

======================= Partitions =========================

1 Drive c: (RECOVERY) (Fixed) (Total:14.15 GB) (Free:8.79 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (OS) (Fixed) (Total:218.63 GB) (Free:134.3 GB) NTFS
3 Drive e: (WIN_7_PROFESSIONAL) (CDROM) (Total:4.78 GB) (Free:0 GB) UDF
4 Drive f: (USB20FD) (Removable) (Total:3.77 GB) (Free:3.77 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 3864 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 218 GB 14 GB
Partition 4 Primary 1609 KB 232 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C RECOVERY NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D OS NTFS Partition 218 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G RAW Partition 1609 KB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3863 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F USB20FD FAT32 Removable 3863 MB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {a2d59819-4c4e-11e0-8cf8-f04da2ec9fef}
resumeobject {a2d59818-4c4e-11e0-8cf8-f04da2ec9fef}
displayorder {a2d59819-4c4e-11e0-8cf8-f04da2ec9fef}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {a2d59819-4c4e-11e0-8cf8-f04da2ec9fef}
device partition=D:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {a2d5981a-4c4e-11e0-8cf8-f04da2ec9fef}
recoveryenabled Yes
osdevice partition=D:
systemroot \Windows
resumeobject {a2d59818-4c4e-11e0-8cf8-f04da2ec9fef}
nx OptIn

Windows Boot Loader
-------------------
identifier {a2d5981a-4c4e-11e0-8cf8-f04da2ec9fef}
device ramdisk=[C:]\Recovery\WindowsRE\Winre.wim,{a2d5981b-4c4e-11e0-8cf8-f04da2ec9fef}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[C:]\Recovery\WindowsRE\Winre.wim,{a2d5981b-4c4e-11e0-8cf8-f04da2ec9fef}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {a2d59818-4c4e-11e0-8cf8-f04da2ec9fef}
device partition=D:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=D:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {a2d5981b-4c4e-11e0-8cf8-f04da2ec9fef}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\WindowsRE\boot.sdi


****** End Of Log ******

And here is the result.txt from the desktop run of listparts:

ListParts by Farbar Version: 04-07-2012 01
Ran by Diane (administrator) on 05-07-2012 at 08:50:30
Windows 7 (X86)
Running From: C:\Users\Diane\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 41%
Total physical RAM: 3036.8 MB
Available physical RAM: 1763.09 MB
Total Pagefile: 6071.89 MB
Available Pagefile: 4324.65 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.36 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:218.63 GB) (Free:134.29 GB) NTFS
4 Drive f: (USB20FD) (Removable) (Total:3.77 GB) (Free:3.77 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 3864 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 218 GB 14 GB
Partition 4 Primary 1609 KB 232 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 RECOVERY NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 218 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RAW Partition 1609 KB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3863 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F USB20FD FAT32 Removable 3863 MB Healthy

======================================================================================================

****** End Of Log ******

#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:03:26 AM

Posted 05 July 2012 - 11:07 AM

ListParts got the bogus partition, so the following should confirm:

Please download the latest version of: TDSSKiller.exe
Save to the Desktop.

Execute the downloaded file:
Windows Seven: Right-click the file and select 'Run as Administrator'

In the TDSSKiller Scan prompt, click on: Change parameters
Check the box beside: Detect TDLFS file system
Click: OK

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default).
Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.

A Reboot Required prompt may appear after a disinfection.
Please reboot!!


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_22.02.2012_15.31.43_log.txt

Please post the TDSSKiller log in your reply.

Also need to know whether TDSSKiller needed a reboot.

Old duck...




