Metropolitan Police Ransomware

Post by ColinL » October 19th, 2012, 4:06 pm

Hi there,

I was randomly surfing about last night when all of a sudden I got this screen up saying the police had locked my machine or some such garbage. The page that was shown was very impressive, insomuch as it looked almost legit until I took 3 seconds to read it.

Pretty sure it said something along the lines of "these crimes are discretionary and can be removed if you pay £100".

Bullshit, I thought. I couldn't do anything as Windows was locked down. Couldn't open anything, couldn't alt-F4 out of the page, couldn't alt-tab, couldn't even get the process manager up to kill the bloody thing.

I did a hard reset and hit F8 to try and get safe mode with networking. Alas, not!

Tried again, just with the cmd prompt, and luckily I could get in; after launching explorer.exe I could run a virus scan (Avast) and set it to automagically fix issues.

I can now get back into Windows in normal mode, but I do not trust for a second that it is fully gone! Internet is slow. Popups are being shown, etc.

I do a lot of banking and purchasing through the laptop (not that I will be doing anything like that until I have had an expert opinion).

System Info (not sure if this is required or not but I'll save time and give it to you just now):

Model: Dell M5040
Processor: AMD C-60 (w Radeon Graphics) 1.0 GHz
RAM: 4GB
OS: Windows 7 Home Premium 64-bit (SP1)
AntiVirus: Avast Free

Erm... that's about it. I hope this is enough detail for you, but if not, please give me a shout and I'll get back to you asap.

Thanks for taking the time to help me out, it is hugely appreciated.

Colin.


Logs are attached below:

DDS:

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.9.2
Run by Jacklyn at 20:55:05 on 2012-10-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3692.2096 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
c:\xampp\apache\bin\httpd.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\xampp\mysql\bin\mysqld.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files\DellTPad\Apoint.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\windows\system32\conhost.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\NOTEPAD.EXE
C:\windows\system32\DllHost.exe
C:\windows\system32\taskeng.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: {ba14329e-9550-4989-b3f2-9732e92d17cc} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Google Update] "C:\Users\Jacklyn\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Spotify] "C:\Users\Jacklyn\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
uRun: [Spotify Web Helper] "C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe /boot
mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Jacklyn\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ctfmon.lnk - C:\ProgramData\lsass.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\windows\Installer\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}\Icon09DB8A851.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{87D899B5-EEBA-4AC0-AD7F-31EF7DE59B20} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{87D899B5-EEBA-4AC0-AD7F-31EF7DE59B20}\D41627B69647D275966696 : DHCPNameServer = 192.168.191.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe -Quiet
x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinsta ... s-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinsta ... s-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinsta ... s-i586.cab
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\windows\System32\drivers\amd_sata.sys [2012-3-28 79488]
R0 amd_xata;amd_xata;C:\windows\System32\drivers\amd_xata.sys [2012-3-28 40064]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2012-3-28 55856]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswSnx.sys [2012-7-25 969200]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswSP.sys [2012-7-25 359464]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-3-28 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2012-3-28 204288]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-8-6 365568]
R2 Apache2.2;Apache2.2;C:\xampp\apache\bin\httpd.exe [2011-9-10 18432]
R2 aswFsBlk;aswFsBlk;C:\windows\System32\drivers\aswFsBlk.sys [2012-7-25 25232]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2012-7-25 71600]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-8-23 44808]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-3-28 1692480]
R3 amdiox64;AMD IO Driver;C:\windows\System32\drivers\amdiox64.sys [2012-3-28 46136]
R3 amdkmdag;amdkmdag;C:\windows\System32\drivers\atikmdag.sys [2012-3-28 9978880]
R3 amdkmdap;amdkmdap;C:\windows\System32\drivers\atikmpag.sys [2012-3-28 309248]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\System32\drivers\AtihdW76.sys [2012-3-28 231440]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\System32\drivers\CtClsFlt.sys [2012-3-28 176096]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 usbfilter;AMD USB Filter Driver;C:\windows\System32\drivers\usbfilter.sys [2012-3-28 47232]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\System32\drivers\vwifimp.sys [2009-7-14 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-15 250808]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-8-17 25584]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-3-28 250984]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-6-11 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== Created Last 30 ================
.
2012-10-19 19:39:47 95208 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-10-19 18:40:55 388096 ----a-r- C:\Users\Jacklyn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-10-19 18:35:25 -------- d-----w- C:\ProgramData\PC Tools
2012-10-19 18:35:24 -------- d-----w- C:\Users\Jacklyn\AppData\Roaming\TestApp
2012-10-19 18:22:01 -------- d-----w- C:\windows\pss
2012-10-19 17:53:20 9291768 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D5A1F621-6B55-4833-B1BF-4355C8924452}\mpengine.dll
2012-10-19 17:46:32 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{6DA5DAD7-0C5E-4638-AE98-8A31B838EB27}
2012-10-18 23:59:24 44544 ----a-w- C:\ProgramData\lsass.exe
2012-10-14 18:37:13 -------- d-----w- C:\Users\Jacklyn\AppData\Local\Dell Edoc Viewer
2012-10-13 01:27:59 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{66A6EFE5-84F2-49F7-8620-33D118BFF744}
2012-10-12 12:47:45 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{E66C16C7-A407-439A-AEFB-0BA9FD6B190A}
2012-10-11 16:03:54 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{EE4A6E54-3801-42B0-97C0-920EA687968D}
2012-10-10 17:17:53 220160 ----a-w- C:\windows\System32\wintrust.dll
2012-10-10 17:17:53 172544 ----a-w- C:\windows\SysWow64\wintrust.dll
2012-10-10 17:17:35 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2012-10-10 17:17:35 2048 ----a-w- C:\windows\System32\tzres.dll
2012-10-10 17:17:17 715776 ----a-w- C:\windows\System32\kerberos.dll
2012-10-10 17:17:17 542208 ----a-w- C:\windows\SysWow64\kerberos.dll
2012-10-10 17:17:03 1464320 ----a-w- C:\windows\System32\crypt32.dll
2012-10-10 17:17:02 1159680 ----a-w- C:\windows\SysWow64\crypt32.dll
2012-10-10 17:17:01 184320 ----a-w- C:\windows\System32\cryptsvc.dll
2012-10-10 17:17:01 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
2012-10-10 17:17:01 140288 ----a-w- C:\windows\System32\cryptnet.dll
2012-10-10 17:17:01 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
2012-10-01 16:51:41 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{1C90144F-9726-4D9F-8A38-FEA2D8844A41}
2012-09-30 16:22:47 -------- d-----w- C:\Users\Jacklyn\AppData\Local\Microsoft Games
2012-09-30 11:12:53 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{6AC53B89-442E-457A-A288-9CF6177AC8CB}
2012-09-28 07:03:00 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{5862D5A3-519F-4D8E-B3FD-834C0E795F71}
2012-09-27 02:00:30 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{40B50D8C-E0E5-4700-87EE-06A75F1C518A}
2012-09-26 18:47:56 245760 ----a-w- C:\windows\System32\OxpsConverter.exe
2012-09-26 09:51:12 -------- d-----w- C:\Program Files\Common Files\Deterministic Networks
2012-09-26 09:51:12 -------- d-----w- C:\Program Files (x86)\Cisco Systems
2012-09-25 23:51:06 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{1AA034B2-E608-4C51-B130-55B365A28467}
2012-09-24 23:49:26 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{5CB659D4-4BF9-4BB7-A104-8B694C4E88A9}
2012-09-22 12:42:23 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{FA0F6A67-6B65-45C8-9ABA-F5EACD1F0D06}
2012-09-21 16:36:49 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{4722EE58-35B5-4742-8D51-D56B475011AB}
2012-09-20 19:21:16 -------- d-----w- C:\Users\Jacklyn\AppData\Local\{9D63138C-61A4-42D4-9521-A2DE671F641C}
.
==================== Find3M ====================
.
2012-10-09 16:51:23 696760 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-10-09 16:51:22 73656 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-17 20:15:51 560184 ----a-w- C:\windows\System32\drivers\sptd.sys
2012-09-15 18:10:50 821736 ----a-w- C:\windows\SysWow64\npDeployJava1.dll
2012-09-15 18:10:50 746984 ----a-w- C:\windows\SysWow64\deployJava1.dll
2012-08-31 18:19:35 1659760 ----a-w- C:\windows\System32\drivers\ntfs.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-08-24 10:31:32 2312704 ----a-w- C:\windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-08-22 18:12:50 1913200 ----a-w- C:\windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40 950128 ----a-w- C:\windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 09:13:13 969200 ----a-w- C:\windows\System32\drivers\aswSnx.sys
2012-08-21 09:13:12 71600 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2012-08-21 09:13:12 54072 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2012-08-21 09:12:33 41224 ----a-w- C:\windows\avastSS.scr
2012-08-20 18:48:44 362496 ----a-w- C:\windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2012-08-20 15:38:20 2048 ----a-w- C:\windows\SysWow64\user.exe
2012-08-20 15:33:28 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-08-02 17:58:52 574464 ----a-w- C:\windows\System32\d3d10level9.dll
2012-08-02 16:57:20 490496 ----a-w- C:\windows\SysWow64\d3d10level9.dll
2010-08-03 10:11:16 819200 --sha-w- C:\windows\SysWOW64\xvidcore.dll
2010-08-03 10:11:16 180224 --sha-w- C:\windows\SysWOW64\xvidvfw.dll
.
============= FINISH: 20:56:07.85 ===============


Attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 10/06/2012 22:55:42
System Uptime: 19/10/2012 20:44:47 (0 hours ago)
.
Motherboard: Dell Inc. | | 05X5JT
Processor: AMD C-60 APU with Radeon(tm) HD Graphics | CPU 1 | 1000/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 336.347 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter for 64-bit Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter for 64-bit Windows
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SBRE
Device ID: ROOT\LEGACY_SBRE\0000
Manufacturer:
Name: SBRE
PNP Device ID: ROOT\LEGACY_SBRE\0000
Service: SBRE
.
==== System Restore Points ===================
.
RP62: 02/10/2012 18:01:35 - Windows Update
RP63: 06/10/2012 12:54:10 - Windows Update
RP64: 09/10/2012 17:01:12 - Windows Update
RP65: 11/10/2012 17:00:40 - Windows Update
RP66: 12/10/2012 00:20:56 - Windows Update
RP67: 16/10/2012 17:49:37 - Windows Update
RP68: 19/10/2012 18:52:36 - Windows Update
RP69: 19/10/2012 19:16:31 - Removed Zinio Reader 4
RP70: 19/10/2012 19:39:05 - Installed HiJackThis
RP71: 19/10/2012 19:40:30 - Installed HiJackThis
RP72: 19/10/2012 20:38:28 - Installed Java 7 Update 9
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4) MUI
Advanced Audio FX Engine
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Fuel
AMD Media Foundation Decoders
AMD VISION Engine Control Center
ATI AVIVO64 Codecs
avast! Free Antivirus
Blio
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Profiles Mobile
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Cisco Systems VPN Client 5.0.07.0440
D3DX10
Defcon v1.6
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell Edoc Viewer
Dell Getting Started Guide
Dell MusicStage
Dell PhotoStage
Dell Product Registration
Dell Stage
Dell Stage Remote
Dell Support Center
Dell Touchpad
Dell VideoStage
Dell Webcam Central
Dell Wireless Driver Installation
DirectX 9 Runtime
DivX Codec
EA SPORTS Game Face Browser Plugin 1.5.3.0
Google Chrome
HiJackThis
IDT Audio
Java 7 Update 9
Java Auto Updater
Java(TM) 7 Update 1 (64-bit)
JavaFX 2.1.1
Junk Mail filter update
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Paint.NET v3.5.10
PhotoShowExpress
PlayReady PC Runtime x86
Quickset64
RBVirtualFolder64Inst
RCT3 Soaked
Realtek Ethernet Controller Driver
Realtek USB 2.0 Card Reader
RollerCoaster Tycoon® 3
Roxio Activation Module
Roxio BackOnTrack
Roxio Burn
Roxio Creator Starter
Roxio Express Labeler 3
Roxio File Backup
S.T.A.L.K.E.R. - Clear Sky [v1.0003]
S.W.A.T. 4
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Skype™ 5.10
Sonic CinePlayer Decoder Pack
SPORE™
Spotify
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VLC media player 2.0.0
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.20 beta 3 (64-bit)
XAMPP 1.7.7
.
==== Event Viewer Messages From Past Week ========
.
19/10/2012 20:46:25, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.
19/10/2012 20:46:01, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
19/10/2012 20:44:22, Error: Service Control Manager [7024] - The Apache2.2 service terminated with service-specific error Incorrect function..
19/10/2012 18:53:54, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.139.124.0).
19/10/2012 18:46:43, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: is3srv
19/10/2012 18:41:28, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 18:39:37, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 18:39:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
19/10/2012 18:39:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
19/10/2012 18:39:31, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
19/10/2012 18:39:24, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
19/10/2012 18:39:14, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache is3srv spldr Wanarpv6
19/10/2012 18:39:12, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 18:38:40, Error: sptd [4] - Driver detected an internal error in its data structures for .
19/10/2012 04:34:58, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
19/10/2012 02:38:36, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache spldr Wanarpv6
19/10/2012 01:35:01, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 01:35:00, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
19/10/2012 01:35:00, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
19/10/2012 01:34:02, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The Apache2.2 service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
19/10/2012 00:48:09, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
15/10/2012 13:16:45, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the STacSV service.
12/10/2012 13:47:42, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
.
==== End Of File ===========================


Thanks again,

Colin.
ColinL
Active Member
 
Posts: 12
Joined: October 19th, 2012, 2:51 pm
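The 7026 entries in the log excerpt above list a different set of failed drivers at each boot. The script below is an added example (mine, not part of Colin's post and not the DDS tool that produced the log) that parses a few constructed lines in the same layout, separates the drivers that fail at every recorded boot from the ones that fail only once, and flags boots where the kernel network stack (AFD, NetBT, tdx, nsiproxy) is absent as a block. Two assumptions are built in and labelled in the code: driver names beginning with "asw" are Avast components, and the whole network stack missing together is read as a Safe Mode boot without networking rather than as damage.

```python
import re

# Constructed sample in the same "date time, Level: Source [EventID] - message"
# layout as the event-log excerpt above; four lines, not the full log.
SAMPLE_LOG = """\
19/10/2012 18:39:14, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache is3srv spldr Wanarpv6
19/10/2012 02:38:36, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache spldr Wanarpv6
19/10/2012 01:34:02, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
19/10/2012 01:34:02, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)

# Assumption (heuristic): when these kernel network-stack drivers are all missing
# from one 7026 entry, that boot was Safe Mode without networking, not damage.
NETWORK_STACK = {"AFD", "NetBT", "tdx", "nsiproxy"}

# Assumption: driver names starting with "asw" belong to Avast.
AV_PREFIX = "asw"


def parse_events(text):
    """Turn the excerpt into dicts with ts, level, source, eid (int) and msg."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["eid"] = int(ev["eid"])
            events.append(ev)
    return events


def driver_failures(events):
    """Map each 7026 entry's timestamp to the set of drivers it says failed to load."""
    boots = {}
    for ev in events:
        if ev["eid"] == 7026 and "failed to load:" in ev["msg"]:
            names = ev["msg"].split("failed to load:", 1)[1].split()
            boots[ev["ts"]] = set(names)
    return boots


def persistent_failures(boots):
    """Drivers that failed at every recorded boot, so the boot mode does not explain them."""
    if not boots:
        return set()
    return set.intersection(*boots.values())


def av_drivers_down(boots):
    """The persistent failures that are antivirus kernel components."""
    return {d for d in persistent_failures(boots) if d.lower().startswith(AV_PREFIX)}


def safe_mode_like_boots(boots):
    """Timestamps of 7026 entries where the whole network stack failed together."""
    return sorted(ts for ts, drivers in boots.items() if NETWORK_STACK <= drivers)


if __name__ == "__main__":
    boots = driver_failures(parse_events(SAMPLE_LOG))
    print("persistent:", sorted(persistent_failures(boots)))
    print("antivirus drivers never loading:", sorted(av_drivers_down(boots)))
    print("safe-mode-like boots:", safe_mode_like_boots(boots))
```

The split matters because the one-off failures at 01:34:02 are accounted for by the boot mode while the persistent ones are not: on the sample, the persistent set is the three Avast drivers plus discache, spldr and Wanarpv6, and that is the list worth raising with the helper.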

Re: Metropolitan Police Ransomeware

Unread postby pgmigg » October 20th, 2012, 10:58 am

Hello ColinL,

Welcome to the forum! :)

My nickname is pgmigg and I'll be helping you with any malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights/permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process until we are done, and
    DO NOT remove, or scan with, anything on your system unless I ask. This adds more items to be researched.
    Extra Additions and Removals of files make the analysis more difficult.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  8. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!" :cheers:
    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions. In the meantime...

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


Failure to post replies within 72 hours will result in this thread being closed
pgmigg
MRU Teacher
 
Posts: 3181
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Metropolitan Police Ransomeware

Unread postby pgmigg » October 20th, 2012, 4:02 pm

Hello ColinL,

Step 1.
Create a System Restore Point
Because we are going to be making changes to your computer, it is advisable to create a new System Restore Point.
  1. Right-click on Computer and select Properties.
  2. In the left pane under Tasks please click System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  3. Select System Protection, then choose Create.
  4. In the System Restore dialog box, type a description for the restore point and then click Create again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  5. Click OK, then close the System Restore dialog.

If you have successfully created a System Restore Point... we can proceed.
If you have NOT successfully created a System Restore Point... do not go any further!
Please post back so we can determine why it was unsuccessful.


Step 2.
Remove Program(s)
  1. Click on Start, then click the Start Search box on the Start Menu.
  2. Copy and paste the value below without the word Code: into the open text entry box:
    Code:
     appwiz.cpl 
    and press Enter - the Uninstall or change a program list will be opened.
  3. Click each Entry, as follows, one by one, if it exists, choose Uninstall, and give permission to Continue:
    Java Auto Updater
    Java(TM) 7 Update 1 (64-bit)
  4. Take extra care in answering questions posed by any Uninstaller.
  5. When the program(s) have been uninstalled, please close Control Panel.
  6. Reboot your computer.

Step 3.
TDSSKiller - Rootkit Removal Tool - Scan only
Please download the TDSSKiller.exe by Kaspersky and save it to your Desktop. <-Important!!!
  1. Right click on TDSSKiller.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
    If TDSSKiller does not run, please rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. zarodinu.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Please select Skip instead of Cure (default).
  5. Then click Continue, then Close and then Close again.
  6. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory (usually Local Disk C:).
  7. Copy and paste the contents of that file in your next reply.

Step 4.
OTL - Download
Please download OTL.exe by Old Timer and save it to your Desktop.

Fresh OTL Scan
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Right click on OTL.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
  2. Under Output, ensure that Standard Output is selected.
  3. Check the boxes labeled:
    • Include 64 bit scans
    • Scan All Users
    • LOP check
    • Purity check
    • Extra Registry > Use SafeList
  4. Click on Run Scan at the top left hand corner.
  5. When done, two Notepad files will open.
    • OTL.txt <-- Will be opened, maximized
    • Extras.txt <-- Will be minimized on task bar.
  6. Please post the contents of both OTL.txt and Extras.txt files in your next reply.

Step 5.
SystemLook
Please download SystemLook_x64.exe by jpshortstuff and save it to your Desktop.
Alternate download site.
  1. Right click on SystemLook_x64.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
    If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.
  2. Highlight and copy the following entries into SystemLook's main text entry window:

    Code:
    :filefind
    *alotappbar*
    *Bandoo*
    *Blekko*
    *Conduit*
    *datamngr*
    *Fun4IM*
    *Funmoods*
    *iLivid*
    *IObit*
    *Searchnu*
    *Searchqu*
    *trolltech*
    *Vuze*
    *whitesmoke*
    *Yontoo*
    
    :folderfind
    *alotappbar*
    *Bandoo*
    *Blekko*
    *Conduit*
    *datamngr*
    *Fun4IM*
    *Funmoods*
    *iLivid*
    *IObit*
    *Searchnu*
    *Searchqu*
    *trolltech*
    *Vuze*
    *whitesmoke*
    *Yontoo*
    
    :Regfind
    alotappbar
    Bandoo
    Blekko
    Conduit
    datamngr
    Fun4IM
    Funmoods
    iLivid
    IObit
    Searchnu
    Searchqu
    trolltech
    Vuze
    whitesmoke
    Yontoo
    
  3. Press the Look button to start the scan.
    When finished, a Notepad window will open with the results of the scan.
    A file will be created (on your Desktop) with the results of the scan, named SystemLook.txt
  4. Please post the contents of the SystemLook.txt file in your next reply.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt log file
  3. Contents of a OTL.txt log file
  4. Contents of a Extras.txt log file
  5. Contents of the SystemLook.txt log file
  6. Do you see any changes in computer behavior?

Please do not hesitate to divide the post into multiple posts if it is too long...

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
MRU Teacher
 
Posts: 3181
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00
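SystemLook's three sections in Step 5 are one name search run over file names, folder names and the registry. As an added example (mine, not SystemLook and not anything from this thread), the script below does that search offline in Python with the fifteen names from the post: the file and folder halves walk a constructed throwaway directory tree, and the registry half reads a constructed .reg text export rather than the live hive, so it runs anywhere. Assumptions, also marked in the code: a `*name*` pattern means "anywhere in the name" and matching is case-insensitive as Windows names are; the CLSID in the sample's last key is a placeholder, not a real browser helper object.

```python
import os
import re
import tempfile

# The fifteen names from the SystemLook script in the post above.
ADWARE_NAMES = [
    "alotappbar", "Bandoo", "Blekko", "Conduit", "datamngr", "Fun4IM",
    "Funmoods", "iLivid", "IObit", "Searchnu", "Searchqu", "trolltech",
    "Vuze", "whitesmoke", "Yontoo",
]
# Assumption: *name* means "anywhere in the name", case-insensitive like Windows names.
NAME_RE = re.compile("|".join(re.escape(n) for n in ADWARE_NAMES), re.IGNORECASE)

# .reg export syntax: "[HKEY_...\path]" opens a key, '"name"=data' or '@=data' is a value.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<data>.*)$')


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def filefind(root):
    """Files under root whose name matches (the :filefind section)."""
    hits = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files if NAME_RE.search(f)]
    return sorted(_rel(h, root) for h in hits)


def folderfind(root):
    """Directories under root whose name matches (the :folderfind section)."""
    hits = [os.path.join(d, s) for d, subs, _ in os.walk(root) for s in subs if NAME_RE.search(s)]
    return sorted(_rel(h, root) for h in hits)


def regfind(reg_text):
    """The :Regfind section over a .reg export: (key, value name or None, part that matched)."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if NAME_RE.search(key):
                hits.append((key, None, "key"))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = m.group("name").strip('"')
            if NAME_RE.search(name):
                hits.append((key, name, "name"))
            elif NAME_RE.search(m.group("data")):
                hits.append((key, name, "data"))
    return hits


def build_sample_tree():
    """Constructed throwaway tree: two toolbar leftovers and two benign entries; returns its root."""
    root = tempfile.mkdtemp(prefix="systemlook_demo_")
    for rel in [
        ("Program Files (x86)", "Conduit", "Community Alerts", "Alert.dll"),
        ("Program Files (x86)", "Mozilla Firefox", "firefox.exe"),
        ("Users", "Jacklyn", "AppData", "Roaming", "Funmoods", "funmoodsApp.exe"),
        ("Users", "Jacklyn", "Downloads", "YontooSetup-Silent.exe"),
    ]:
        path = os.path.join(root, *rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


# Constructed .reg export; the all-zero CLSID in the last key is a placeholder, not a real BHO.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"Funmoods"="\"C:\\Users\\Jacklyn\\AppData\\Roaming\\Funmoods\\funmoodsApp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
@="Yontoo"
'''


if __name__ == "__main__":
    root = build_sample_tree()
    print("folders:", folderfind(root))
    print("files:  ", filefind(root))
    for key, name, part in regfind(REG_SAMPLE):
        print(f"registry ({part}): {key} :: {name}")
```

The registry half reports which part matched (key path, value name, or value data) because the three mean different things for cleanup: a matching key is the product's own settings, a matching value name under a Run key is an autostart, and a match in value data only (the Yontoo BHO here) is a reference from an otherwise anonymous key, which is exactly the kind of entry a plain key-name search misses.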

Re: Metropolitan Police Ransomeware

Unread postby ColinL » October 21st, 2012, 1:34 pm

Hi there,

Sorry it took so long; the 3rd scan kept hanging my machine.

No change as far as I can see, the popup still appears on startup saying IE is trying to launch.

Logs:

TDSSKiller.2.8.13.0_21.10.2012_17.34.38_log

17:34:38.0049 6668 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
17:34:38.0574 6668 ============================================================
17:34:38.0574 6668 Current date / time: 2012/10/21 17:34:38.0574
17:34:38.0574 6668 SystemInfo:
17:34:38.0574 6668
17:34:38.0575 6668 OS Version: 6.1.7601 ServicePack: 1.0
17:34:38.0575 6668 Product type: Workstation
17:34:38.0575 6668 ComputerName: JACKLYN-PC
17:34:38.0576 6668 UserName: Jacklyn
17:34:38.0576 6668 Windows directory: C:\windows
17:34:38.0576 6668 System windows directory: C:\windows
17:34:38.0576 6668 Running under WOW64
17:34:38.0576 6668 Processor architecture: Intel x64
17:34:38.0576 6668 Number of processors: 2
17:34:38.0576 6668 Page size: 0x1000
17:34:38.0576 6668 Boot type: Normal boot
17:34:38.0576 6668 ============================================================
17:34:39.0762 6668 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
17:34:39.0779 6668 ============================================================
17:34:39.0779 6668 \Device\Harddisk0\DR0:
17:34:39.0780 6668 MBR partitions:
17:34:39.0780 6668 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D4C000
17:34:39.0780 6668 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D7E800, BlocksNum 0x38607030
17:34:39.0780 6668 ============================================================
17:34:39.0805 6668 C: <-> \Device\Harddisk0\DR0\Partition2
17:34:39.0805 6668 ============================================================
17:34:39.0805 6668 Initialize success
17:34:39.0805 6668 ============================================================
17:34:41.0892 6888 ============================================================
17:34:41.0892 6888 Scan started
17:34:41.0892 6888 Mode: Manual;
17:34:41.0893 6888 ============================================================
17:34:42.0693 6888 ================ Scan system memory ========================
17:34:42.0693 6888 System memory - ok
17:34:42.0695 6888 ================ Scan services =============================
17:34:44.0015 6888 [ A87D604AEA360176311474C87A63BB88 ] 1394ohci C:\windows\system32\drivers\1394ohci.sys
17:34:44.0022 6888 1394ohci - ok
17:34:44.0056 6888 [ D81D9E70B8A6DD14D42D7B4EFA65D5F2 ] ACPI C:\windows\system32\drivers\ACPI.sys
17:34:44.0065 6888 ACPI - ok
17:34:44.0088 6888 [ 99F8E788246D495CE3794D7E7821D2CA ] AcpiPmi C:\windows\system32\drivers\acpipmi.sys
17:34:44.0091 6888 AcpiPmi - ok
17:34:44.0272 6888 [ D19C4EE2AC7C47B8F5F84FFF1A789D8A ] AdobeARMservice C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
17:34:44.0278 6888 AdobeARMservice - ok
17:34:44.0426 6888 [ 44C00A385CA9DBC1D5CF3781F8C26AEA ] AdobeFlashPlayerUpdateSvc C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
17:34:44.0433 6888 AdobeFlashPlayerUpdateSvc - ok
17:34:44.0491 6888 [ 2F6B34B83843F0C5118B63AC634F5BF4 ] adp94xx C:\windows\system32\drivers\adp94xx.sys
17:34:44.0512 6888 adp94xx - ok
17:34:44.0539 6888 [ 597F78224EE9224EA1A13D6350CED962 ] adpahci C:\windows\system32\drivers\adpahci.sys
17:34:44.0547 6888 adpahci - ok
17:34:44.0587 6888 [ E109549C90F62FB570B9540C4B148E54 ] adpu320 C:\windows\system32\drivers\adpu320.sys
17:34:44.0594 6888 adpu320 - ok
17:34:44.0642 6888 [ 4B78B431F225FD8624C5655CB1DE7B61 ] AeLookupSvc C:\windows\System32\aelupsvc.dll
17:34:44.0646 6888 AeLookupSvc - ok
17:34:44.0781 6888 [ A6FB9DB8F1A86861D955FD6975977AE0 ] AESTFilters C:\Program Files\IDT\WDM\AESTSr64.exe
17:34:44.0788 6888 AESTFilters - ok
17:34:44.0854 6888 [ 1C7857B62DE5994A75B054A9FD4C3825 ] AFD C:\windows\system32\drivers\afd.sys
17:34:44.0877 6888 AFD - ok
17:34:44.0920 6888 [ 608C14DBA7299D8CB6ED035A68A15799 ] agp440 C:\windows\system32\drivers\agp440.sys
17:34:44.0925 6888 agp440 - ok
17:34:44.0960 6888 [ 3290D6946B5E30E70414990574883DDB ] ALG C:\windows\System32\alg.exe
17:34:44.0964 6888 ALG - ok
17:34:44.0991 6888 [ 5812713A477A3AD7363C7438CA2EE038 ] aliide C:\windows\system32\drivers\aliide.sys
17:34:44.0994 6888 aliide - ok
17:34:45.0042 6888 [ 9CCAF5CCD848F8D77CD18DAA51F9C987 ] AMD External Events Utility C:\windows\system32\atiesrxx.exe
17:34:45.0048 6888 AMD External Events Utility - ok
17:34:45.0104 6888 AMD FUEL Service - ok
17:34:45.0139 6888 [ 1FF8B4431C353CE385C875F194924C0C ] amdide C:\windows\system32\drivers\amdide.sys
17:34:45.0143 6888 amdide - ok
17:34:45.0170 6888 [ 6A2EEB0C4133B20773BB3DD0B7B377B4 ] amdiox64 C:\windows\system32\DRIVERS\amdiox64.sys
17:34:45.0174 6888 amdiox64 - ok
17:34:45.0212 6888 [ 7024F087CFF1833A806193EF9D22CDA9 ] AmdK8 C:\windows\system32\drivers\amdk8.sys
17:34:45.0216 6888 AmdK8 - ok
17:34:45.0650 6888 [ 8BD152EAAEFEB8667E7E43FD8CAC3642 ] amdkmdag C:\windows\system32\DRIVERS\atikmdag.sys
17:34:45.0913 6888 amdkmdag - ok
17:34:46.0048 6888 [ 4112266BD3949EBE9B0B8AB198D3D0EE ] amdkmdap C:\windows\system32\DRIVERS\atikmpag.sys
17:34:46.0056 6888 amdkmdap - ok
17:34:46.0135 6888 [ 1E56388B3FE0D031C44144EB8C4D6217 ] AmdPPM C:\windows\system32\DRIVERS\amdppm.sys
17:34:46.0141 6888 AmdPPM - ok
17:34:46.0174 6888 [ D4121AE6D0C0E7E13AA221AA57EF2D49 ] amdsata C:\windows\system32\drivers\amdsata.sys
17:34:46.0180 6888 amdsata - ok
17:34:46.0219 6888 [ F67F933E79241ED32FF46A4F29B5120B ] amdsbs C:\windows\system32\drivers\amdsbs.sys
17:34:46.0226 6888 amdsbs - ok
17:34:46.0249 6888 [ 540DAF1CEA6094886D72126FD7C33048 ] amdxata C:\windows\system32\drivers\amdxata.sys
17:34:46.0254 6888 amdxata - ok
17:34:46.0280 6888 [ BB4FE7889DB9CBBE61A308E99697F53C ] amd_sata C:\windows\system32\DRIVERS\amd_sata.sys
17:34:46.0283 6888 amd_sata - ok
17:34:46.0332 6888 [ 5631CBA53F1CBEA3F9E88348E6723391 ] amd_xata C:\windows\system32\DRIVERS\amd_xata.sys
17:34:46.0342 6888 amd_xata - ok
17:34:46.0463 6888 [ F41E453A90EF19217CEE1675F5256EE7 ] Apache2.2 c:\xampp\apache\bin\httpd.exe
17:34:46.0470 6888 Apache2.2 - ok
17:34:46.0532 6888 [ 6690E42CED5D067233ABAD42DA141213 ] ApfiltrService C:\windows\system32\DRIVERS\Apfiltr.sys
17:34:46.0544 6888 ApfiltrService - ok
17:34:46.0605 6888 [ 89A69C3F2F319B43379399547526D952 ] AppID C:\windows\system32\drivers\appid.sys
17:34:46.0611 6888 AppID - ok
17:34:46.0651 6888 [ 0BC381A15355A3982216F7172F545DE1 ] AppIDSvc C:\windows\System32\appidsvc.dll
17:34:46.0659 6888 AppIDSvc - ok
17:34:46.0693 6888 [ 3977D4A871CA0D4F2ED1E7DB46829731 ] Appinfo C:\windows\System32\appinfo.dll
17:34:46.0697 6888 Appinfo - ok
17:34:46.0713 6888 [ C484F8CEB1717C540242531DB7845C4E ] arc C:\windows\system32\drivers\arc.sys
17:34:46.0718 6888 arc - ok
17:34:46.0742 6888 [ 019AF6924AEFE7839F61C830227FE79C ] arcsas C:\windows\system32\drivers\arcsas.sys
17:34:46.0747 6888 arcsas - ok
17:34:47.0191 6888 [ 9217D874131AE6FF8F642F124F00A555 ] aspnet_state C:\windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
17:34:47.0195 6888 aspnet_state - ok
17:34:47.0243 6888 [ 55142B4F7A7E4C9C151C6000A6BF7809 ] aswFsBlk C:\windows\system32\drivers\aswFsBlk.sys
17:34:47.0247 6888 aswFsBlk - ok
17:34:47.0278 6888 [ AA9FDE3D630160B47DAB21BF8250111C ] aswMonFlt C:\windows\system32\drivers\aswMonFlt.sys
17:34:47.0283 6888 aswMonFlt - ok
17:34:47.0313 6888 [ 2A6675C24DF5159A9506CD13ECE5ABE9 ] aswRdr C:\windows\System32\Drivers\aswrdr2.sys
17:34:47.0317 6888 aswRdr - ok
17:34:47.0359 6888 [ 4E38475BDB51A867CCBA7D5DF7FDFC0C ] aswSnx C:\windows\system32\drivers\aswSnx.sys
17:34:47.0393 6888 aswSnx - ok
17:34:47.0443 6888 [ 9A49D80D65451AF22913AEF772CC3DA9 ] aswSP C:\windows\system32\drivers\aswSP.sys
17:34:47.0475 6888 aswSP - ok
17:34:47.0496 6888 [ C3EC420451AC5300A22190AE38418FBA ] aswTdi C:\windows\system32\drivers\aswTdi.sys
17:34:47.0500 6888 aswTdi - ok
17:34:47.0524 6888 [ 769765CE2CC62867468CEA93969B2242 ] AsyncMac C:\windows\system32\DRIVERS\asyncmac.sys
17:34:47.0530 6888 AsyncMac - ok
17:34:47.0550 6888 [ 02062C0B390B7729EDC9E69C680A6F3C ] atapi C:\windows\system32\drivers\atapi.sys
17:34:47.0553 6888 atapi - ok
17:34:47.0684 6888 [ 5493ED5D300AFC7A9A0A87FCA08E5381 ] athr C:\windows\system32\DRIVERS\athrx.sys
17:34:47.0766 6888 athr - ok
17:34:47.0825 6888 [ DBB487D09F56C674430AC454FD8BCAB9 ] AtiHDAudioService C:\windows\system32\drivers\AtihdW76.sys
17:34:47.0833 6888 AtiHDAudioService - ok
17:34:47.0889 6888 [ F23FEF6D569FCE88671949894A8BECF1 ] AudioEndpointBuilder C:\windows\System32\Audiosrv.dll
17:34:47.0923 6888 AudioEndpointBuilder - ok
17:34:47.0955 6888 [ F23FEF6D569FCE88671949894A8BECF1 ] AudioSrv C:\windows\System32\Audiosrv.dll
17:34:47.0965 6888 AudioSrv - ok
17:34:48.0040 6888 [ 04AC21E821F259845BD7367CEE057290 ] avast! Antivirus C:\Program Files\AVAST Software\Avast\AvastSvc.exe
17:34:48.0042 6888 avast! Antivirus - ok
17:34:48.0123 6888 [ A6BF31A71B409DFA8CAC83159E1E2AFF ] AxInstSV C:\windows\System32\AxInstSV.dll
17:34:48.0129 6888 AxInstSV - ok
17:34:48.0181 6888 [ 3E5B191307609F7514148C6832BB0842 ] b06bdrv C:\windows\system32\drivers\bxvbda.sys
17:34:48.0216 6888 b06bdrv - ok
17:34:48.0263 6888 [ B5ACE6968304A3900EEB1EBFD9622DF2 ] b57nd60a C:\windows\system32\DRIVERS\b57nd60a.sys
17:34:48.0271 6888 b57nd60a - ok
17:34:48.0342 6888 [ FDE360167101B4E45A96F939F388AEB0 ] BDESVC C:\windows\System32\bdesvc.dll
17:34:48.0350 6888 BDESVC - ok
17:34:48.0385 6888 [ 16A47CE2DECC9B099349A5F840654746 ] Beep C:\windows\system32\drivers\Beep.sys
17:34:48.0391 6888 Beep - ok
17:34:48.0434 6888 [ 82974D6A2FD19445CC5171FC378668A4 ] BFE C:\windows\System32\bfe.dll
17:34:48.0494 6888 BFE - ok
17:34:48.0578 6888 [ 1EA7969E3271CBC59E1730697DC74682 ] BITS C:\windows\System32\qmgr.dll
17:34:48.0623 6888 BITS - ok
17:34:48.0664 6888 [ 61583EE3C3A17003C4ACD0475646B4D3 ] blbdrive C:\windows\system32\DRIVERS\blbdrive.sys
17:34:48.0669 6888 blbdrive - ok
17:34:48.0711 6888 [ 6C02A83164F5CC0A262F4199F0871CF5 ] bowser C:\windows\system32\DRIVERS\bowser.sys
17:34:48.0715 6888 bowser - ok
17:34:48.0739 6888 [ F09EEE9EDC320B5E1501F749FDE686C8 ] BrFiltLo C:\windows\system32\drivers\BrFiltLo.sys
17:34:48.0743 6888 BrFiltLo - ok
17:34:48.0773 6888 [ B114D3098E9BDB8BEA8B053685831BE6 ] BrFiltUp C:\windows\system32\drivers\BrFiltUp.sys
17:34:48.0777 6888 BrFiltUp - ok
17:34:48.0811 6888 [ 05F5A0D14A2EE1D8255C2AA0E9E8E694 ] Browser C:\windows\System32\browser.dll
17:34:48.0818 6888 Browser - ok
17:34:48.0851 6888 [ 43BEA8D483BF1870F018E2D02E06A5BD ] Brserid C:\windows\System32\Drivers\Brserid.sys
17:34:48.0874 6888 Brserid - ok
17:34:48.0887 6888 [ A6ECA2151B08A09CACECA35C07F05B42 ] BrSerWdm C:\windows\System32\Drivers\BrSerWdm.sys
17:34:48.0892 6888 BrSerWdm - ok
17:34:48.0905 6888 [ B79968002C277E869CF38BD22CD61524 ] BrUsbMdm C:\windows\System32\Drivers\BrUsbMdm.sys
17:34:48.0909 6888 BrUsbMdm - ok
17:34:48.0923 6888 [ A87528880231C54E75EA7A44943B38BF ] BrUsbSer C:\windows\System32\Drivers\BrUsbSer.sys
17:34:48.0927 6888 BrUsbSer - ok
17:34:48.0976 6888 [ CF98190A94F62E405C8CB255018B2315 ] BthEnum C:\windows\system32\drivers\BthEnum.sys
17:34:48.0981 6888 BthEnum - ok
17:34:49.0011 6888 [ 9DA669F11D1F894AB4EB69BF546A42E8 ] BTHMODEM C:\windows\system32\drivers\bthmodem.sys
17:34:49.0016 6888 BTHMODEM - ok
17:34:49.0033 6888 [ 02DD601B708DD0667E1331FA8518E9FF ] BthPan C:\windows\system32\DRIVERS\bthpan.sys
17:34:49.0038 6888 BthPan - ok
17:34:49.0084 6888 [ 738D0E9272F59EB7A1449C3EC118E6C4 ] BTHPORT C:\windows\System32\Drivers\BTHport.sys
17:34:49.0107 6888 BTHPORT - ok
17:34:49.0169 6888 [ 95F9C2976059462CBBF227F7AAB10DE9 ] bthserv C:\windows\system32\bthserv.dll
17:34:49.0178 6888 bthserv - ok
17:34:49.0223 6888 [ F188B7394D81010767B6DF3178519A37 ] BTHUSB C:\windows\System32\Drivers\BTHUSB.sys
17:34:49.0228 6888 BTHUSB - ok
17:34:49.0257 6888 [ B8BD2BB284668C84865658C77574381A ] cdfs C:\windows\system32\DRIVERS\cdfs.sys
17:34:49.0262 6888 cdfs - ok
17:34:49.0301 6888 [ F036CE71586E93D94DAB220D7BDF4416 ] cdrom C:\windows\system32\DRIVERS\cdrom.sys
17:34:49.0312 6888 cdrom - ok
17:34:49.0346 6888 [ F17D1D393BBC69C5322FBFAFACA28C7F ] CertPropSvc C:\windows\System32\certprop.dll
17:34:49.0351 6888 CertPropSvc - ok
17:34:49.0373 6888 [ D7CD5C4E1B71FA62050515314CFB52CF ] circlass C:\windows\system32\drivers\circlass.sys
17:34:49.0378 6888 circlass - ok
17:34:49.0411 6888 [ FE1EC06F2253F691FE36217C592A0206 ] CLFS C:\windows\system32\CLFS.sys
17:34:49.0421 6888 CLFS - ok
17:34:49.0531 6888 [ D88040F816FDA31C3B466F0FA0918F29 ] clr_optimization_v2.0.50727_32 C:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:34:49.0536 6888 clr_optimization_v2.0.50727_32 - ok
17:34:49.0596 6888 [ D1CEEA2B47CB998321C579651CE3E4F8 ] clr_optimization_v2.0.50727_64 C:\windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
17:34:49.0602 6888 clr_optimization_v2.0.50727_64 - ok
17:34:49.0673 6888 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
17:34:49.0679 6888 clr_optimization_v4.0.30319_32 - ok
17:34:49.0711 6888 [ C6F9AF94DCD58122A4D7E89DB6BED29D ] clr_optimization_v4.0.30319_64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
17:34:49.0717 6888 clr_optimization_v4.0.30319_64 - ok
17:34:49.0756 6888 [ 0840155D0BDDF1190F84A663C284BD33 ] CmBatt C:\windows\system32\DRIVERS\CmBatt.sys
17:34:49.0760 6888 CmBatt - ok
17:34:49.0783 6888 [ E19D3F095812725D88F9001985B94EDD ] cmdide C:\windows\system32\drivers\cmdide.sys
17:34:49.0787 6888 cmdide - ok
17:34:49.0829 6888 [ 9AC4F97C2D3E93367E2148EA940CD2CD ] CNG C:\windows\system32\Drivers\cng.sys
17:34:49.0847 6888 CNG - ok
17:34:49.0898 6888 [ 102DE219C3F61415F964C88E9085AD14 ] Compbatt C:\windows\system32\drivers\compbatt.sys
17:34:49.0902 6888 Compbatt - ok
17:34:49.0930 6888 [ 03EDB043586CCEBA243D689BDDA370A8 ] CompositeBus C:\windows\system32\DRIVERS\CompositeBus.sys
17:34:49.0934 6888 CompositeBus - ok
17:34:49.0948 6888 COMSysApp - ok
17:34:49.0973 6888 [ 1C827878A998C18847245FE1F34EE597 ] crcdisk C:\windows\system32\drivers\crcdisk.sys
17:34:49.0979 6888 crcdisk - ok
17:34:50.0024 6888 [ 9C01375BE382E834CC26D1B7EAF2C4FE ] CryptSvc C:\windows\system32\cryptsvc.dll
17:34:50.0031 6888 CryptSvc - ok
17:34:50.0083 6888 [ BC3D4F90978CD7C8EABD1BAF3BF7873A ] CtClsFlt C:\windows\system32\DRIVERS\CtClsFlt.sys
17:34:50.0092 6888 CtClsFlt - ok
17:34:50.0203 6888 [ 72794D112CBAFF3BC0C29BF7350D4741 ] cvhsvc C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
17:34:50.0219 6888 cvhsvc - ok
17:34:50.0264 6888 [ 44BDDEB03C84A1C993C992FFB5700357 ] CVirtA C:\windows\system32\DRIVERS\CVirtA64.sys
17:34:50.0269 6888 CVirtA - ok
17:34:50.0361 6888 [ 98C413E1A2FB6E5A4C101C25B3D0B275 ] CVPND C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
17:34:50.0407 6888 CVPND - ok
17:34:50.0442 6888 [ 79AF0E203D089AF442A3F70ED00A37FB ] CVPNDRVA C:\windows\system32\Drivers\CVPNDRVA.sys
17:34:50.0451 6888 CVPNDRVA - ok
17:34:50.0519 6888 [ 5C627D1B1138676C0A7AB2C2C190D123 ] DcomLaunch C:\windows\system32\rpcss.dll
17:34:50.0536 6888 DcomLaunch - ok
17:34:50.0580 6888 [ 3CEC7631A84943677AA8FA8EE5B6B43D ] defragsvc C:\windows\System32\defragsvc.dll
17:34:50.0590 6888 defragsvc - ok
17:34:50.0632 6888 [ 9BB2EF44EAA163B29C4A4587887A0FE4 ] DfsC C:\windows\system32\Drivers\dfsc.sys
17:34:50.0637 6888 DfsC - ok
17:34:50.0694 6888 [ 43D808F5D9E1A18E5EEB5EBC83969E4E ] Dhcp C:\windows\system32\dhcpcore.dll
17:34:50.0707 6888 Dhcp - ok
17:34:50.0752 6888 [ 13096B05847EC78F0977F2C0F79E9AB3 ] discache C:\windows\system32\drivers\discache.sys
17:34:50.0759 6888 discache - ok
17:34:50.0798 6888 [ 9819EEE8B5EA3784EC4AF3B137A5244C ] Disk C:\windows\system32\drivers\disk.sys
17:34:50.0806 6888 Disk - ok
17:34:50.0849 6888 [ 05CB5910B3CA6019FC3CCA815EE06FFB ] DNE C:\windows\system32\DRIVERS\dne64x.sys
17:34:50.0856 6888 DNE - ok
17:34:50.0903 6888 [ 16835866AAA693C7D7FCEBA8FFF706E4 ] Dnscache C:\windows\System32\dnsrslvr.dll
17:34:50.0911 6888 Dnscache - ok
17:34:50.0973 6888 [ B1FB3DDCA0FDF408750D5843591AFBC6 ] dot3svc C:\windows\System32\dot3svc.dll
17:34:50.0982 6888 dot3svc - ok
17:34:50.0997 6888 [ B26F4F737E8F9DF4F31AF6CF31D05820 ] DPS C:\windows\system32\dps.dll
17:34:51.0004 6888 DPS - ok
17:34:51.0062 6888 [ 9B19F34400D24DF84C858A421C205754 ] drmkaud C:\windows\system32\drivers\drmkaud.sys
17:34:51.0066 6888 drmkaud - ok
17:34:51.0113 6888 [ F5BEE30450E18E6B83A5012C100616FD ] DXGKrnl C:\windows\System32\drivers\dxgkrnl.sys
17:34:51.0147 6888 DXGKrnl - ok
17:34:51.0197 6888 [ E2DDA8726DA9CB5B2C4000C9018A9633 ] EapHost C:\windows\System32\eapsvc.dll
17:34:51.0205 6888 EapHost - ok
17:34:51.0320 6888 [ DC5D737F51BE844D8C82C695EB17372F ] ebdrv C:\windows\system32\drivers\evbda.sys
17:34:51.0421 6888 ebdrv - ok
17:34:51.0450 6888 [ C118A82CD78818C29AB228366EBF81C3 ] EFS C:\windows\System32\lsass.exe
17:34:51.0459 6888 EFS - ok
17:34:51.0520 6888 [ C4002B6B41975F057D98C439030CEA07 ] ehRecvr C:\windows\ehome\ehRecvr.exe
17:34:51.0546 6888 ehRecvr - ok
17:34:51.0571 6888 [ 4705E8EF9934482C5BB488CE28AFC681 ] ehSched C:\windows\ehome\ehsched.exe
17:34:51.0580 6888 ehSched - ok
17:34:51.0629 6888 [ 0E5DA5369A0FCAEA12456DD852545184 ] elxstor C:\windows\system32\drivers\elxstor.sys
17:34:51.0650 6888 elxstor - ok
17:34:51.0673 6888 [ 34A3C54752046E79A126E15C51DB409B ] ErrDev C:\windows\system32\drivers\errdev.sys
17:34:51.0677 6888 ErrDev - ok
17:34:51.0736 6888 [ 4166F82BE4D24938977DD1746BE9B8A0 ] EventSystem C:\windows\system32\es.dll
17:34:51.0759 6888 EventSystem - ok
17:34:51.0796 6888 [ A510C654EC00C1E9BDD91EEB3A59823B ] exfat C:\windows\system32\drivers\exfat.sys
17:34:51.0807 6888 exfat - ok
17:34:51.0833 6888 [ 0ADC83218B66A6DB380C330836F3E36D ] fastfat C:\windows\system32\drivers\fastfat.sys
17:34:51.0842 6888 fastfat - ok
17:34:51.0889 6888 [ DBEFD454F8318A0EF691FDD2EAAB44EB ] Fax C:\windows\system32\fxssvc.exe
17:34:51.0925 6888 Fax - ok
17:34:51.0950 6888 [ D765D19CD8EF61F650C384F62FAC00AB ] fdc C:\windows\system32\drivers\fdc.sys
17:34:51.0954 6888 fdc - ok
17:34:51.0980 6888 [ 0438CAB2E03F4FB61455A7956026FE86 ] fdPHost C:\windows\system32\fdPHost.dll
17:34:51.0985 6888 fdPHost - ok
17:34:52.0002 6888 [ 802496CB59A30349F9A6DD22D6947644 ] FDResPub C:\windows\system32\fdrespub.dll
17:34:52.0013 6888 FDResPub - ok
17:34:52.0094 6888 [ 655661BE46B5F5F3FD454E2C3095B930 ] FileInfo C:\windows\system32\drivers\fileinfo.sys
17:34:52.0098 6888 FileInfo - ok
17:34:52.0135 6888 [ 5F671AB5BC87EEA04EC38A6CD5962A47 ] Filetrace C:\windows\system32\drivers\filetrace.sys
17:34:52.0141 6888 Filetrace - ok
17:34:52.0176 6888 [ C172A0F53008EAEB8EA33FE10E177AF5 ] flpydisk C:\windows\system32\drivers\flpydisk.sys
17:34:52.0180 6888 flpydisk - ok
17:34:52.0216 6888 [ DA6B67270FD9DB3697B20FCE94950741 ] FltMgr C:\windows\system32\drivers\fltmgr.sys
17:34:52.0227 6888 FltMgr - ok
17:34:52.0322 6888 [ 5C4CB4086FB83115B153E47ADD961A0C ] FontCache C:\windows\system32\FntCache.dll
17:34:52.0364 6888 FontCache - ok
17:34:52.0432 6888 [ A8B7F3818AB65695E3A0BB3279F6DCE6 ] FontCache3.0.0.0 C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
17:34:52.0441 6888 FontCache3.0.0.0 - ok
17:34:52.0481 6888 [ D43703496149971890703B4B1B723EAC ] FsDepends C:\windows\system32\drivers\FsDepends.sys
17:34:52.0485 6888 FsDepends - ok
17:34:52.0512 6888 [ 6BD9295CC032DD3077C671FCCF579A7B ] Fs_Rec C:\windows\system32\drivers\Fs_Rec.sys
17:34:52.0523 6888 Fs_Rec - ok
17:34:52.0566 6888 [ 1F7B25B858FA27015169FE95E54108ED ] fvevol C:\windows\system32\DRIVERS\fvevol.sys
17:34:52.0575 6888 fvevol - ok
17:34:52.0603 6888 [ 8C778D335C9D272CFD3298AB02ABE3B6 ] gagp30kx C:\windows\system32\drivers\gagp30kx.sys
17:34:52.0608 6888 gagp30kx - ok
17:34:52.0652 6888 [ 277BBC7E1AA1EE957F573A10ECA7EF3A ] gpsvc C:\windows\System32\gpsvc.dll
17:34:52.0697 6888 gpsvc - ok
17:34:52.0720 6888 [ F2523EF6460FC42405B12248338AB2F0 ] hcw85cir C:\windows\system32\drivers\hcw85cir.sys
17:34:52.0727 6888 hcw85cir - ok
17:34:52.0768 6888 [ 975761C778E33CD22498059B91E7373A ] HdAudAddService C:\windows\system32\drivers\HdAudio.sys
17:34:52.0778 6888 HdAudAddService - ok
17:34:52.0807 6888 [ 97BFED39B6B79EB12CDDBFEED51F56BB ] HDAudBus C:\windows\system32\DRIVERS\HDAudBus.sys
17:34:52.0812 6888 HDAudBus - ok
17:34:52.0834 6888 [ 78E86380454A7B10A5EB255DC44A355F ] HidBatt C:\windows\system32\drivers\HidBatt.sys
17:34:52.0840 6888 HidBatt - ok
17:34:52.0853 6888 [ 7FD2A313F7AFE5C4DAB14798C48DD104 ] HidBth C:\windows\system32\drivers\hidbth.sys
17:34:52.0861 6888 HidBth - ok
17:34:52.0882 6888 [ 0A77D29F311B88CFAE3B13F9C1A73825 ] HidIr C:\windows\system32\drivers\hidir.sys
17:34:52.0892 6888 HidIr - ok
17:34:52.0917 6888 [ BD9EB3958F213F96B97B1D897DEE006D ] hidserv C:\windows\system32\hidserv.dll
17:34:52.0925 6888 hidserv - ok
17:34:52.0960 6888 [ 9592090A7E2B61CD582B612B6DF70536 ] HidUsb C:\windows\system32\DRIVERS\hidusb.sys
17:34:52.0966 6888 HidUsb - ok
17:34:53.0007 6888 [ 387E72E739E15E3D37907A86D9FF98E2 ] hkmsvc C:\windows\system32\kmsvc.dll
17:34:53.0015 6888 hkmsvc - ok
17:34:53.0038 6888 [ EFDFB3DD38A4376F93E7985173813ABD ] HomeGroupListener C:\windows\system32\ListSvc.dll
17:34:53.0048 6888 HomeGroupListener - ok
17:34:53.0083 6888 [ 908ACB1F594274965A53926B10C81E89 ] HomeGroupProvider C:\windows\system32\provsvc.dll
17:34:53.0097 6888 HomeGroupProvider - ok
17:34:53.0140 6888 [ 39D2ABCD392F3D8A6DCE7B60AE7B8EFC ] HpSAMD C:\windows\system32\drivers\HpSAMD.sys
17:34:53.0145 6888 HpSAMD - ok
17:34:53.0196 6888 [ 0EA7DE1ACB728DD5A369FD742D6EEE28 ] HTTP C:\windows\system32\drivers\HTTP.sys
17:34:53.0225 6888 HTTP - ok
17:34:53.0245 6888 [ A5462BD6884960C9DC85ED49D34FF392 ] hwpolicy C:\windows\system32\drivers\hwpolicy.sys
17:34:53.0249 6888 hwpolicy - ok
17:34:53.0282 6888 [ FA55C73D4AFFA7EE23AC4BE53B4592D3 ] i8042prt C:\windows\system32\DRIVERS\i8042prt.sys
17:34:53.0288 6888 i8042prt - ok
17:34:53.0318 6888 [ AAAF44DB3BD0B9D1FB6969B23ECC8366 ] iaStorV C:\windows\system32\drivers\iaStorV.sys
17:34:53.0343 6888 iaStorV - ok
17:34:53.0438 6888 [ 5988FC40F8DB5B0739CD1E3A5D0D78BD ] idsvc C:\windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
17:34:53.0479 6888 idsvc - ok
17:34:53.0525 6888 [ 5C18831C61933628F5BB0EA2675B9D21 ] iirsp C:\windows\system32\drivers\iirsp.sys
17:34:53.0529 6888 iirsp - ok
17:34:53.0577 6888 [ FCD84C381E0140AF901E58D48882D26B ] IKEEXT C:\windows\System32\ikeext.dll
17:34:53.0610 6888 IKEEXT - ok
17:34:53.0627 6888 [ F00F20E70C6EC3AA366910083A0518AA ] intelide C:\windows\system32\drivers\intelide.sys
17:34:53.0630 6888 intelide - ok
17:34:53.0648 6888 [ ADA036632C664CAA754079041CF1F8C1 ] intelppm C:\windows\system32\drivers\intelppm.sys
17:34:53.0659 6888 intelppm - ok
17:34:53.0692 6888 [ 098A91C54546A3B878DAD6A7E90A455B ] IPBusEnum C:\windows\system32\ipbusenum.dll
17:34:53.0700 6888 IPBusEnum - ok
17:34:53.0714 6888 [ C9F0E1BD74365A8771590E9008D22AB6 ] IpFilterDriver C:\windows\system32\DRIVERS\ipfltdrv.sys
17:34:53.0719 6888 IpFilterDriver - ok
17:34:53.0751 6888 [ A34A587FFFD45FA649FBA6D03784D257 ] iphlpsvc C:\windows\System32\iphlpsvc.dll
17:34:53.0766 6888 iphlpsvc - ok
17:34:53.0805 6888 [ 0FC1AEA580957AA8817B8F305D18CA3A ] IPMIDRV C:\windows\system32\drivers\IPMIDrv.sys
17:34:53.0809 6888 IPMIDRV - ok
17:34:53.0861 6888 [ AF9B39A7E7B6CAA203B3862582E9F2D0 ] IPNAT C:\windows\system32\drivers\ipnat.sys
17:34:53.0872 6888 IPNAT - ok
17:34:53.0900 6888 [ 3ABF5E7213EB28966D55D58B515D5CE9 ] IRENUM C:\windows\system32\drivers\irenum.sys
17:34:53.0904 6888 IRENUM - ok
17:34:53.0917 6888 [ 2F7B28DC3E1183E5EB418DF55C204F38 ] isapnp C:\windows\system32\drivers\isapnp.sys
17:34:53.0924 6888 isapnp - ok
17:34:53.0948 6888 [ D931D7309DEB2317035B07C9F9E6B0BD ] iScsiPrt C:\windows\system32\drivers\msiscsi.sys
17:34:53.0958 6888 iScsiPrt - ok
17:34:53.0980 6888 [ BC02336F1CBA7DCC7D1213BB588A68A5 ] kbdclass C:\windows\system32\DRIVERS\kbdclass.sys
17:34:53.0984 6888 kbdclass - ok
17:34:54.0023 6888 [ 0705EFF5B42A9DB58548EEC3B26BB484 ] kbdhid C:\windows\system32\drivers\kbdhid.sys
17:34:54.0028 6888 kbdhid - ok
17:34:54.0058 6888 [ C118A82CD78818C29AB228366EBF81C3 ] KeyIso C:\windows\system32\lsass.exe
17:34:54.0064 6888 KeyIso - ok
17:34:54.0102 6888 [ 97A7070AEA4C058B6418519E869A63B4 ] KSecDD C:\windows\system32\Drivers\ksecdd.sys
17:34:54.0109 6888 KSecDD - ok
17:34:54.0131 6888 [ 26C43A7C2862447EC59DEDA188D1DA07 ] KSecPkg C:\windows\system32\Drivers\ksecpkg.sys
17:34:54.0138 6888 KSecPkg - ok
17:34:54.0155 6888 [ 6869281E78CB31A43E969F06B57347C4 ] ksthunk C:\windows\system32\drivers\ksthunk.sys
17:34:54.0160 6888 ksthunk - ok
17:34:54.0206 6888 [ 6AB66E16AA859232F64DEB66887A8C9C ] KtmRm C:\windows\system32\msdtckrm.dll
17:34:54.0220 6888 KtmRm - ok
17:34:54.0264 6888 [ D9F42719019740BAA6D1C6D536CBDAA6 ] LanmanServer C:\windows\system32\srvsvc.dll
17:34:54.0287 6888 LanmanServer - ok
17:34:54.0316 6888 [ 851A1382EED3E3A7476DB004F4EE3E1A ] LanmanWorkstation C:\windows\System32\wkssvc.dll
17:34:54.0328 6888 LanmanWorkstation - ok
17:34:54.0359 6888 [ 1538831CF8AD2979A04C423779465827 ] lltdio C:\windows\system32\DRIVERS\lltdio.sys
17:34:54.0363 6888 lltdio - ok
17:34:54.0396 6888 [ C1185803384AB3FEED115F79F109427F ] lltdsvc C:\windows\System32\lltdsvc.dll
17:34:54.0408 6888 lltdsvc - ok
17:34:54.0434 6888 [ F993A32249B66C9D622EA5592A8B76B8 ] lmhosts C:\windows\System32\lmhsvc.dll
17:34:54.0442 6888 lmhosts - ok
17:34:54.0477 6888 [ 1A93E54EB0ECE102495A51266DCDB6A6 ] LSI_FC C:\windows\system32\drivers\lsi_fc.sys
17:34:54.0482 6888 LSI_FC - ok
17:34:54.0508 6888 [ 1047184A9FDC8BDBFF857175875EE810 ] LSI_SAS C:\windows\system32\drivers\lsi_sas.sys
17:34:54.0513 6888 LSI_SAS - ok
17:34:54.0536 6888 [ 30F5C0DE1EE8B5BC9306C1F0E4A75F93 ] LSI_SAS2 C:\windows\system32\drivers\lsi_sas2.sys
17:34:54.0541 6888 LSI_SAS2 - ok
17:34:54.0562 6888 [ 0504EACAFF0D3C8AED161C4B0D369D4A ] LSI_SCSI C:\windows\system32\drivers\lsi_scsi.sys
17:34:54.0567 6888 LSI_SCSI - ok
17:34:54.0590 6888 [ 43D0F98E1D56CCDDB0D5254CFF7B356E ] luafv C:\windows\system32\drivers\luafv.sys
17:34:54.0596 6888 luafv - ok
17:34:54.0641 6888 [ 0BE09CD858ABF9DF6ED259D57A1A1663 ] Mcx2Svc C:\windows\system32\Mcx2Svc.dll
17:34:54.0650 6888 Mcx2Svc - ok
17:34:54.0662 6888 [ A55805F747C6EDB6A9080D7C633BD0F4 ] megasas C:\windows\system32\drivers\megasas.sys
17:34:54.0666 6888 megasas - ok
17:34:54.0705 6888 [ BAF74CE0072480C3B6B7C13B2A94D6B3 ] MegaSR C:\windows\system32\drivers\MegaSR.sys
17:34:54.0714 6888 MegaSR - ok
17:34:54.0742 6888 [ E40E80D0304A73E8D269F7141D77250B ] MMCSS C:\windows\system32\mmcss.dll
17:34:54.0750 6888 MMCSS - ok
17:34:54.0763 6888 [ 800BA92F7010378B09F9ED9270F07137 ] Modem C:\windows\system32\drivers\modem.sys
17:34:54.0768 6888 Modem - ok
17:34:54.0791 6888 [ B03D591DC7DA45ECE20B3B467E6AADAA ] monitor C:\windows\system32\DRIVERS\monitor.sys
17:34:54.0795 6888 monitor - ok
17:34:54.0819 6888 [ 7D27EA49F3C1F687D357E77A470AEA99 ] mouclass C:\windows\system32\DRIVERS\mouclass.sys
17:34:54.0824 6888 mouclass - ok
17:34:54.0849 6888 [ D3BF052C40B0C4166D9FD86A4288C1E6 ] mouhid C:\windows\system32\DRIVERS\mouhid.sys
17:34:54.0853 6888 mouhid - ok
17:34:54.0881 6888 [ 32E7A3D591D671A6DF2DB515A5CBE0FA ] mountmgr C:\windows\system32\drivers\mountmgr.sys
17:34:54.0886 6888 mountmgr - ok
17:34:54.0912 6888 [ A44B420D30BD56E145D6A2BC8768EC58 ] mpio C:\windows\system32\drivers\mpio.sys
17:34:54.0919 6888 mpio - ok
17:34:54.0939 6888 [ 6C38C9E45AE0EA2FA5E551F2ED5E978F ] mpsdrv C:\windows\system32\drivers\mpsdrv.sys
17:34:54.0944 6888 mpsdrv - ok
17:34:54.0992 6888 [ 54FFC9C8898113ACE189D4AA7199D2C1 ] MpsSvc C:\windows\system32\mpssvc.dll
17:34:55.0011 6888 MpsSvc - ok
17:34:55.0039 6888 [ DC722758B8261E1ABAFD31A3C0A66380 ] MRxDAV C:\windows\system32\drivers\mrxdav.sys
17:34:55.0044 6888 MRxDAV - ok
17:34:55.0083 6888 [ A5D9106A73DC88564C825D317CAC68AC ] mrxsmb C:\windows\system32\DRIVERS\mrxsmb.sys
17:34:55.0090 6888 mrxsmb - ok
17:34:55.0111 6888 [ D711B3C1D5F42C0C2415687BE09FC163 ] mrxsmb10 C:\windows\system32\DRIVERS\mrxsmb10.sys
17:34:55.0119 6888 mrxsmb10 - ok
17:34:55.0139 6888 [ 9423E9D355C8D303E76B8CFBD8A5C30C ] mrxsmb20 C:\windows\system32\DRIVERS\mrxsmb20.sys
17:34:55.0146 6888 mrxsmb20 - ok
17:34:55.0167 6888 [ C25F0BAFA182CBCA2DD3C851C2E75796 ] msahci C:\windows\system32\drivers\msahci.sys
17:34:55.0171 6888 msahci - ok
17:34:55.0194 6888 [ DB801A638D011B9633829EB6F663C900 ] msdsm C:\windows\system32\drivers\msdsm.sys
17:34:55.0200 6888 msdsm - ok
17:34:55.0235 6888 [ DE0ECE52236CFA3ED2DBFC03F28253A8 ] MSDTC C:\windows\System32\msdtc.exe
17:34:55.0269 6888 MSDTC - ok
17:34:55.0312 6888 [ AA3FB40E17CE1388FA1BEDAB50EA8F96 ] Msfs C:\windows\system32\drivers\Msfs.sys
17:34:55.0317 6888 Msfs - ok
17:34:55.0339 6888 [ F9D215A46A8B9753F61767FA72A20326 ] mshidkmdf C:\windows\System32\drivers\mshidkmdf.sys
17:34:55.0343 6888 mshidkmdf - ok
17:34:55.0366 6888 [ D916874BBD4F8B07BFB7FA9B3CCAE29D ] msisadrv C:\windows\system32\drivers\msisadrv.sys
17:34:55.0370 6888 msisadrv - ok
17:34:55.0415 6888 [ 808E98FF49B155C522E6400953177B08 ] MSiSCSI C:\windows\system32\iscsiexe.dll
17:34:55.0427 6888 MSiSCSI - ok
17:34:55.0438 6888 msiserver - ok
17:34:55.0480 6888 [ 49CCF2C4FEA34FFAD8B1B59D49439366 ] MSKSSRV C:\windows\system32\drivers\MSKSSRV.sys
17:34:55.0485 6888 MSKSSRV - ok
17:34:55.0495 6888 [ BDD71ACE35A232104DDD349EE70E1AB3 ] MSPCLOCK C:\windows\system32\drivers\MSPCLOCK.sys
17:34:55.0499 6888 MSPCLOCK - ok
17:34:55.0520 6888 [ 4ED981241DB27C3383D72092B618A1D0 ] MSPQM C:\windows\system32\drivers\MSPQM.sys
17:34:55.0525 6888 MSPQM - ok
17:34:55.0551 6888 [ 759A9EEB0FA9ED79DA1FB7D4EF78866D ] MsRPC C:\windows\system32\drivers\MsRPC.sys
17:34:55.0560 6888 MsRPC - ok
17:34:55.0588 6888 [ 0EED230E37515A0EAEE3C2E1BC97B288 ] mssmbios C:\windows\system32\DRIVERS\mssmbios.sys
17:34:55.0593 6888 mssmbios - ok
17:34:55.0607 6888 [ 2E66F9ECB30B4221A318C92AC2250779 ] MSTEE C:\windows\system32\drivers\MSTEE.sys
17:34:55.0611 6888 MSTEE - ok
17:34:55.0667 6888 [ 7EA404308934E675BFFDE8EDF0757BCD ] MTConfig C:\windows\system32\drivers\MTConfig.sys
17:34:55.0696 6888 MTConfig - ok
17:34:55.0731 6888 [ F9A18612FD3526FE473C1BDA678D61C8 ] Mup C:\windows\system32\Drivers\mup.sys
17:34:55.0737 6888 Mup - ok
17:34:55.0824 6888 mysql - ok
17:34:55.0892 6888 [ 582AC6D9873E31DFA28A4547270862DD ] napagent C:\windows\system32\qagentRT.dll
17:34:55.0908 6888 napagent - ok
17:34:55.0970 6888 [ 1EA3749C4114DB3E3161156FFFFA6B33 ] NativeWifiP C:\windows\system32\DRIVERS\nwifi.sys
17:34:55.0979 6888 NativeWifiP - ok
17:34:56.0034 6888 [ 760E38053BF56E501D562B70AD796B88 ] NDIS C:\windows\system32\drivers\ndis.sys
17:34:56.0069 6888 NDIS - ok
17:34:56.0095 6888 [ 9F9A1F53AAD7DA4D6FEF5BB73AB811AC ] NdisCap C:\windows\system32\DRIVERS\ndiscap.sys
17:34:56.0099 6888 NdisCap - ok
17:34:56.0118 6888 [ 30639C932D9FEF22B31268FE25A1B6E5 ] NdisTapi C:\windows\system32\DRIVERS\ndistapi.sys
17:34:56.0122 6888 NdisTapi - ok
17:34:56.0157 6888 [ 136185F9FB2CC61E573E676AA5402356 ] Ndisuio C:\windows\system32\DRIVERS\ndisuio.sys
17:34:56.0162 6888 Ndisuio - ok
17:34:56.0184 6888 [ 53F7305169863F0A2BDDC49E116C2E11 ] NdisWan C:\windows\system32\DRIVERS\ndiswan.sys
17:34:56.0191 6888 NdisWan - ok
17:34:56.0209 6888 [ 015C0D8E0E0421B4CFD48CFFE2825879 ] NDProxy C:\windows\system32\drivers\NDProxy.sys
17:34:56.0213 6888 NDProxy - ok
17:34:56.0228 6888 [ 86743D9F5D2B1048062B14B1D84501C4 ] NetBIOS C:\windows\system32\DRIVERS\netbios.sys
17:34:56.0233 6888 NetBIOS - ok
17:34:56.0260 6888 [ 09594D1089C523423B32A4229263F068 ] NetBT C:\windows\system32\DRIVERS\netbt.sys
17:34:56.0267 6888 NetBT - ok
17:34:56.0292 6888 [ C118A82CD78818C29AB228366EBF81C3 ] Netlogon C:\windows\system32\lsass.exe
17:34:56.0298 6888 Netlogon - ok
17:34:56.0344 6888 [ 847D3AE376C0817161A14A82C8922A9E ] Netman C:\windows\System32\netman.dll
17:34:56.0368 6888 Netman - ok
17:34:56.0395 6888 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetMsmqActivator C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
17:34:56.0401 6888 NetMsmqActivator - ok
17:34:56.0411 6888 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetPipeActivator C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
17:34:56.0416 6888 NetPipeActivator - ok
17:34:56.0436 6888 [ 5F28111C648F1E24F7DBC87CDEB091B8 ] netprofm C:\windows\System32\netprofm.dll
17:34:56.0451 6888 netprofm - ok
17:34:56.0463 6888 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpActivator C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
17:34:56.0467 6888 NetTcpActivator - ok
17:34:56.0478 6888 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
17:34:56.0482 6888 NetTcpPortSharing - ok
17:34:56.0527 6888 [ 77889813BE4D166CDAB78DDBA990DA92 ] nfrd960 C:\windows\system32\drivers\nfrd960.sys
17:34:56.0531 6888 nfrd960 - ok
17:34:56.0572 6888 [ 1EE99A89CC788ADA662441D1E9830529 ] NlaSvc C:\windows\System32\nlasvc.dll
17:34:56.0584 6888 NlaSvc - ok
17:34:56.0605 6888 [ 1E4C4AB5C9B8DD13179BBDC75A2A01F7 ] Npfs C:\windows\system32\drivers\Npfs.sys
17:34:56.0610 6888 Npfs - ok
17:34:56.0631 6888 [ D54BFDF3E0C953F823B3D0BFE4732528 ] nsi C:\windows\system32\nsisvc.dll
17:34:56.0640 6888 nsi - ok
17:34:56.0656 6888 [ E7F5AE18AF4168178A642A9247C63001 ] nsiproxy C:\windows\system32\drivers\nsiproxy.sys
17:34:56.0660 6888 nsiproxy - ok
17:34:56.0774 6888 [ E453ACF4E7D44E5530B5D5F2B9CA8563 ] Ntfs C:\windows\system32\drivers\Ntfs.sys
17:34:56.0830 6888 Ntfs - ok
17:34:56.0850 6888 [ 9899284589F75FA8724FF3D16AED75C1 ] Null C:\windows\system32\drivers\Null.sys
17:34:56.0854 6888 Null - ok
17:34:56.0893 6888 [ 0A92CB65770442ED0DC44834632F66AD ] nvraid C:\windows\system32\drivers\nvraid.sys
17:34:56.0899 6888 nvraid - ok
17:34:56.0914 6888 [ DAB0E87525C10052BF65F06152F37E4A ] nvstor C:\windows\system32\drivers\nvstor.sys
17:34:56.0920 6888 nvstor - ok
17:34:56.0943 6888 [ 270D7CD42D6E3979F6DD0146650F0E05 ] nv_agp C:\windows\system32\drivers\nv_agp.sys
17:34:56.0948 6888 nv_agp - ok
17:34:56.0971 6888 [ 3589478E4B22CE21B41FA1BFC0B8B8A0 ] ohci1394 C:\windows\system32\drivers\ohci1394.sys
17:34:56.0976 6888 ohci1394 - ok
17:34:57.0011 6888 [ 9D10F99A6712E28F8ACD5641E3A7EA6B ] ose C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
17:34:57.0017 6888 ose - ok
17:34:57.0297 6888 [ 61BFFB5F57AD12F83AB64B7181829B34 ] osppsvc C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
17:34:57.0440 6888 osppsvc - ok
17:34:57.0538 6888 [ 3EAC4455472CC2C97107B5291E0DCAFE ] p2pimsvc C:\windows\system32\pnrpsvc.dll
17:34:57.0563 6888 p2pimsvc - ok
17:34:57.0591 6888 [ 927463ECB02179F88E4B9A17568C63C3 ] p2psvc C:\windows\system32\p2psvc.dll
17:34:57.0625 6888 p2psvc - ok
17:34:57.0658 6888 [ 0086431C29C35BE1DBC43F52CC273887 ] Parport C:\windows\system32\drivers\parport.sys
17:34:57.0669 6888 Parport - ok
17:34:57.0700 6888 [ E9766131EEADE40A27DC27D2D68FBA9C ] partmgr C:\windows\system32\drivers\partmgr.sys
17:34:57.0705 6888 partmgr - ok
17:34:57.0742 6888 [ 3AEAA8B561E63452C655DC0584922257 ] PcaSvc C:\windows\System32\pcasvc.dll
17:34:57.0752 6888 PcaSvc - ok
17:34:57.0827 6888 [ 4B5F5774FF1C577B9515FDD2B5C535C5 ] PCDSRVC{1E208CE0-FB7451FF-06020101}_0 c:\program files\dell support center\pcdsrvc_x64.pkms
17:34:57.0835 6888 PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - ok
17:34:57.0871 6888 [ 94575C0571D1462A0F70BDE6BD6EE6B3 ] pci C:\windows\system32\drivers\pci.sys
17:34:57.0878 6888 pci - ok
17:34:57.0896 6888 [ B5B8B5EF2E5CB34DF8DCF8831E3534FA ] pciide C:\windows\system32\drivers\pciide.sys
17:34:57.0900 6888 pciide - ok
17:34:57.0926 6888 [ B2E81D4E87CE48589F98CB8C05B01F2F ] pcmcia C:\windows\system32\drivers\pcmcia.sys
17:34:57.0935 6888 pcmcia - ok
17:34:57.0959 6888 [ D6B9C2E1A11A3A4B26A182FFEF18F603 ] pcw C:\windows\system32\drivers\pcw.sys
17:34:57.0964 6888 pcw - ok
17:34:58.0003 6888 [ 68769C3356B3BE5D1C732C97B9A80D6E ] PEAUTH C:\windows\system32\drivers\peauth.sys
17:34:58.0033 6888 PEAUTH - ok
17:34:58.0825 6888 [ E495E408C93141E8FC72DC0C6046DDFA ] PerfHost C:\windows\SysWow64\perfhost.exe
17:34:58.0839 6888 PerfHost - ok
17:34:58.0922 6888 [ C7CF6A6E137463219E1259E3F0F0DD6C ] pla C:\windows\system32\pla.dll
17:34:58.0987 6888 pla - ok
17:34:59.0047 6888 [ 25FBDEF06C4D92815B353F6E792C8129 ] PlugPlay C:\windows\system32\umpnpmgr.dll
17:34:59.0062 6888 PlugPlay - ok
17:34:59.0095 6888 [ 7195581CEC9BB7D12ABE54036ACC2E38 ] PNRPAutoReg C:\windows\system32\pnrpauto.dll
17:34:59.0105 6888 PNRPAutoReg - ok
17:34:59.0134 6888 [ 3EAC4455472CC2C97107B5291E0DCAFE ] PNRPsvc C:\windows\system32\pnrpsvc.dll
17:34:59.0147 6888 PNRPsvc - ok
17:34:59.0218 6888 [ 4F15D75ADF6156BF56ECED6D4A55C389 ] PolicyAgent C:\windows\System32\ipsecsvc.dll
17:34:59.0249 6888 PolicyAgent - ok
17:34:59.0296 6888 [ A2CCA4FB273E6050F17A0A416CFF2FCD ] Power C:\windows\system32\umpo.dll
17:34:59.0309 6888 Power - ok
17:34:59.0375 6888 [ F92A2C41117A11A00BE01CA01A7FCDE9 ] PptpMiniport C:\windows\system32\DRIVERS\raspptp.sys
17:34:59.0380 6888 PptpMiniport - ok
17:34:59.0405 6888 [ 0D922E23C041EFB1C3FAC2A6F943C9BF ] Processor C:\windows\system32\drivers\processr.sys
17:34:59.0410 6888 Processor - ok
17:34:59.0442 6888 [ 53E83F1F6CF9D62F32801CF66D8352A8 ] ProfSvc C:\windows\system32\profsvc.dll
17:34:59.0463 6888 ProfSvc - ok
17:34:59.0483 6888 [ C118A82CD78818C29AB228366EBF81C3 ] ProtectedStorage C:\windows\system32\lsass.exe
17:34:59.0490 6888 ProtectedStorage - ok
17:34:59.0519 6888 [ 0557CF5A2556BD58E26384169D72438D ] Psched C:\windows\system32\DRIVERS\pacer.sys
17:34:59.0525 6888 Psched - ok
17:34:59.0563 6888 [ 87B04878A6D59D6C79251DC960C674C1 ] PxHlpa64 C:\windows\system32\Drivers\PxHlpa64.sys
17:34:59.0568 6888 PxHlpa64 - ok
17:34:59.0638 6888 [ A53A15A11EBFD21077463EE2C7AFEEF0 ] ql2300 C:\windows\system32\drivers\ql2300.sys
17:34:59.0683 6888 ql2300 - ok
17:34:59.0697 6888 [ 4F6D12B51DE1AAEFF7DC58C4D75423C8 ] ql40xx C:\windows\system32\drivers\ql40xx.sys
17:34:59.0702 6888 ql40xx - ok
17:34:59.0773 6888 [ 906191634E99AEA92C4816150BDA3732 ] QWAVE C:\windows\system32\qwave.dll
17:34:59.0807 6888 QWAVE - ok
17:34:59.0841 6888 [ 76707BB36430888D9CE9D705398ADB6C ] QWAVEdrv C:\windows\system32\drivers\qwavedrv.sys
17:34:59.0852 6888 QWAVEdrv - ok
17:34:59.0875 6888 [ 5A0DA8AD5762FA2D91678A8A01311704 ] RasAcd C:\windows\system32\DRIVERS\rasacd.sys
17:34:59.0879 6888 RasAcd - ok
17:34:59.0917 6888 [ 7ECFF9B22276B73F43A99A15A6094E90 ] RasAgileVpn C:\windows\system32\DRIVERS\AgileVpn.sys
17:34:59.0921 6888 RasAgileVpn - ok
17:34:59.0958 6888 [ 8F26510C5383B8DBE976DE1CD00FC8C7 ] RasAuto C:\windows\System32\rasauto.dll
17:34:59.0992 6888 RasAuto - ok
17:35:00.0025 6888 [ 471815800AE33E6F1C32FB1B97C490CA ] Rasl2tp C:\windows\system32\DRIVERS\rasl2tp.sys
17:35:00.0030 6888 Rasl2tp - ok
17:35:00.0058 6888 [ EE867A0870FC9E4972BA9EAAD35651E2 ] RasMan C:\windows\System32\rasmans.dll
17:35:00.0103 6888 RasMan - ok
17:35:00.0143 6888 [ 855C9B1CD4756C5E9A2AA58A15F58C25 ] RasPppoe C:\windows\system32\DRIVERS\raspppoe.sys
17:35:00.0149 6888 RasPppoe - ok
17:35:00.0179 6888 [ E8B1E447B008D07FF47D016C2B0EEECB ] RasSstp C:\windows\system32\DRIVERS\rassstp.sys
17:35:00.0184 6888 RasSstp - ok
17:35:00.0208 6888 [ 77F665941019A1594D887A74F301FA2F ] rdbss C:\windows\system32\DRIVERS\rdbss.sys
17:35:00.0219 6888 rdbss - ok
17:35:00.0288 6888 [ 302DA2A0539F2CF54D7C6CC30C1F2D8D ] rdpbus C:\windows\system32\drivers\rdpbus.sys
17:35:00.0294 6888 rdpbus - ok
17:35:00.0329 6888 [ CEA6CC257FC9B7715F1C2B4849286D24 ] RDPCDD C:\windows\system32\DRIVERS\RDPCDD.sys
17:35:00.0333 6888 RDPCDD - ok
17:35:00.0361 6888 [ BB5971A4F00659529A5C44831AF22365 ] RDPENCDD C:\windows\system32\drivers\rdpencdd.sys
17:35:00.0365 6888 RDPENCDD - ok
17:35:00.0385 6888 [ 216F3FA57533D98E1F74DED70113177A ] RDPREFMP C:\windows\system32\drivers\rdprefmp.sys
17:35:00.0390 6888 RDPREFMP - ok
17:35:00.0423 6888 [ E61608AA35E98999AF9AAEEEA6114B0A ] RDPWD C:\windows\system32\drivers\RDPWD.sys
17:35:00.0431 6888 RDPWD - ok
17:35:00.0460 6888 [ 34ED295FA0121C241BFEF24764FC4520 ] rdyboost C:\windows\system32\drivers\rdyboost.sys
17:35:00.0467 6888 rdyboost - ok
17:35:00.0515 6888 [ 254FB7A22D74E5511C73A3F6D802F192 ] RemoteAccess C:\windows\System32\mprdim.dll
17:35:00.0524 6888 RemoteAccess - ok
17:35:00.0557 6888 [ E4D94F24081440B5FC5AA556C7C62702 ] RemoteRegistry C:\windows\system32\regsvc.dll
17:35:00.0568 6888 RemoteRegistry - ok
17:35:00.0618 6888 [ 3DD798846E2C28102B922C56E71B7932 ] RFCOMM C:\windows\system32\DRIVERS\rfcomm.sys
17:35:00.0625 6888 RFCOMM - ok
17:35:00.0931 6888 [ 3C957189B31C34D3AD21967B12B6AED7 ] RoxMediaDB12OEM c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
17:35:00.0975 6888 RoxMediaDB12OEM - ok
17:35:01.0014 6888 [ 2B73088CC2CA757A172B425C9398E5BC ] RoxWatch12 c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
17:35:01.0023 6888 RoxWatch12 - ok
17:35:01.0058 6888 [ E4DC58CF7B3EA515AE917FF0D402A7BB ] RpcEptMapper C:\windows\System32\RpcEpMap.dll
17:35:01.0067 6888 RpcEptMapper - ok
17:35:01.0106 6888 [ D5BA242D4CF8E384DB90E6A8ED850B8C ] RpcLocator C:\windows\system32\locator.exe
17:35:01.0114 6888 RpcLocator - ok
17:35:01.0148 6888 [ 5C627D1B1138676C0A7AB2C2C190D123 ] RpcSs C:\windows\system32\rpcss.dll
17:35:01.0163 6888 RpcSs - ok
17:35:01.0205 6888 [ DDC86E4F8E7456261E637E3552E804FF ] rspndr C:\windows\system32\DRIVERS\rspndr.sys
17:35:01.0210 6888 rspndr - ok
17:35:01.0264 6888 [ BE29B0A3AC1E8BD02FFAB8CEE86BADFA ] RSUSBSTOR C:\windows\system32\Drivers\RtsUStor.sys
17:35:01.0272 6888 RSUSBSTOR - ok
17:35:01.0312 6888 [ EE082E06A82FF630351D1E0EBBD3D8D0 ] RTL8167 C:\windows\system32\DRIVERS\Rt64win7.sys
17:35:01.0336 6888 RTL8167 - ok
17:35:01.0354 6888 [ C118A82CD78818C29AB228366EBF81C3 ] SamSs C:\windows\system32\lsass.exe
17:35:01.0361 6888 SamSs - ok
17:35:01.0396 6888 [ AC03AF3329579FFFB455AA2DAABBE22B ] sbp2port C:\windows\system32\drivers\sbp2port.sys
17:35:01.0402 6888 sbp2port - ok
17:35:01.0413 6888 SBRE - ok
17:35:01.0454 6888 [ 9B7395789E3791A3B6D000FE6F8B131E ] SCardSvr C:\windows\System32\SCardSvr.dll
17:35:01.0466 6888 SCardSvr - ok
17:35:01.0482 6888 [ 253F38D0D7074C02FF8DEB9836C97D2B ] scfilter C:\windows\system32\DRIVERS\scfilter.sys
17:35:01.0487 6888 scfilter - ok
17:35:01.0534 6888 [ 262F6592C3299C005FD6BEC90FC4463A ] Schedule C:\windows\system32\schedsvc.dll
17:35:01.0581 6888 Schedule - ok
17:35:01.0660 6888 [ F17D1D393BBC69C5322FBFAFACA28C7F ] SCPolicySvc C:\windows\System32\certprop.dll
17:35:01.0663 6888 SCPolicySvc - ok
17:35:01.0718 6888 [ 6EA4234DC55346E0709560FE7C2C1972 ] SDRSVC C:\windows\System32\SDRSVC.dll
17:35:01.0730 6888 SDRSVC - ok
17:35:01.0768 6888 [ 3EA8A16169C26AFBEB544E0E48421186 ] secdrv C:\windows\system32\drivers\secdrv.sys
17:35:01.0774 6888 secdrv - ok
17:35:01.0794 6888 [ BC617A4E1B4FA8DF523A061739A0BD87 ] seclogon C:\windows\system32\seclogon.dll
17:35:01.0804 6888 seclogon - ok
17:35:01.0824 6888 [ C32AB8FA018EF34C0F113BD501436D21 ] SENS C:\windows\System32\sens.dll
17:35:01.0835 6888 SENS - ok
17:35:01.0875 6888 [ 0336CFFAFAAB87A11541F1CF1594B2B2 ] SensrSvc C:\windows\system32\sensrsvc.dll
17:35:01.0885 6888 SensrSvc - ok
17:35:01.0907 6888 [ CB624C0035412AF0DEBEC78C41F5CA1B ] Serenum C:\windows\system32\drivers\serenum.sys
17:35:01.0912 6888 Serenum - ok
17:35:01.0944 6888 [ C1D8E28B2C2ADFAEC4BA89E9FDA69BD6 ] Serial C:\windows\system32\drivers\serial.sys
17:35:01.0949 6888 Serial - ok
17:35:01.0963 6888 [ 1C545A7D0691CC4A027396535691C3E3 ] sermouse C:\windows\system32\drivers\sermouse.sys
17:35:01.0968 6888 sermouse - ok
17:35:02.0022 6888 [ 0B6231BF38174A1628C4AC812CC75804 ] SessionEnv C:\windows\system32\sessenv.dll
17:35:02.0036 6888 SessionEnv - ok
17:35:02.0048 6888 [ A554811BCD09279536440C964AE35BBF ] sffdisk C:\windows\system32\drivers\sffdisk.sys
17:35:02.0052 6888 sffdisk - ok
17:35:02.0066 6888 [ FF414F0BAEFEBA59BC6C04B3DB0B87BF ] sffp_mmc C:\windows\system32\drivers\sffp_mmc.sys
17:35:02.0070 6888 sffp_mmc - ok
17:35:02.0083 6888 [ DD85B78243A19B59F0637DCF284DA63C ] sffp_sd C:\windows\system32\drivers\sffp_sd.sys
17:35:02.0087 6888 sffp_sd - ok
17:35:02.0100 6888 [ A9D601643A1647211A1EE2EC4E433FF4 ] sfloppy C:\windows\system32\drivers\sfloppy.sys
17:35:02.0107 6888 sfloppy - ok
17:35:02.0164 6888 [ C6CC9297BD53E5229653303E556AA539 ] Sftfs C:\windows\system32\DRIVERS\Sftfslh.sys
17:35:02.0198 6888 Sftfs - ok
17:35:02.0264 6888 [ 13693B6354DD6E72DC5131DA7D764B90 ] sftlist C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
17:35:02.0289 6888 sftlist - ok
17:35:02.0344 6888 [ 390AA7BC52CEE43F6790CDEA1E776703 ] Sftplay C:\windows\system32\DRIVERS\Sftplaylh.sys
17:35:02.0353 6888 Sftplay - ok
17:35:02.0378 6888 [ 617E29A0B0A2807466560D4C4E338D3E ] Sftredir C:\windows\system32\DRIVERS\Sftredirlh.sys
17:35:02.0385 6888 Sftredir - ok
17:35:02.0487 6888 [ 74EC60E20516AAA573BE74F31175270F ] SftService C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
17:35:02.0550 6888 SftService - ok
17:35:02.0575 6888 [ 8F571F016FA1976F445147E9E6C8AE9B ] Sftvol C:\windows\system32\DRIVERS\Sftvollh.sys
17:35:02.0581 6888 Sftvol - ok
17:35:02.0622 6888 [ C3CDDD18F43D44AB713CF8C4916F7696 ] sftvsa C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
17:35:02.0629 6888 sftvsa - ok
17:35:02.0672 6888 [ B95F6501A2F8B2E78C697FEC401970CE ] SharedAccess C:\windows\System32\ipnathlp.dll
17:35:02.0695 6888 SharedAccess - ok
17:35:02.0734 6888 [ AAF932B4011D14052955D4B212A4DA8D ] ShellHWDetection C:\windows\System32\shsvcs.dll
17:35:02.0764 6888 ShellHWDetection - ok
17:35:02.0794 6888 [ 843CAF1E5FDE1FFD5FF768F23A51E2E1 ] SiSRaid2 C:\windows\system32\drivers\SiSRaid2.sys
17:35:02.0800 6888 SiSRaid2 - ok
17:35:02.0818 6888 [ 6A6C106D42E9FFFF8B9FCB4F754F6DA4 ] SiSRaid4 C:\windows\system32\drivers\sisraid4.sys
17:35:02.0826 6888 SiSRaid4 - ok
17:35:02.0882 6888 [ F07AF60B152221472FBDB2FECEC4896D ] SkypeUpdate C:\Program Files (x86)\Skype\Updater\Updater.exe
17:35:02.0889 6888 SkypeUpdate - ok
17:35:02.0912 6888 [ 548260A7B8654E024DC30BF8A7C5BAA4 ] Smb C:\windows\system32\DRIVERS\smb.sys
17:35:02.0918 6888 Smb - ok
17:35:02.0973 6888 [ 6313F223E817CC09AA41811DAA7F541D ] SNMPTRAP C:\windows\System32\snmptrap.exe
17:35:02.0985 6888 SNMPTRAP - ok
17:35:03.0013 6888 [ B9E31E5CACDFE584F34F730A677803F9 ] spldr C:\windows\system32\drivers\spldr.sys
17:35:03.0018 6888 spldr - ok
17:35:03.0071 6888 [ 85DAA09A98C9286D4EA2BA8D0E644377 ] Spooler C:\windows\System32\spoolsv.exe
17:35:03.0106 6888 Spooler - ok
17:35:03.0237 6888 [ E17E0188BB90FAE42D83E98707EFA59C ] sppsvc C:\windows\system32\sppsvc.exe
17:35:03.0359 6888 sppsvc - ok
17:35:03.0383 6888 [ 93D7D61317F3D4BC4F4E9F8A96A7DE45 ] sppuinotify C:\windows\system32\sppuinotify.dll
17:35:03.0394 6888 sppuinotify - ok
17:35:03.0487 6888 [ A15860E920B02C9A7CE8F3A6C2FF1E3A ] sptd C:\windows\System32\Drivers\sptd.sys
17:35:03.0532 6888 sptd - ok
17:35:03.0575 6888 [ 441FBA48BFF01FDB9D5969EBC1838F0B ] srv C:\windows\system32\DRIVERS\srv.sys
17:35:03.0585 6888 srv - ok
17:35:03.0612 6888 [ B4ADEBBF5E3677CCE9651E0F01F7CC28 ] srv2 C:\windows\system32\DRIVERS\srv2.sys
17:35:03.0623 6888 srv2 - ok
17:35:03.0652 6888 [ 27E461F0BE5BFF5FC737328F749538C3 ] srvnet C:\windows\system32\DRIVERS\srvnet.sys
17:35:03.0660 6888 srvnet - ok
17:35:03.0706 6888 [ 51B52FBD583CDE8AA9BA62B8B4298F33 ] SSDPSRV C:\windows\System32\ssdpsrv.dll
17:35:03.0728 6888 SSDPSRV - ok
17:35:03.0746 6888 [ AB7AEBF58DAD8DAAB7A6C45E6A8885CB ] SstpSvc C:\windows\system32\sstpsvc.dll
17:35:03.0757 6888 SstpSvc - ok
17:35:03.0876 6888 [ A6B2EC3A2B6AD7C3F7B2F3495CADE4C0 ] STacSV C:\Program Files\IDT\WDM\STacSV64.exe
17:35:03.0908 6888 STacSV - ok
17:35:03.0934 6888 [ F3817967ED533D08327DC73BC4D5542A ] stexstor C:\windows\system32\drivers\stexstor.sys
17:35:03.0941 6888 stexstor - ok
17:35:04.0010 6888 [ EBA98394A7D58F7552C52192BD8FA7E6 ] STHDA C:\windows\system32\DRIVERS\stwrt64.sys
17:35:04.0034 6888 STHDA - ok
17:35:04.0089 6888 [ 8DD52E8E6128F4B2DA92CE27402871C1 ] stisvc C:\windows\System32\wiaservc.dll
17:35:04.0124 6888 stisvc - ok
17:35:04.0170 6888 [ 7731F46EC0D687A931CBA063E8F90EF0 ] stllssvr c:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
17:35:04.0180 6888 stllssvr - ok
17:35:04.0216 6888 [ D01EC09B6711A5F8E7E6564A4D0FBC90 ] swenum C:\windows\system32\DRIVERS\swenum.sys
17:35:04.0220 6888 swenum - ok
17:35:04.0268 6888 [ E08E46FDD841B7184194011CA1955A0B ] swprv C:\windows\System32\swprv.dll
17:35:04.0313 6888 swprv - ok
17:35:04.0379 6888 [ BF9CCC0BF39B418C8D0AE8B05CF95B7D ] SysMain C:\windows\system32\sysmain.dll
17:35:04.0435 6888 SysMain - ok
17:35:04.0501 6888 [ E3C61FD7B7C2557E1F1B0B4CEC713585 ] TabletInputService C:\windows\System32\TabSvc.dll
17:35:04.0521 6888 TabletInputService - ok
17:35:04.0549 6888 [ 40F0849F65D13EE87B9A9AE3C1DD6823 ] TapiSrv C:\windows\System32\tapisrv.dll
17:35:04.0573 6888 TapiSrv - ok
17:35:04.0604 6888 [ 1BE03AC720F4D302EA01D40F588162F6 ] TBS C:\windows\System32\tbssvc.dll
17:35:04.0616 6888 TBS - ok
17:35:04.0703 6888 [ F782CAD3CEDBB3F9FFE3BF2775D92DDC ] Tcpip C:\windows\system32\drivers\tcpip.sys
17:35:04.0759 6888 Tcpip - ok
17:35:04.0844 6888 [ F782CAD3CEDBB3F9FFE3BF2775D92DDC ] TCPIP6 C:\windows\system32\DRIVERS\tcpip.sys
17:35:04.0866 6888 TCPIP6 - ok
17:35:04.0919 6888 [ DF687E3D8836BFB04FCC0615BF15A519 ] tcpipreg C:\windows\system32\drivers\tcpipreg.sys
17:35:04.0923 6888 tcpipreg - ok
17:35:04.0955 6888 [ 3371D21011695B16333A3934340C4E7C ] TDPIPE C:\windows\system32\drivers\tdpipe.sys
17:35:04.0960 6888 TDPIPE - ok
17:35:04.0987 6888 [ 51C5ECEB1CDEE2468A1748BE550CFBC8 ] TDTCP C:\windows\system32\drivers\tdtcp.sys
17:35:04.0992 6888 TDTCP - ok
17:35:05.0014 6888 [ DDAD5A7AB24D8B65F8D724F5C20FD806 ] tdx C:\windows\system32\DRIVERS\tdx.sys
17:35:05.0019 6888 tdx - ok
17:35:05.0046 6888 [ 561E7E1F06895D78DE991E01DD0FB6E5 ] TermDD C:\windows\system32\DRIVERS\termdd.sys
17:35:05.0051 6888 TermDD - ok
17:35:05.0094 6888 [ 2E648163254233755035B46DD7B89123 ] TermService C:\windows\System32\termsrv.dll
17:35:05.0141 6888 TermService - ok
17:35:05.0157 6888 [ F0344071948D1A1FA732231785A0664C ] Themes C:\windows\system32\themeservice.dll
17:35:05.0190 6888 Themes - ok
17:35:05.0219 6888 [ E40E80D0304A73E8D269F7141D77250B ] THREADORDER C:\windows\system32\mmcss.dll
17:35:05.0228 6888 THREADORDER - ok
17:35:05.0276 6888 [ 7E7AFD841694F6AC397E99D75CEAD49D ] TrkWks C:\windows\System32\trkwks.dll
17:35:05.0289 6888 TrkWks - ok
17:35:05.0344 6888 [ 773212B2AAA24C1E31F10246B15B276C ] TrustedInstaller C:\windows\servicing\TrustedInstaller.exe
17:35:05.0350 6888 TrustedInstaller - ok
17:35:05.0376 6888 [ CE18B2CDFC837C99E5FAE9CA6CBA5D30 ] tssecsrv C:\windows\system32\DRIVERS\tssecsrv.sys
17:35:05.0381 6888 tssecsrv - ok
17:35:05.0409 6888 [ D11C783E3EF9A3C52C0EBE83CC5000E9 ] TsUsbFlt C:\windows\system32\drivers\tsusbflt.sys
17:35:05.0415 6888 TsUsbFlt - ok
17:35:05.0447 6888 [ 9CC2CCAE8A84820EAECB886D477CBCB8 ] TsUsbGD C:\windows\system32\drivers\TsUsbGD.sys
17:35:05.0452 6888 TsUsbGD - ok
17:35:05.0498 6888 [ 3566A8DAAFA27AF944F5D705EAA64894 ] tunnel C:\windows\system32\DRIVERS\tunnel.sys
17:35:05.0505 6888 tunnel - ok
17:35:05.0539 6888 [ B4DD609BD7E282BFC683CEC7EAAAAD67 ] uagp35 C:\windows\system32\drivers\uagp35.sys
17:35:05.0546 6888 uagp35 - ok
17:35:05.0575 6888 [ FF4232A1A64012BAA1FD97C7B67DF593 ] udfs C:\windows\system32\DRIVERS\udfs.sys
17:35:05.0598 6888 udfs - ok
17:35:05.0644 6888 [ 3CBDEC8D06B9968ABA702EBA076364A1 ] UI0Detect C:\windows\system32\UI0Detect.exe
17:35:05.0657 6888 UI0Detect - ok
17:35:05.0695 6888 [ 4BFE1BC28391222894CBF1E7D0E42320 ] uliagpkx C:\windows\system32\drivers\uliagpkx.sys
17:35:05.0701 6888 uliagpkx - ok
17:35:05.0732 6888 [ DC54A574663A895C8763AF0FA1FF7561 ] umbus C:\windows\system32\DRIVERS\umbus.sys
17:35:05.0738 6888 umbus - ok
17:35:05.0761 6888 [ B2E8E8CB557B156DA5493BBDDCC1474D ] UmPass C:\windows\system32\drivers\umpass.sys
17:35:05.0766 6888 UmPass - ok
17:35:05.0799 6888 [ D47EC6A8E81633DD18D2436B19BAF6DE ] upnphost C:\windows\System32\upnphost.dll
17:35:05.0834 6888 upnphost - ok
17:35:05.0864 6888 [ 19AD7990C0B67E48DAC5B26F99628223 ] usbccgp C:\windows\system32\DRIVERS\usbccgp.sys
17:35:05.0870 6888 usbccgp - ok
17:35:05.0911 6888 [ AF0892A803FDDA7492F595368E3B68E7 ] usbcir C:\windows\system32\drivers\usbcir.sys
17:35:05.0918 6888 usbcir - ok
17:35:05.0946 6888 [ C025055FE7B87701EB042095DF1A2D7B ] usbehci C:\windows\system32\DRIVERS\usbehci.sys
17:35:05.0951 6888 usbehci - ok
17:35:05.0986 6888 [ 573D192E268F0C5B486B7E96F661E538 ] usbfilter C:\windows\system32\DRIVERS\usbfilter.sys
17:35:05.0991 6888 usbfilter - ok
17:35:06.0046 6888 [ 287C6C9410B111B68B52CA298F7B8C24 ] usbhub C:\windows\system32\DRIVERS\usbhub.sys
17:35:06.0056 6888 usbhub - ok
17:35:06.0087 6888 [ 9840FC418B4CBD632D3D0A667A725C31 ] usbohci C:\windows\system32\DRIVERS\usbohci.sys
17:35:06.0099 6888 usbohci - ok
17:35:06.0119 6888 [ 73188F58FB384E75C4063D29413CEE3D ] usbprint C:\windows\system32\drivers\usbprint.sys
17:35:06.0124 6888 usbprint - ok
17:35:06.0152 6888 [ FED648B01349A3C8395A5169DB5FB7D6 ] USBSTOR C:\windows\system32\DRIVERS\USBSTOR.SYS
17:35:06.0158 6888 USBSTOR - ok
17:35:06.0172 6888 [ 62069A34518BCF9C1FD9E74B3F6DB7CD ] usbuhci C:\windows\system32\drivers\usbuhci.sys
17:35:06.0179 6888 usbuhci - ok
17:35:06.0218 6888 [ 454800C2BC7F3927CE030141EE4F4C50 ] usbvideo C:\windows\system32\Drivers\usbvideo.sys
17:35:06.0227 6888 usbvideo - ok
17:35:06.0253 6888 [ EDBB23CBCF2CDF727D64FF9B51A6070E ] UxSms C:\windows\System32\uxsms.dll
17:35:06.0267 6888 UxSms - ok
17:35:06.0296 6888 [ C118A82CD78818C29AB228366EBF81C3 ] VaultSvc C:\windows\system32\lsass.exe
17:35:06.0303 6888 VaultSvc - ok
17:35:06.0352 6888 [ C5C876CCFC083FF3B128F933823E87BD ] vdrvroot C:\windows\system32\drivers\vdrvroot.sys
17:35:06.0357 6888 vdrvroot - ok
17:35:06.0399 6888 [ 8D6B481601D01A456E75C3210F1830BE ] vds C:\windows\System32\vds.exe
17:35:06.0433 6888 vds - ok
17:35:06.0459 6888 [ DA4DA3F5E02943C2DC8C6ED875DE68DD ] vga C:\windows\system32\DRIVERS\vgapnp.sys
17:35:06.0464 6888 vga - ok
17:35:06.0493 6888 [ 53E92A310193CB3C03BEA963DE7D9CFC ] VgaSave C:\windows\System32\drivers\vga.sys
17:35:06.0498 6888 VgaSave - ok
17:35:06.0529 6888 [ 2CE2DF28C83AEAF30084E1B1EB253CBB ] vhdmp C:\windows\system32\drivers\vhdmp.sys
17:35:06.0542 6888 vhdmp - ok
17:35:06.0564 6888 [ E5689D93FFE4E5D66C0178761240DD54 ] viaide C:\windows\system32\drivers\viaide.sys
17:35:06.0569 6888 viaide - ok
17:35:06.0597 6888 [ D2AAFD421940F640B407AEFAAEBD91B0 ] volmgr C:\windows\system32\drivers\volmgr.sys
17:35:06.0603 6888 volmgr - ok
17:35:06.0630 6888 [ A255814907C89BE58B79EF2F189B843B ] volmgrx C:\windows\system32\drivers\volmgrx.sys
17:35:06.0644 6888 volmgrx - ok
17:35:06.0681 6888 [ 0D08D2F3B3FF84E433346669B5E0F639 ] volsnap C:\windows\system32\drivers\volsnap.sys
17:35:06.0693 6888 volsnap - ok
17:35:06.0727 6888 [ 5E2016EA6EBACA03C04FEAC5F330D997 ] vsmraid C:\windows\system32\drivers\vsmraid.sys
17:35:06.0734 6888 vsmraid - ok
17:35:06.0806 6888 [ B60BA0BC31B0CB414593E169F6F21CC2 ] VSS C:\windows\system32\vssvc.exe
17:35:06.0866 6888 VSS - ok
17:35:06.0899 6888 [ 36D4720B72B5C5D9CB2B9C29E9DF67A1 ] vwifibus C:\windows\system32\DRIVERS\vwifibus.sys
17:35:06.0905 6888 vwifibus - ok
17:35:06.0928 6888 [ 6A3D66263414FF0D6FA754C646612F3F ] vwififlt C:\windows\system32\DRIVERS\vwififlt.sys
17:35:06.0935 6888 vwififlt - ok
17:35:06.0956 6888 [ 6A638FC4BFDDC4D9B186C28C91BD1A01 ] vwifimp C:\windows\system32\DRIVERS\vwifimp.sys
17:35:06.0962 6888 vwifimp - ok
17:35:07.0013 6888 [ 1C9D80CC3849B3788048078C26486E1A ] W32Time C:\windows\system32\w32time.dll
17:35:07.0031 6888 W32Time - ok
17:35:07.0064 6888 [ 4E9440F4F152A7B944CB1663D3935A3E ] WacomPen C:\windows\system32\drivers\wacompen.sys
17:35:07.0069 6888 WacomPen - ok
17:35:07.0105 6888 [ 356AFD78A6ED4457169241AC3965230C ] WANARP C:\windows\system32\DRIVERS\wanarp.sys
17:35:07.0112 6888 WANARP - ok
17:35:07.0131 6888 [ 356AFD78A6ED4457169241AC3965230C ] Wanarpv6 C:\windows\system32\DRIVERS\wanarp.sys
17:35:07.0135 6888 Wanarpv6 - ok
17:35:07.0262 6888 [ 3CEC96DE223E49EAAE3651FCF8FAEA6C ] WatAdminSvc C:\windows\system32\Wat\WatAdminSvc.exe
17:35:07.0318 6888 WatAdminSvc - ok
17:35:07.0402 6888 [ 78F4E7F5C56CB9716238EB57DA4B6A75 ] wbengine C:\windows\system32\wbengine.exe
17:35:07.0471 6888 wbengine - ok
17:35:07.0503 6888 [ 3AA101E8EDAB2DB4131333F4325C76A3 ] WbioSrvc C:\windows\System32\wbiosrvc.dll
17:35:07.0524 6888 WbioSrvc - ok
17:35:07.0556 6888 [ 7368A2AFD46E5A4481D1DE9D14848EDD ] wcncsvc C:\windows\System32\wcncsvc.dll
17:35:07.0590 6888 wcncsvc - ok
17:35:07.0624 6888 [ 20F7441334B18CEE52027661DF4A6129 ] WcsPlugInService C:\windows\System32\WcsPlugInService.dll
17:35:07.0638 6888 WcsPlugInService - ok
17:35:07.0673 6888 [ 72889E16FF12BA0F235467D6091B17DC ] Wd C:\windows\system32\drivers\wd.sys
17:35:07.0682 6888 Wd - ok
17:35:07.0723 6888 [ 441BD2D7B4F98134C3A4F9FA570FD250 ] Wdf01000 C:\windows\system32\drivers\Wdf01000.sys
17:35:07.0770 6888 Wdf01000 - ok
17:35:07.0802 6888 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiServiceHost C:\windows\system32\wdi.dll
17:35:07.0824 6888 WdiServiceHost - ok
17:35:07.0846 6888 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiSystemHost C:\windows\system32\wdi.dll
17:35:07.0859 6888 WdiSystemHost - ok
17:35:07.0909 6888 [ 3DB6D04E1C64272F8B14EB8BC4616280 ] WebClient C:\windows\System32\webclnt.dll
17:35:07.0953 6888 WebClient - ok
17:35:07.0985 6888 [ C749025A679C5103E575E3B48E092C43 ] Wecsvc C:\windows\system32\wecsvc.dll
17:35:08.0008 6888 Wecsvc - ok
17:35:08.0036 6888 [ 7E591867422DC788B9E5BD337A669A08 ] wercplsupport C:\windows\System32\wercplsupport.dll
17:35:08.0070 6888 wercplsupport - ok
17:35:08.0108 6888 [ 6D137963730144698CBD10F202E9F251 ] WerSvc C:\windows\System32\WerSvc.dll
17:35:08.0141 6888 WerSvc - ok
17:35:08.0184 6888 [ 611B23304BF067451A9FDEE01FBDD725 ] WfpLwf C:\windows\system32\DRIVERS\wfplwf.sys
17:35:08.0189 6888 WfpLwf - ok
17:35:08.0236 6888 [ B14EF15BD757FA488F9C970EEE9C0D35 ] WimFltr C:\windows\system32\DRIVERS\wimfltr.sys
17:35:08.0244 6888 WimFltr - ok
17:35:08.0266 6888 [ 05ECAEC3E4529A7153B3136CEB49F0EC ] WIMMount C:\windows\system32\drivers\wimmount.sys
17:35:08.0271 6888 WIMMount - ok
17:35:08.0292 6888 WinDefend - ok
17:35:08.0317 6888 WinHttpAutoProxySvc - ok
17:35:08.0804 6888 [ 19B07E7E8915D701225DA41CB3877306 ] Winmgmt C:\windows\system32\wbem\WMIsvc.dll
17:35:08.0814 6888 Winmgmt - ok
17:35:08.0920 6888 [ BCB1310604AA415C4508708975B3931E ] WinRM C:\windows\system32\WsmSvc.dll
17:35:08.0990 6888 WinRM - ok
17:35:09.0046 6888 [ 4FADA86E62F18A1B2F42BA18AE24E6AA ] Wlansvc C:\windows\System32\wlansvc.dll
17:35:09.0069 6888 Wlansvc - ok
17:35:09.0123 6888 [ 06C8FA1CF39DE6A735B54D906BA791C6 ] wlcrasvc C:\Program Files\Windows Live\Mesh\wlcrasvc.exe
17:35:09.0128 6888 wlcrasvc - ok
17:35:09.0314 6888 [ 2BACD71123F42CEA603F4E205E1AE337 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
17:35:09.0379 6888 wlidsvc - ok
17:35:09.0416 6888 [ F6FF8944478594D0E414D3F048F0D778 ] WmiAcpi C:\windows\system32\DRIVERS\wmiacpi.sys
17:35:09.0420 6888 WmiAcpi - ok
17:35:09.0454 6888 [ 38B84C94C5A8AF291ADFEA478AE54F93 ] wmiApSrv C:\windows\system32\wbem\WmiApSrv.exe
17:35:09.0461 6888 wmiApSrv - ok
17:35:09.0487 6888 WMPNetworkSvc - ok
17:35:09.0523 6888 [ 96C6E7100D724C69FCF9E7BF590D1DCA ] WPCSvc C:\windows\System32\wpcsvc.dll
17:35:09.0535 6888 WPCSvc - ok
17:35:09.0562 6888 [ 93221146D4EBBF314C29B23CD6CC391D ] WPDBusEnum C:\windows\system32\wpdbusenum.dll
17:35:09.0585 6888 WPDBusEnum - ok
17:35:09.0618 6888 [ 6BCC1D7D2FD2453957C5479A32364E52 ] ws2ifsl C:\windows\system32\drivers\ws2ifsl.sys
17:35:09.0622 6888 ws2ifsl - ok
17:35:09.0646 6888 [ E8B1FE6669397D1772D8196DF0E57A9E ] wscsvc C:\windows\System32\wscsvc.dll
17:35:09.0660 6888 wscsvc - ok
17:35:09.0670 6888 WSearch - ok
17:35:09.0828 6888 [ D9EF901DCA379CFE914E9FA13B73B4C4 ] wuauserv C:\windows\system32\wuaueng.dll
17:35:09.0924 6888 wuauserv - ok
17:35:09.0947 6888 [ D3381DC54C34D79B22CEE0D65BA91B7C ] WudfPf C:\windows\system32\drivers\WudfPf.sys
17:35:09.0953 6888 WudfPf - ok
17:35:09.0984 6888 [ CF8D590BE3373029D57AF80914190682 ] WUDFRd C:\windows\system32\DRIVERS\WUDFRd.sys
17:35:09.0991 6888 WUDFRd - ok
17:35:10.0029 6888 [ 7A95C95B6C4CF292D689106BCAE49543 ] wudfsvc C:\windows\System32\WUDFSvc.dll
17:35:10.0041 6888 wudfsvc - ok
17:35:10.0074 6888 [ 9A3452B3C2A46C073166C5CF49FAD1AE ] WwanSvc C:\windows\System32\wwansvc.dll
17:35:10.0096 6888 WwanSvc - ok
17:35:10.0159 6888 ================ Scan global ===============================
17:35:10.0198 6888 [ BA0CD8C393E8C9F83354106093832C7B ] C:\windows\system32\basesrv.dll
17:35:10.0265 6888 [ F46BBAAC1C4980F4D0DD463F190A42D3 ] C:\windows\system32\winsrv.dll
17:35:10.0309 6888 [ F46BBAAC1C4980F4D0DD463F190A42D3 ] C:\windows\system32\winsrv.dll
17:35:10.0348 6888 [ D6160F9D869BA3AF0B787F971DB56368 ] C:\windows\system32\sxssrv.dll
17:35:10.0386 6888 [ 24ACB7E5BE595468E3B9AA488B9B4FCB ] C:\windows\system32\services.exe
17:35:10.0409 6888 [Global] - ok
17:35:10.0410 6888 ================ Scan MBR ==================================
17:35:10.0434 6888 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
17:35:17.0504 6888 \Device\Harddisk0\DR0 - ok
17:35:17.0506 6888 ================ Scan VBR ==================================
17:35:17.0530 6888 [ B4A651EA79A9998884DA67ECFFB5E2E7 ] \Device\Harddisk0\DR0\Partition1
17:35:17.0562 6888 \Device\Harddisk0\DR0\Partition1 - ok
17:35:17.0592 6888 [ 9353CF31A6EC515E78353D1600509A2F ] \Device\Harddisk0\DR0\Partition2
17:35:17.0638 6888 \Device\Harddisk0\DR0\Partition2 - ok
17:35:17.0639 6888 ============================================================
17:35:17.0639 6888 Scan finished
17:35:17.0639 6888 ============================================================
17:35:17.0670 5020 Detected object count: 0
17:35:17.0671 5020 Actual detected object count: 0
17:35:21.0574 6932 Deinitialize success

Other logs wouldn't fit and will be put in the following posts.

Thanks,

Colin.
ColinL

Re: Metropolitan Police Ransomeware

Unread post by ColinL » October 21st, 2012, 1:36 pm

OTL

OTL logfile created on: 21/10/2012 17:36:19 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Jacklyn\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.61 Gb Total Physical Memory | 2.40 Gb Available Physical Memory | 66.47% Memory free
7.21 Gb Paging File | 4.96 Gb Available in Paging File | 68.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 341.85 Gb Free Space | 75.80% Space Free | Partition Type: NTFS

Computer Name: JACKLYN-PC | User Name: Jacklyn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/21 15:03:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jacklyn\Desktop\OTL.exe
PRC - [2012/10/19 20:35:25 | 001,199,576 | ---- | M] (Spotify Ltd) -- C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
PRC - [2012/08/21 10:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/07/27 13:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/02/01 11:50:58 | 000,968,048 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
PRC - [2011/10/01 08:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 08:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/09/10 10:43:18 | 000,018,432 | ---- | M] (Apache Software Foundation) -- C:\xampp\apache\bin\httpd.exe
PRC - [2011/09/10 10:43:18 | 000,018,432 | ---- | M] (Apache Software Foundation) -- c:\xampp\apache\bin\httpd.exe
PRC - [2011/09/09 18:46:10 | 008,158,720 | ---- | M] () -- c:\xampp\mysql\bin\mysqld.exe
PRC - [2011/09/06 18:29:20 | 004,259,648 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
PRC - [2011/08/18 16:05:54 | 002,751,808 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
PRC - [2011/08/18 16:05:46 | 001,692,480 | ---- | M] (SoftThinks SAS) -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
PRC - [2011/08/08 18:26:12 | 000,475,200 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
PRC - [2011/08/08 18:26:00 | 002,034,752 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
PRC - [2011/08/01 18:56:48 | 000,460,096 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
PRC - [2011/03/04 12:45:08 | 001,529,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2010/11/17 16:35:34 | 000,514,544 | ---- | M] () -- C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe


========== Modules (No Company Name) ==========

MOD - [2012/10/10 11:06:15 | 000,460,312 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\ppgooglenaclpluginchrome.dll
MOD - [2012/10/10 11:06:13 | 012,435,992 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\PepperFlash\pepflashplayer.dll
MOD - [2012/10/10 11:06:12 | 004,005,912 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\pdf.dll
MOD - [2012/10/10 11:04:57 | 000,578,072 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\libglesv2.dll
MOD - [2012/10/10 11:04:55 | 000,123,928 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\libegl.dll
MOD - [2012/10/10 11:04:44 | 000,156,712 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\avutil-51.dll
MOD - [2012/10/10 11:04:43 | 000,275,496 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\avformat-54.dll
MOD - [2012/10/10 11:04:42 | 002,168,360 | ---- | M] () -- C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\avcodec-54.dll
MOD - [2012/06/14 10:57:43 | 014,340,608 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll
MOD - [2012/06/14 10:56:44 | 012,436,480 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012/06/14 10:56:24 | 001,591,808 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012/06/14 10:56:16 | 012,237,824 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll
MOD - [2012/06/12 23:17:32 | 002,297,856 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll
MOD - [2012/06/11 16:05:52 | 000,368,128 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll
MOD - [2012/06/11 16:00:54 | 003,347,968 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll
MOD - [2012/06/11 16:00:39 | 005,452,800 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/06/11 16:00:28 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/06/11 16:00:25 | 007,967,232 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/06/11 16:00:05 | 011,492,864 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012/02/01 11:50:58 | 000,968,048 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
MOD - [2012/02/01 11:44:34 | 008,151,040 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtGui4.dll
MOD - [2012/02/01 11:44:34 | 002,278,400 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtCore4.dll
MOD - [2011/08/18 16:05:54 | 002,751,808 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
MOD - [2011/08/08 18:26:12 | 000,475,200 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
MOD - [2011/08/08 18:26:00 | 002,034,752 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
MOD - [2011/07/21 08:36:00 | 000,327,744 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\en-US\UI\ManagerUI.dll
MOD - [2011/07/17 10:35:36 | 000,058,944 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\DataService.dll
MOD - [2011/06/24 23:20:26 | 000,565,968 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\sqlite3.dll
MOD - [2010/11/25 04:44:02 | 000,375,280 | ---- | M] () -- c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\SQLite352.dll
MOD - [2010/11/17 16:35:34 | 000,514,544 | ---- | M] () -- C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
MOD - [2010/03/22 15:52:42 | 006,776,832 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\QtGui4.dll
MOD - [2010/03/16 20:28:28 | 000,326,144 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\QtXml4.dll
MOD - [2010/03/16 20:28:16 | 000,635,904 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\QtNetwork4.dll
MOD - [2010/03/16 20:28:04 | 001,926,144 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\QtCore4.dll
MOD - [2010/03/11 19:52:34 | 000,225,280 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qmng4.dll
MOD - [2010/03/11 19:52:34 | 000,028,160 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qgif4.dll
MOD - [2010/03/05 15:07:58 | 000,125,952 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qjpeg4.dll
MOD - [2010/03/05 15:07:58 | 000,031,744 | ---- | M] () -- C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qico4.dll


========== Services (SafeList) ==========

SRV:64bit: - [2012/08/21 10:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2011/08/06 07:14:06 | 000,365,568 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV:64bit: - [2011/07/14 02:15:36 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011/05/27 20:06:16 | 000,301,568 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Program Files\IDT\WDM\stacsv64.exe -- (STacSV)
SRV:64bit: - [2010/09/23 00:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/03/03 11:42:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\IDT\WDM\AESTSr64.exe -- (AESTFilters)
SRV - [2012/10/09 17:51:24 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/27 13:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/10/01 08:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 08:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/09/10 10:43:18 | 000,018,432 | ---- | M] (Apache Software Foundation) [Auto | Running] -- c:\xampp\apache\bin\httpd.exe -- (Apache2.2)
SRV - [2011/09/09 18:46:10 | 008,158,720 | ---- | M] () [Auto | Running] -- c:\xampp\mysql\bin\mysqld.exe -- (mysql)
SRV - [2011/08/18 16:05:46 | 001,692,480 | ---- | M] (SoftThinks SAS) [Auto | Running] -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe -- (SftService)
SRV - [2011/03/04 12:45:08 | 001,529,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010/11/25 11:34:18 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
SRV - [2010/11/25 11:33:18 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2010/03/18 20:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/09/17 21:15:51 | 000,560,184 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2012/08/21 10:13:13 | 000,969,200 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2012/08/21 10:13:13 | 000,359,464 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2012/08/21 10:13:13 | 000,059,728 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2012/08/21 10:13:12 | 000,071,600 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2012/08/21 10:13:12 | 000,054,072 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2012/08/21 10:13:11 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/08/17 22:26:48 | 000,025,584 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Stopped] -- c:\Program Files\Dell Support Center\pcdsrvc_x64.pkms -- (PCDSRVC{1E208CE0-FB7451FF-06020101}_0)
DRV:64bit: - [2012/03/01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/10/01 08:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2011/10/01 08:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2011/10/01 08:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2011/10/01 08:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2011/07/14 03:00:06 | 009,978,880 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/07/14 01:33:58 | 000,309,248 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/06/16 23:08:26 | 000,040,064 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata)
DRV:64bit: - [2011/06/16 23:08:24 | 000,079,488 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata)
DRV:64bit: - [2011/06/10 06:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/06/07 02:07:00 | 000,231,440 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011/05/27 20:06:16 | 000,528,384 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA)
DRV:64bit: - [2011/04/22 02:17:10 | 002,727,424 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2011/04/01 04:35:12 | 000,355,960 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2011/03/11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/03/04 12:51:50 | 000,306,536 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV:64bit: - [2011/01/20 17:20:46 | 000,176,096 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV:64bit: - [2010/12/16 07:06:46 | 000,047,232 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV:64bit: - [2010/11/21 04:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 04:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 04:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/30 01:11:42 | 000,250,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/03/19 09:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2010/02/18 15:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2010/02/08 08:32:00 | 000,014,992 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CVirtA64.sys -- (CVirtA)
DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/11/16 18:39:44 | 000,157,968 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dne64x.sys -- (DNE)
DRV:64bit: - [2006/11/01 18:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{2F1E335A-858A-4BE9-8F6B-D0AF1D018B53}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{2F1E335A-858A-4BE9-8F6B-D0AF1D018B53}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found
IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Jacklyn\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Jacklyn\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\electronicarts.com/GameFacePlugin: C:\Users\Jacklyn\AppData\Roaming\Electronic Arts\Game Face\npGameFacePlugin.dll (Electronic Arts)



========== Chrome ==========

CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms},
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Jacklyn\AppData\Local\Google\Chrome\Application\22.0.1229.94\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java(TM) Platform SE 7 U4 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.40.255 (Enabled) = C:\windows\SysWOW64\npDeployJava1.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
CHR - plugin: WildTangent Games App V2 Presence Detector (Enabled) = C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Jacklyn\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~2\mcafee\msc\npmcsn~1.dll
CHR - Extension: YouTube = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Fast save = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpgkoeinjnkgcieloaioiohencfcjjjc\1.1_0\
CHR - Extension: Funmoods = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\
CHR - Extension: Funmoods = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\
CHR - Extension: avast! WebRep = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1466_0\
CHR - Extension: EXIF Reader = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nchnjcdahncnilbicljpnbfobpnljnki\2.7.4_0\
CHR - Extension: Gmail = C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2009/06/10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll File not found
O2 - BHO: (no name) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found.
O3 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\Toolbar\WebBrowser: (no name) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No CLSID value found.
O3 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [DellStage] C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe ()
O4:64bit: - HKLM..\Run: [QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4:64bit: - HKLM..\Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe ()
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AccuWeatherWidget] C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe (Dell, Inc.)
O4 - HKLM..\Run: [Desktop Disc Tool] c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [RoxWatchTray] c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe (Sonic Solutions)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001..\Run: [Spotify] C:\Users\Jacklyn\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
O4 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001..\Run: [Spotify Web Helper] C:\Users\Jacklyn\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Jacklyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk = C:\ProgramData\lsass.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Policies\Microsoft\Internet Explorer\restrictions present
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87D899B5-EEBA-4AC0-AD7F-31EF7DE59B20}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\Shell - "" = AutoRun
O33 - MountPoints2\{31cd2339-b4d3-11e1-857d-24b6fd349c29}\Shell\AutoRun\command - "" = E:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/21 15:02:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Jacklyn\Desktop\OTL.exe
[2012/10/21 14:59:49 | 002,213,464 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Jacklyn\Desktop\tdsskiller.exe
[2012/10/19 20:22:40 | 000,687,724 | R--- | C] (Swearware) -- C:\Users\Jacklyn\Desktop\dds.scr
[2012/10/19 19:40:55 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\Desktop\HJT
[2012/10/19 19:40:55 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2012/10/19 19:35:25 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2012/10/19 19:35:24 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Roaming\TestApp
[2012/10/19 19:22:01 | 000,000,000 | ---D | C] -- C:\windows\pss
[2012/10/19 18:46:32 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{6DA5DAD7-0C5E-4638-AE98-8A31B838EB27}
[2012/10/19 00:59:24 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\ProgramData\lsass.exe
[2012/10/14 19:37:13 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\Dell Edoc Viewer
[2012/10/13 02:27:59 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{66A6EFE5-84F2-49F7-8620-33D118BFF744}
[2012/10/12 13:47:45 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{E66C16C7-A407-439A-AEFB-0BA9FD6B190A}
[2012/10/11 17:03:54 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{EE4A6E54-3801-42B0-97C0-920EA687968D}
[2012/10/10 18:18:43 | 005,559,664 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntoskrnl.exe
[2012/10/10 18:18:40 | 003,914,096 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntoskrnl.exe
[2012/10/10 18:18:39 | 003,968,880 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntkrnlpa.exe
[2012/10/10 18:18:22 | 001,162,240 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\kernel32.dll
[2012/10/10 18:18:22 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\KernelBase.dll
[2012/10/10 18:18:21 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\conhost.exe
[2012/10/10 18:18:21 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\winsrv.dll
[2012/10/10 18:18:19 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64.dll
[2012/10/10 18:18:19 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\setup16.exe
[2012/10/10 18:18:18 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64win.dll
[2012/10/10 18:18:18 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntvdm64.dll
[2012/10/10 18:18:18 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntvdm64.dll
[2012/10/10 18:18:18 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64cpu.dll
[2012/10/10 18:18:18 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wow32.dll
[2012/10/10 18:18:18 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2012/10/10 18:18:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2012/10/10 18:18:17 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2012/10/10 18:18:17 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2012/10/10 18:18:17 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/10/10 18:18:17 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/10/10 18:18:17 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2012/10/10 18:18:17 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2012/10/10 18:18:17 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/10/10 18:18:17 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2012/10/10 18:18:16 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\instnm.exe
[2012/10/10 18:18:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2012/10/10 18:18:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2012/10/10 18:18:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2012/10/10 18:18:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2012/10/10 18:18:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2012/10/10 18:18:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2012/10/10 18:18:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2012/10/10 18:18:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2012/10/10 18:18:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2012/10/10 18:18:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2012/10/10 18:18:14 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2012/10/10 18:18:14 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2012/10/10 18:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2012/10/10 18:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2012/10/10 18:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2012/10/10 18:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2012/10/10 18:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/10/10 18:18:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/10/10 18:18:13 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2012/10/10 18:18:13 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2012/10/10 18:18:13 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2012/10/10 18:18:13 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2012/10/10 18:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2012/10/10 18:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2012/10/10 18:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2012/10/10 18:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2012/10/10 18:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2012/10/10 18:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2012/10/10 18:18:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2012/10/10 18:18:12 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2012/10/10 18:18:12 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2012/10/10 18:18:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2012/10/10 18:18:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2012/10/10 18:18:11 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\user.exe
[2012/10/10 18:17:53 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wintrust.dll
[2012/10/10 18:17:03 | 001,464,320 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\crypt32.dll
[2012/10/10 18:17:01 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\cryptnet.dll
[2012/10/01 17:51:41 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{1C90144F-9726-4D9F-8A38-FEA2D8844A41}
[2012/09/30 17:22:47 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\Microsoft Games
[2012/09/30 12:12:53 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{6AC53B89-442E-457A-A288-9CF6177AC8CB}
[2012/09/28 08:03:00 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{5862D5A3-519F-4D8E-B3FD-834C0E795F71}
[2012/09/27 03:00:30 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{40B50D8C-E0E5-4700-87EE-06A75F1C518A}
[2012/09/26 19:47:56 | 000,245,760 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\OxpsConverter.exe
[2012/09/26 10:51:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco Systems VPN Client
[2012/09/26 10:51:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Deterministic Networks
[2012/09/26 10:51:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Cisco Systems
[2012/09/26 00:51:06 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{1AA034B2-E608-4C51-B130-55B365A28467}
[2012/09/25 07:10:36 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mshtmled.dll
[2012/09/25 07:10:35 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmled.dll
[2012/09/25 07:10:33 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieui.dll
[2012/09/25 07:10:32 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieui.dll
[2012/09/25 07:10:32 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieUnatt.exe
[2012/09/25 07:10:32 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieUnatt.exe
[2012/09/25 07:10:31 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\url.dll
[2012/09/25 07:10:31 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\url.dll
[2012/09/25 07:10:27 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\inetcpl.cpl
[2012/09/25 07:10:27 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\inetcpl.cpl
[2012/09/25 07:10:26 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\jscript9.dll
[2012/09/25 07:10:25 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msfeeds.dll
[2012/09/25 07:10:13 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\jscript.dll
[2012/09/25 07:10:12 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\vbscript.dll
[2012/09/25 07:10:10 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\jscript.dll
[2012/09/25 00:49:26 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{5CB659D4-4BF9-4BB7-A104-8B694C4E88A9}
[2012/09/22 13:42:23 | 000,000,000 | ---D | C] -- C:\Users\Jacklyn\AppData\Local\{FA0F6A67-6B65-45C8-9ABA-F5EACD1F0D06}
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/10/21 16:56:00 | 000,000,916 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2611650137-3530031623-2658461397-1001UA.job
[2012/10/21 16:51:01 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/10/21 15:56:01 | 000,000,864 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2611650137-3530031623-2658461397-1001Core.job
[2012/10/21 15:36:08 | 000,165,376 | ---- | M] () -- C:\Users\Jacklyn\Desktop\SystemLook_x64.exe
[2012/10/21 15:03:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jacklyn\Desktop\OTL.exe
[2012/10/21 14:59:58 | 002,213,464 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Jacklyn\Desktop\tdsskiller.exe
[2012/10/21 14:57:47 | 000,020,928 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/21 14:57:47 | 000,020,928 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/21 14:49:58 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/10/21 14:49:48 | 2903,519,232 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/21 02:03:34 | 003,913,092 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2012/10/21 02:03:34 | 001,773,738 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2012/10/21 02:03:34 | 000,006,498 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2012/10/19 20:22:50 | 000,687,724 | R--- | M] (Swearware) -- C:\Users\Jacklyn\Desktop\dds.scr
[2012/10/19 19:40:55 | 000,002,997 | ---- | M] () -- C:\Users\Jacklyn\Desktop\HiJackThis.lnk
[2012/10/19 18:50:31 | 000,000,624 | ---- | M] () -- C:\windows\SysNative\drivers\kgpcpy.cfg
[2012/10/19 02:20:44 | 083,023,306 | ---- | M] () -- C:\ProgramData\erolpxei.pad
[2012/10/19 00:59:27 | 000,000,816 | ---- | M] () -- C:\Users\Jacklyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012/10/19 00:59:24 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\ProgramData\lsass.exe
[2012/10/09 18:09:01 | 000,017,689 | ---- | M] () -- C:\Users\Jacklyn\Desktop\division_singles_entry_forms.pdf
[2012/10/09 18:08:16 | 000,110,193 | ---- | M] () -- C:\Users\Jacklyn\Desktop\super_cups.pdf
[2012/10/09 18:07:37 | 000,026,422 | ---- | M] () -- C:\Users\Jacklyn\Desktop\division_2_cup.pdf
[2012/10/09 17:51:23 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerApp.exe
[2012/10/09 17:51:22 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/09/28 12:30:50 | 000,002,100 | -H-- | M] () -- C:\Users\Jacklyn\Documents\Default.rdp
[2012/09/26 10:52:24 | 000,001,594 | ---- | M] () -- C:\windows\VPNInstall.MIF
[2012/09/26 10:51:15 | 000,002,653 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
[2012/09/24 23:16:58 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\windows\SysWow64\npDeployJava1.dll
[2012/09/24 23:16:53 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\windows\SysWow64\deployJava1.dll
[2012/09/23 00:20:48 | 000,584,259 | ---- | M] () -- C:\Users\Jacklyn\Desktop\Other Events.pdf
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/10/21 15:36:06 | 000,165,376 | ---- | C] () -- C:\Users\Jacklyn\Desktop\SystemLook_x64.exe
[2012/10/19 19:40:55 | 000,002,997 | ---- | C] () -- C:\Users\Jacklyn\Desktop\HiJackThis.lnk
[2012/10/19 18:50:09 | 000,000,624 | ---- | C] () -- C:\windows\SysNative\drivers\kgpcpy.cfg
[2012/10/19 00:59:27 | 000,000,816 | ---- | C] () -- C:\Users\Jacklyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012/10/19 00:59:25 | 083,023,306 | ---- | C] () -- C:\ProgramData\erolpxei.pad
[2012/10/09 18:09:00 | 000,017,689 | ---- | C] () -- C:\Users\Jacklyn\Desktop\division_singles_entry_forms.pdf
[2012/10/09 18:08:16 | 000,110,193 | ---- | C] () -- C:\Users\Jacklyn\Desktop\super_cups.pdf
[2012/10/09 18:07:36 | 000,026,422 | ---- | C] () -- C:\Users\Jacklyn\Desktop\division_2_cup.pdf
[2012/09/26 11:01:42 | 000,002,100 | -H-- | C] () -- C:\Users\Jacklyn\Documents\Default.rdp
[2012/09/26 10:52:24 | 000,001,594 | ---- | C] () -- C:\windows\VPNInstall.MIF
[2012/09/26 10:51:15 | 000,002,653 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
[2012/09/23 00:20:46 | 000,584,259 | ---- | C] () -- C:\Users\Jacklyn\Desktop\Other Events.pdf
[2012/06/15 22:14:39 | 000,819,200 | -HS- | C] () -- C:\windows\SysWow64\xvidcore.dll
[2012/06/15 22:14:39 | 000,180,224 | -HS- | C] () -- C:\windows\SysWow64\xvidvfw.dll
[2012/06/14 00:20:06 | 000,000,287 | ---- | C] () -- C:\windows\SIERRA.INI
[2012/06/13 19:45:23 | 000,197,120 | ---- | C] () -- C:\windows\patchw32.dll
[2012/06/11 21:38:29 | 000,031,470 | ---- | C] () -- C:\Users\Jacklyn\AppData\Local\funmoods.crx
[2012/03/28 04:53:00 | 000,003,929 | ---- | C] () -- C:\windows\SysWow64\atipblag.dat
[2012/03/28 03:15:37 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin
[2012/03/28 03:06:11 | 000,017,776 | ---- | C] () -- C:\windows\EvtMessage.dll
[2012/02/26 13:02:17 | 000,000,096 | ---- | C] () -- C:\windows\LaunApp.ini
[2012/02/26 13:02:12 | 000,000,325 | ---- | C] () -- C:\windows\Prelaunch.ini
[2012/02/26 13:02:12 | 000,000,271 | ---- | C] () -- C:\windows\WisPriority.ini
[2012/02/26 13:02:12 | 000,000,035 | ---- | C] () -- C:\windows\DELL_LANGCODE.ini
[2012/02/26 13:02:12 | 000,000,033 | ---- | C] () -- C:\windows\DELL_OSTYPE.ini
[2012/02/26 13:02:12 | 000,000,032 | ---- | C] () -- C:\windows\WisHWDest.ini
[2012/02/26 13:02:12 | 000,000,028 | ---- | C] () -- C:\windows\WisLangCode.ini
[2012/02/26 13:02:12 | 000,000,023 | ---- | C] () -- C:\windows\WisSysInfo.ini
[2012/02/26 11:54:12 | 000,788,116 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/07/14 00:55:06 | 000,053,760 | ---- | C] () -- C:\windows\SysWow64\OVDecode.dll

========== ZeroAccess Check ==========

[2009/07/14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 04:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/06/13 20:06:33 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Atari
[2012/09/17 21:21:27 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\DAEMON Tools Pro
[2012/08/06 11:26:28 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Electronic Arts
[2012/06/10 23:01:22 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Fingertapps
[2012/07/25 10:33:39 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\IDT
[2012/06/10 23:01:05 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Leadertech
[2012/06/14 17:50:58 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\PCDr
[2012/10/16 17:40:22 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\SoftGrid Client
[2012/06/28 05:14:59 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\SPORE
[2012/10/21 14:58:44 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Spotify
[2012/10/19 19:35:24 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\TestApp
[2012/06/25 23:04:07 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\TP
[2012/08/29 21:14:57 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\Unity
[2012/06/19 19:35:01 | 000,000,000 | ---D | M] -- C:\Users\Jacklyn\AppData\Roaming\WildTangent

========== Purity Check ==========



< End of report >

Extras

OTL Extras logfile created on: 21/10/2012 17:36:19 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Jacklyn\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.61 Gb Total Physical Memory | 2.40 Gb Available Physical Memory | 66.47% Memory free
7.21 Gb Paging File | 4.96 Gb Available in Paging File | 68.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 341.85 Gb Free Space | 75.80% Space Free | Partition Type: NTFS

Computer Name: JACKLYN-PC | User Name: Jacklyn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03587A81-B4C8-44FA-8284-2C8E8AAA0498}" = rport=10243 | protocol=6 | dir=out | app=system |
"{05C442DC-D99A-4019-B3CC-7FF071814D27}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{18D28917-6174-4BBC-B01B-BF2376C4AB42}" = lport=10243 | protocol=6 | dir=in | app=system |
"{237E9FED-C353-4587-91C7-B00FAF66CB8D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{23C614EE-E28B-47F5-82EF-5EE044263497}" = rport=137 | protocol=17 | dir=out | app=system |
"{24177875-A199-4CCA-B47F-8BDC97E20117}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{345B7DEE-438B-49ED-8BB0-613000F22CEE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{353D6EBC-EFC3-4753-8567-518AB842BA5D}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{56582ED5-FC87-4558-86C3-FC4B2BCFEB79}" = lport=2869 | protocol=6 | dir=in | app=system |
"{61EFB818-04A2-45B1-964C-AE79A2E8FDB6}" = lport=138 | protocol=17 | dir=in | app=system |
"{6399185B-EFF3-4D6D-92CD-65A412B05DAA}" = lport=137 | protocol=17 | dir=in | app=system |
"{64792C8F-1E76-4EB0-84C6-550689FF0CE5}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7E558730-F542-481E-9B2D-C9C2338EBE86}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{81D35255-4CD1-4599-AE78-C9E834593852}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{82AE8E11-B7EB-4A75-9F01-F72DD61E9175}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{99D163DE-CCB1-4EB1-9E7B-B99567CB952F}" = rport=138 | protocol=17 | dir=out | app=system |
"{AE0B1B47-34A0-4195-9DC6-6A93F816D662}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B08D657C-A854-449F-B5EE-104CE9312707}" = lport=445 | protocol=6 | dir=in | app=system |
"{B523B65F-9032-4986-9B77-377D52C6B2A9}" = rport=139 | protocol=6 | dir=out | app=system |
"{BE04528A-AD4D-473A-ADA6-BE643D0EFE18}" = rport=445 | protocol=6 | dir=out | app=system |
"{C4A956EB-192B-4E4E-A095-D7E1BC9A4296}" = lport=139 | protocol=6 | dir=in | app=system |
"{C5B3AAF1-0BFD-453F-8915-1157B34CCAA6}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{EE4D6131-829F-4502-A65C-F01ED690CE99}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A2DFCD5-609A-4C9A-A3D8-E001F3E70130}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{167D240E-A73D-48B7-9AAF-5AB9C7D408E7}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{19FDA39B-E19B-406D-94EC-19DC973C3224}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}" = protocol=6 | dir=in | app=c:\program files (x86)\vuze\azureus.exe |
"{2BA0CFBD-32B3-4B8F-A342-688FEF12800E}" = protocol=17 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"{33985FE9-540B-4DA2-8087-1DFD354D7BF2}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremoteservice.exe |
"{35E0178B-CC86-4E56-9BFF-D2FEEE03B294}" = protocol=17 | dir=in | app=c:\program files (x86)\deep silver\s.t.a.l.k.e.r. - clear sky\bin\dedicated\xrengine.exe |
"{392B76EE-00F0-457E-A833-A355C34F09FB}" = protocol=6 | dir=out | app=system |
"{3A6ACD04-6E5D-4D8B-A37E-B167ED074584}" = dir=in | app=c:\program files\dell stage\dell stage\accuweather\accuweather.exe |
"{414CC7D1-6277-437D-82FF-B881A921DC80}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{444100AD-1CC8-4BEB-BC1D-5D6034668A81}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{484EF2CD-5D6C-4888-ACAB-FF72C72C9FFD}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{48B9DDE7-8CD1-46CB-8C26-C2A0895D95ED}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{4BA28F52-3522-4ED1-B7E1-D39F2B56D5CE}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremote.exe |
"{4C19E1A0-F0F8-4566-A50F-A1E3DF7BDDB8}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{4CB8862C-ACF1-4BA3-85A5-AFBE8CD5EADB}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{587F16E7-10C2-445A-8E9B-0C25E95F4CDE}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\controller.exe |
"{58B9E318-D8FC-45F2-8765-99E24CB80024}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{5D5B5D02-B32E-44C3-A173-07B7D08BE814}" = protocol=17 | dir=in | app=c:\program files (x86)\vuze\azureus.exe |
"{614A2B98-1216-47BF-9ED1-ECEC962B74B3}" = protocol=17 | dir=in | app=c:\program files (x86)\deep silver\s.t.a.l.k.e.r. - clear sky\bin\xrengine.exe |
"{6A307EBE-9FCB-43AF-93C0-77E932AC4625}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremote.exe |
"{6F2A80B5-8997-43C6-A0DC-AB5DEAB2173F}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\dmr.exe |
"{71E07BDF-1F24-43FA-9C1A-AEFBAE6C1E08}" = dir=in | app=c:\program files\dell stage\dell stage\stage_primary.exe |
"{7594C316-B235-4361-81CF-205F38A4F431}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{816873CE-0C86-42EA-8714-81430E24BD92}" = protocol=6 | dir=in | app=c:\program files (x86)\deep silver\s.t.a.l.k.e.r. - clear sky\bin\xrengine.exe |
"{84653354-AEC6-4040-8950-5022F5BC6539}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\dmr.exe |
"{86E61FAB-8719-4D4A-977D-F92AED47551C}" = dir=in | app=c:\program files\dell stage\musicstage\musicstageengine.exe |
"{8B438362-CE73-40DB-B4A8-676E5DA99D19}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremoteservice.exe |
"{8EFCB0A7-A7F0-463F-BE6D-297378048B39}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{92EC8823-FBB2-4F08-929E-B53DE037A08B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{94728F65-5CEC-407A-856B-4E689992C62B}" = protocol=6 | dir=in | app=c:\program files (x86)\deep silver\s.t.a.l.k.e.r. - clear sky\bin\dedicated\xrengine.exe |
"{95B1D254-0D07-4C55-AC8A-E0ADC4B68BA0}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{A2E2009F-AD38-41A2-8FFF-D8EB6927F837}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{A31773F8-B5D5-4186-AC26-4C6140D4CC8D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B07B710F-A591-4DE2-8742-47593EF96DC3}" = protocol=6 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
"{B4E5468E-E626-4450-9496-3FE0681E006B}" = protocol=17 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
"{B5EE4B99-D541-46AA-94DB-67A70015F9DA}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{B6CBB6C8-A97E-43B2-937D-0E5E8921A0B8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{BAEAD94D-964B-4875-A6DD-92E8A73C69B8}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{C26B62A9-6A9E-4D99-ACDB-35A674BF72F0}" = dir=in | app=c:\program files (x86)\dell\videostage\videostage.exe |
"{C26D7175-F4E5-4FE1-8D9F-998026D18216}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe |
"{C96804BF-EE8C-4577-9CA9-817717EC3A85}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\installerhelp.exe |
"{CD1E90F2-9220-459B-9E6D-654B21B38129}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\controller.exe |
"{CD6BF49D-E6B2-491F-A542-D0A3347AF2E3}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{CFF289A0-6C89-4EB1-BAA9-40D52B420F30}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{D995F622-AA56-464D-9447-1157858B5171}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DAB7C9CD-22C0-48DE-8735-E9DE35532559}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\installerhelp.exe |
"{E4CF0872-C8F1-4D64-B168-2650C89A228F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E6D22196-95E1-48DE-8742-A4E2F477EC73}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{F683ABBC-71F7-40AC-A719-D6475864ABD3}" = protocol=6 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
"{FE08CEE4-6F19-4457-AC90-A98191349AD2}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"TCP Query User{13C61F8B-A71F-4F2A-90B6-275215A5C469}C:\program files (x86)\defcon\defcon.exe" = protocol=6 | dir=in | app=c:\program files (x86)\defcon\defcon.exe |
"TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe" = protocol=6 | dir=in | app=c:\program files (x86)\vuze\azureus.exe |
"TCP Query User{A1BAEDDE-9E57-4EAC-904A-31E357591CAC}C:\xampp\apache\bin\httpd.exe" = protocol=6 | dir=in | app=c:\xampp\apache\bin\httpd.exe |
"TCP Query User{D09324D4-C497-4F49-853E-067B77CC6DCB}C:\users\jacklyn\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\jacklyn\appdata\roaming\spotify\spotify.exe |
"UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe" = protocol=17 | dir=in | app=c:\program files (x86)\vuze\azureus.exe |
"UDP Query User{6A3AF2AE-DCD0-431F-BFF1-C120818D1183}C:\xampp\apache\bin\httpd.exe" = protocol=17 | dir=in | app=c:\xampp\apache\bin\httpd.exe |
"UDP Query User{B094F9D3-7A78-4C56-B63A-9C153A9ADA2E}C:\users\jacklyn\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\jacklyn\appdata\roaming\spotify\spotify.exe |
"UDP Query User{DDF2F20E-0972-4373-A9F8-04280EB98D23}C:\program files (x86)\defcon\defcon.exe" = protocol=17 | dir=in | app=c:\program files (x86)\defcon\defcon.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{027E5FAB-1476-4C59-AAB4-32EF28520399}" = Windows Live Language Selector
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10
"{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}" = Cisco Systems VPN Client 5.0.07.0440
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{6A29BC26-68EB-EE27-0775-C6A5D9880FB8}" = ATI AVIVO64 Codecs
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{87CF757E-C1F1-4D22-865C-00C6950B5258}" = Quickset64
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D6DFAD6-09E5-445E-A4B5-A388FEEBD90D}" = RBVirtualFolder64Inst
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{AB7F413C-C973-1E76-1500-A379C6876468}" = ccc-utility64
"{D44E2164-C3EA-09BF-8396-07BFF727025A}" = AMD Media Foundation Decoders
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F6B0EA7E-5C19-7421-C2EB-927DA66A1081}" = AMD Catalyst Install Manager
"{F82DEF3B-AB08-942C-3EA9-18277410B384}" = AMD Fuel
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"PC-Doctor for Windows" = Dell Support Center
"WinRAR archiver" = WinRAR 4.20 beta 3 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0ED7EE95-6A97-47AA-AD73-152C08A15B04}" = Dell DataSafe Local Backup
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2244FF47-8247-C94C-4459-0B6F57495400}" = CCC Help Hungarian
"{2299EEBD-0A83-4B26-AA4A-057AE9E5BAE8}" = Dell Stage Remote
"{25AE6DBA-D866-1325-1F82-D6BFFA4D6110}" = CCC Help Chinese Standard
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2A0F2CC5-3065-492C-8380-B03AA7106B1A}" = Dell Product Registration
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{315B5C4F-8FB3-117A-DB04-C09D99781848}" = Catalyst Control Center Profiles Mobile
"{3250260C-7A95-4632-893B-89657EB5545B}" = PhotoShowExpress
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{33B2BCA3-DAAA-92E4-A612-1E25349CC439}" = Catalyst Control Center Localization All
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3BD7DD08-991B-4A2F-A165-614ED14EAADD}" = Dell MusicStage
"{400182B4-CA55-46A9-9D88-F8413DCFB36D}" = Blio
"{4296F858-23E0-1875-96F4-ECAC0B65B2A5}" = CCC Help Russian
"{44619C87-6A22-E5B5-B756-A4E87CF287ED}" = CCC Help Japanese
"{451517F1-7E41-400B-AA36-FB7E2563526D}" = Dell Wireless Driver Installation
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4CDFB50C-EFC7-5740-8351-9DA8327076AB}" = CCC Help Chinese Traditional
"{51F2D101-6579-CA0C-0B69-DEC94C4C7EC9}" = CCC Help German
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{58DB59A3-47B7-CB43-8AAA-400A6EB3FAD3}" = CCC Help Korean
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{63229B8B-B757-2A22-D56B-36CA72DD401B}" = CCC Help Greek
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}" = Roxio Creator Starter
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73B91779-D763-560C-2623-5835DFBC5016}" = CCC Help Thai
"{7746BFAA-2B5D-4FFD-A0E8-4558F4668105}" = Roxio Burn
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B09AC97-2063-0928-0C94-7330E4AEF4D9}" = CCC Help Danish
"{8B16758A-B4E4-F49C-76C4-13D2A067CC24}" = CCC Help Swedish
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon® 3
"{91CF243B-116F-965D-726C-89713A3B1922}" = CCC Help Norwegian
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{933FBD25-7171-D8B5-3E31-095750D6BD8C}" = CCC Help Finnish
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{97F75C51-951B-E04C-8CFD-25900D388693}" = CCC Help Polish
"{98AB97E8-FA29-02A4-941D-222C4A83DAC3}" = AMD VISION Engine Control Center
"{9A00EC4E-27E1-42C4-98DD-662F32AC8870}" = Sonic CinePlayer Decoder Pack
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A121EEDE-C68F-461D-91AA-D48BA226AF1C}" = Roxio Activation Module
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A9668246-FB70-4103-A1E3-66C9BC2EFB49}" = Dell DataSafe Local Backup - Support Software
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.4) MUI
"{AD57ECE4-976A-0447-4C4C-644C6059341F}" = CCC Help Turkish
"{AF4D3C63-009B-4A17-B02E-D395065DD3F0}" = Dell Stage Remote
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{AFEA7544-6B97-4867-A94D-1C39BA61B64F}" = Catalyst Control Center - Branding
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B106F6AB-EEC6-FCC3-1492-0A54E7B0D52E}" = CCC Help French
"{B191A02C-9F58-C0B1-6996-12C612B214E0}" = Catalyst Control Center InstallProxy
"{B62174EB-2AE6-D3A0-381D-DA9FDBF70C82}" = CCC Help Czech
"{B73009A8-78AB-47D2-9D63-99271D9457B1}" = CCC Help Italian
"{BE731865-5041-3F42-C7E9-68292DB8A044}" = Catalyst Control Center Graphics Previews Common
"{C594B957-CC60-589C-D825-E6406D8759F5}" = CCC Help Spanish
"{C5BF5D70-6C6E-915A-A3DA-F4F86ACEEFE3}" = CCC Help Portuguese
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CED8DCFA-2DD0-49EF-377A-F414B644D8E3}" = CCC Help English
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}" = Dell VideoStage
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E4335E82-17B3-460F-9E70-39D9BC269DB3}" = Dell PhotoStage
"{E50FD74A-DAAC-C9D0-F9D8-EDCDD08CAB2D}" = CCC Help Dutch
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{EA926717-CE5A-4CB4-AB21-9E6E9565A458}" = RCT3 Soaked
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EF56258E-0326-48C5-A86C-3BAC26FC15DF}" = Roxio Creator Starter
"{F06B5C4C-8D2E-4B24-9D43-7A45EEC6C878}" = Roxio Creator Starter
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{FC45E4D6-FEA5-4091-B172-4351D130C2E1}" = Dell Stage
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"avast" = avast! Free Antivirus
"Defcon_is1" = Defcon v1.6
"Dell Webcam Central" = Dell Webcam Central
"DivX Codec" = DivX Codec
"InstallShield_{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}" = Dell VideoStage
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010
"S.T.A.L.K.E.R. - Clear Sky_is1" = S.T.A.L.K.E.R. - Clear Sky [v1.0003]
"S.W.A.T. 4_is1" = S.W.A.T. 4
"VLC media player" = VLC media player 2.0.0
"WinLiveSuite" = Windows Live Essentials
"xampp" = XAMPP 1.7.7

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"EA SPORTS Game Face Browser Plugin" = EA SPORTS Game Face Browser Plugin 1.5.3.0
"Google Chrome" = Google Chrome
"Spotify" = Spotify

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 30/08/2012 17:32:53 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 30/08/2012 17:32:53 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 30/08/2012 20:24:06 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 30/08/2012 20:24:06 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 31/08/2012 04:29:15 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 31/08/2012 04:29:15 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 31/08/2012 07:46:31 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 31/08/2012 07:46:31 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 31/08/2012 09:00:49 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 31/08/2012 09:00:49 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

[ Dell Events ]
Error - 10/06/2012 18:11:23 | Computer Name = Jacklyn-PC | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 10/06/2012 18:11:23 | Computer Name = Jacklyn-PC | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/06/2012 17:29:16 | Computer Name = Jacklyn-PC | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

[ System Events ]
Error - 07/10/2012 09:20:57 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Wlansvc service.

Error - 07/10/2012 16:26:04 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the SftService service.

Error - 08/10/2012 16:32:40 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the SftService service.

Error - 10/10/2012 15:52:58 | Computer Name = Jacklyn-PC | Source = DCOM | ID = 10010
Description =

Error - 10/10/2012 15:53:10 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7024
Description = The Apache2.2 service terminated with service-specific error %%1.

Error - 11/10/2012 12:02:12 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the SftService service.

Error - 11/10/2012 12:07:03 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x800f0902: Update for Windows 7 for x64-based Systems (KB2749655).

Error - 11/10/2012 12:07:03 | Computer Name = Jacklyn-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x800f0902: Update for Windows 7 for x64-based Systems (KB2731771).

Error - 11/10/2012 12:31:09 | Computer Name = Jacklyn-PC | Source = DCOM | ID = 10010
Description =

Error - 11/10/2012 12:31:27 | Computer Name = Jacklyn-PC | Source = Service Control Manager | ID = 7024
Description = The Apache2.2 service terminated with service-specific error %%1.


< End of report >
ColinL
Active Member
 
Posts: 12
Joined: October 19th, 2012, 2:51 pm

Re: Metropolitan Police Ransomeware

Unread postby ColinL » October 21st, 2012, 1:39 pm

Hi there,

The final log can be found below:

SystemLook

SystemLook 30.07.11 by jpshortstuff
Log created at 18:00 on 21/10/2012 by Jacklyn
Administrator - Elevation successful

========== filefind ==========

Searching for "*alotappbar*"
No files found.

Searching for "*Bandoo*"
No files found.

Searching for "*Blekko*"
No files found.

Searching for "*Conduit*"
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Feeds\http___alerts_conduit-services_com_root_897164_892962_UK.xml --a---- 188 bytes [19:01 11/06/2012] [20:29 11/06/2012] E2A87E535CF5282072AA46166D27D1DF

Searching for "*datamngr*"
No files found.

Searching for "*Fun4IM*"
No files found.

Searching for "*Funmoods*"
C:\Users\Jacklyn\AppData\Local\funmoods.crx --a---- 31470 bytes [20:38 11/06/2012] [20:38 11/06/2012] BC64C97573527DDBC0F6522A28E6C96E
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\style\funmoods_chrome_1.0.1.css --a---- 1915 bytes [20:05 12/06/2012] [20:05 12/06/2012] 932E88939025DEA549719B7FFB869668

Searching for "*iLivid*"
No files found.

Searching for "*IObit*"
No files found.

Searching for "*Searchnu*"
No files found.

Searching for "*Searchqu*"
No files found.

Searching for "*trolltech*"
No files found.

Searching for "*Vuze*"
No files found.

Searching for "*whitesmoke*"
No files found.

Searching for "*Yontoo*"
No files found.

========== folderfind ==========

Searching for "*alotappbar*"
No folders found.

Searching for "*Bandoo*"
No folders found.

Searching for "*Blekko*"
No folders found.

Searching for "*Conduit*"
C:\Program Files (x86)\Conduit d------ [18:54 11/06/2012]
C:\Users\Jacklyn\AppData\Local\Conduit d------ [18:54 11/06/2012]
C:\Users\Jacklyn\AppData\LocalLow\Conduit d------ [18:54 11/06/2012]

Searching for "*datamngr*"
No folders found.

Searching for "*Fun4IM*"
No folders found.

Searching for "*Funmoods*"
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods d------ [20:05 12/06/2012]
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\f.funmoods.com d------ [19:03 10/10/2012]
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\macromedia.com\support\flashplayer\sys\#f.funmoods.com d------ [19:03 10/10/2012]
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#f.funmoods.com d------ [21:04 04/08/2012]

Searching for "*iLivid*"
No folders found.

Searching for "*IObit*"
No folders found.

Searching for "*Searchnu*"
No folders found.

Searching for "*Searchqu*"
No folders found.

Searching for "*trolltech*"
No folders found.

Searching for "*Vuze*"
C:\Users\Jacklyn\Documents\Vuze Downloads d------ [19:05 11/06/2012]

Searching for "*whitesmoke*"
No folders found.

Searching for "*Yontoo*"
No folders found.

========== Regfind ==========

Searching for "alotappbar"
No data found.

Searching for "Bandoo"
No data found.

Searching for "Blekko"
No data found.

Searching for "Conduit"
[HKEY_CURRENT_USER\Software\AppDataLow\Software\Conduit]
[HKEY_CURRENT_USER\Software\AppDataLow\Software\ConduitSearchScopes]
[HKEY_CURRENT_USER\Software\Conduit]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
"URL"="http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
"FaviconURL"="http://search.conduit.com/favicon.ico"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
@="Conduit Community Alerts"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32]
@="C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit\Community Alerts]
"Path"="C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit\HomePage]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"="http://search.conduit.com?SearchSource=10&ctid=CT2504091"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
@="Conduit Community Alerts"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32]
@="C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\AppDataLow\Software\Conduit]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\AppDataLow\Software\ConduitSearchScopes]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
"URL"="http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
"FaviconURL"="http://search.conduit.com/favicon.ico"

Searching for "datamngr"
No data found.

Searching for "Fun4IM"
No data found.

Searching for "Funmoods"
[HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
"path"="C:\Users\Jacklyn\AppData\Local\funmoods.crx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.dskBnd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer]
@="funmoods.dskBnd.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer]
@="funmoods.funmoodsHlpr.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoodsApp.appCore]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CurVer]
@="funmoodsApp.appCore.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0]
@="funmoodsCmn 1.0 Type Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortEng.dll\2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortApp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0]
@="funmoodsCmn 1.0 Type Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortEng.dll\2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortApp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
"path"="C:\Users\Jacklyn\AppData\Local\funmoods.crx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
"path"="C:\Users\Jacklyn\AppData\Local\funmoods.crx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}"="Funmoods Toolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\FunmoodsSetupV2_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\FunmoodsSetupV2_RASMANCS]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}]
@="Funmoods Helper Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0]
@="funmoodsCmn 1.0 Type Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortEng.dll\2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
@="C:\PROGRA~2\Funmoods\1.5.23.22\escortApp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
@="C:\PROGRA~2\Funmoods\1.5.23.22"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
"path"="C:\Users\Jacklyn\AppData\Local\funmoods.crx"

Searching for "iLivid"
No data found.

Searching for "IObit"
No data found.

Searching for "Searchnu"
No data found.

Searching for "Searchqu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"

Searching for "trolltech"
[HKEY_CURRENT_USER\Software\Trolltech]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Trolltech]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]

Searching for "Vuze"
[HKEY_CURRENT_USER\Software\Conduit\AppPaths\Vuze.exe]
[HKEY_CURRENT_USER\Software\Conduit\AppPaths\Vuze.exe]
"AppPath"="C:\Program Files (x86)\Vuze\Azureus.exe"
[HKEY_CURRENT_USER\Software\Classes\.vuze]
[HKEY_CURRENT_USER\Software\Classes\.vuze]
@="Vuze"
[HKEY_CURRENT_USER\Software\Classes\.vuze]
"Content Type"="application/x-vuze"
[HKEY_CURRENT_USER\Software\Classes\BC\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\BC\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\BCTP\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\BCTP\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\DHT\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\DHT\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"="Azureus"
[HKEY_CURRENT_USER\Software\Classes\Magnet\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\application/x-vuze]
[HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\application/x-vuze]
"Extension"=".vuze"
[HKEY_CURRENT_USER\Software\Classes\Vuze]
[HKEY_CURRENT_USER\Software\Classes\Vuze]
@="Vuze File"
[HKEY_CURRENT_USER\Software\Classes\Vuze]
"Content Type"="application/x-vuze"
[HKEY_CURRENT_USER\Software\Classes\Vuze\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_CURRENT_USER\Software\Classes\Vuze\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vuze]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vuze]
@="Vuze"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Azureus]
@="Vuze Download"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Azureus\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Azureus\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze]
@="Vuze File"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze\Content Type]
@="application/x-vuze"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Vuze_Installer_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Vuze_Installer_RASMANCS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files (x86)\Vuze\Azureus.exe|Name=Azureus / Vuze|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{5D5B5D02-B32E-44C3-A173-07B7D08BE814}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files (x86)\Vuze\Azureus.exe|Name=Azureus / Vuze|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\vuze\azureus.exe|Name=Azureus|Desc=Azureus|Defer=User|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\vuze\azureus.exe|Name=Azureus|Desc=Azureus|Defer=User|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files (x86)\Vuze\Azureus.exe|Name=Azureus / Vuze|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{5D5B5D02-B32E-44C3-A173-07B7D08BE814}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files (x86)\Vuze\Azureus.exe|Name=Azureus / Vuze|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\vuze\azureus.exe|Name=Azureus|Desc=Azureus|Defer=User|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\vuze\azureus.exe|Name=Azureus|Desc=Azureus|Defer=User|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files (x86)\Vuze\Azureus.exe|Name=Azureus / Vuze|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{5D5B5D02-B32E-44C3-A173-07B7D08BE814}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files (x86)\Vuze\Azureus.exe|Name=Azureus / Vuze|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\vuze\azureus.exe|Name=Azureus|Desc=Azureus|Defer=User|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\vuze\azureus.exe|Name=Azureus|Desc=Azureus|Defer=User|"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\AppPaths\Vuze.exe]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\AppPaths\Vuze.exe]
"AppPath"="C:\Program Files (x86)\Vuze\Azureus.exe"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\.vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\.vuze]
@="Vuze"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\.vuze]
"Content Type"="application/x-vuze"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"="Azureus"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\MIME\Database\Content Type\application/x-vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\MIME\Database\Content Type\application/x-vuze]
"Extension"=".vuze"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze]
@="Vuze File"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze]
"Content Type"="application/x-vuze"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\.vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\.vuze]
@="Vuze"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\.vuze]
"Content Type"="application/x-vuze"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\program files (x86)\vuze\azureus.exe"="Azureus"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\MIME\Database\Content Type\application/x-vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\MIME\Database\Content Type\application/x-vuze]
"Extension"=".vuze"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze]
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze]
@="Vuze File"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze]
"Content Type"="application/x-vuze"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze\DefaultIcon]
@="C:\Program Files (x86)\Vuze\Azureus.exe,0"
[HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze\shell\open\command]
@=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""

Searching for "whitesmoke"
No data found.

Searching for "Yontoo"
No data found.

-= EOF =-

Thanks again for your help.

Cheers,

Colin.
ColinL
Active Member
 
Posts: 12
Joined: October 19th, 2012, 2:51 pm
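The SystemLook report above has a regular shape: `filefind` lines carry path, attribute flags, size, two timestamps and an MD5; `folderfind` lines carry path, flags and one timestamp; `Regfind` prints a `[key]` line, repeated before each `"name"="value"` it found. As an added example (not part of Colin's post and not SystemLook's own code), this parser turns that output into per-term findings and pulls out the IE SearchScopes provider URLs that a hijacker rewrites; the sample log is constructed from lines in the post.

```python
"""Parse a SystemLook log (filefind, folderfind, Regfind sections) into
structured findings so hits can be reviewed per search term before any of
them are copied into a fix script."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in SystemLook 30.07.11 output format, assembled from
# lines of the log posted in the thread.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 18:00 on 21/10/2012 by Jacklyn
Administrator - Elevation successful

========== filefind ==========

Searching for "*Bandoo*"
No files found.

Searching for "*Funmoods*"
C:\Users\Jacklyn\AppData\Local\funmoods.crx --a---- 31470 bytes [20:38 11/06/2012] [20:38 11/06/2012] BC64C97573527DDBC0F6522A28E6C96E

========== folderfind ==========

Searching for "*Conduit*"
C:\Program Files (x86)\Conduit d------ [18:54 11/06/2012]

========== Regfind ==========

Searching for "Conduit"
[HKEY_CURRENT_USER\Software\Conduit]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
"URL"="http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
"FaviconURL"="http://search.conduit.com/favicon.ico"

Searching for "Searchqu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"

Searching for "Yontoo"
No data found.

-= EOF =-
"""

SECTION_RE = re.compile(r'^=+ (\w+) =+$')
SEARCH_RE = re.compile(r'^Searching for "(.+)"$')
FILE_RE = re.compile(r'^(.+?) ([-a-z]{7}) (\d+) bytes \[([^\]]+)\] \[([^\]]+)\] ([0-9A-Fa-f]{32})$')
FOLDER_RE = re.compile(r'^(.+?) ([-a-z]{7}) \[([^\]]+)\]$')
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')
NO_HIT = ("No files found.", "No folders found.", "No data found.", "-= EOF =-")


@dataclass
class Hit:
    section: str            # filefind, folderfind or Regfind
    term: str               # search term with SystemLook's * wildcards removed
    path: str               # file/folder path or registry key
    detail: dict = field(default_factory=dict)


def parse_systemlook(text):
    hits, reg_index = [], {}
    section = term = current = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section, term, current = m.group(1), None, None
            continue
        if m := SEARCH_RE.match(line):
            term, current = m.group(1).strip("*"), None
            continue
        if not line or section is None or term is None or line in NO_HIT:
            continue
        if section == "filefind" and (m := FILE_RE.match(line)):
            path, attrs, size, stamp1, stamp2, md5 = m.groups()
            hits.append(Hit(section, term, path, {"attrs": attrs, "size": int(size),
                                                  "stamps": (stamp1, stamp2), "md5": md5.upper()}))
        elif section == "folderfind" and (m := FOLDER_RE.match(line)):
            path, attrs, stamp = m.groups()
            hits.append(Hit(section, term, path, {"attrs": attrs, "stamp": stamp}))
        elif section == "Regfind" and (m := KEY_RE.match(line)):
            # Regfind repeats the key line before every value it prints;
            # merge them so one key is one finding with all its values.
            current = reg_index.get((term, m.group(1)))
            if current is None:
                current = Hit(section, term, m.group(1))
                reg_index[(term, m.group(1))] = current
                hits.append(current)
        elif section == "Regfind" and current is not None and (m := VALUE_RE.match(line)):
            name, value = m.groups()
            name = "@" if name == "@" else name.strip('"')
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current.detail[name] = value
    return hits


def summarize(hits):
    """Distinct findings per search term (terms with no hits are absent).
    Regfind matches substrings, so a term such as Searchqu also catches the
    unrelated ISearchQueryHelper interface: counts are a review list, not a
    removal list."""
    return dict(Counter(h.term for h in hits))


def search_scope_urls(hits):
    """(key, URL) pairs for IE SearchScopes providers tied to a search term;
    these are the entries a search hijack rewrites and a fix script clears."""
    return [(h.path, h.detail["URL"]) for h in hits
            if h.section == "Regfind" and "\\SearchScopes\\" in h.path and "URL" in h.detail]
```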

Re: Metropolitan Police Ransomeware

Unread postby pgmigg » October 22nd, 2012, 1:22 am

Hello ColinL,

Good job! :)
No change as far as I can see, the popup still appears on startup saying IE is trying to launch.
Yes, you are right - I needed more scans, and now I have enough information to start a real treatment...

Step 1.
OTL - Run Fix Script
You should still have OTL.exe on your desktop.
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Right click on OTL.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
  2. Underneath Output at the top, make sure Standard Output is selected.
  3. Copy and paste the following code into the text box. Do not include the word Code.
    :OTL
    IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found
    IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
    O2 - BHO: (no name) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found.
    O3 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\Toolbar\WebBrowser: (no name) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No CLSID value found.
    O3 - HKU\S-1-5-21-2611650137-3530031623-2658461397-1001\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    
    :Files
    C:\Users\Jacklyn\AppData\Local\funmoods.crx
    C:\Users\Jacklyn\AppData\LocalLow\Conduit
    C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\style\funmoods_chrome_1.0.1.css
    C:\Program Files (x86)\Conduit
    C:\Users\Jacklyn\AppData\Local\Conduit
    C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods
    C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\f.funmoods.com
    C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\macromedia.com\support\flashplayer\sys\#f.funmoods.com
    C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#f.funmoods.com
    C:\Users\Jacklyn\Documents\Vuze
    C:\Windows\*.tmp
    ipconfig /flushdns /c
    
    :Reg
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\Conduit]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\ConduitSearchScopes]
    [-HKEY_CURRENT_USER\Software\Conduit]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
    "URL"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
    "FaviconURL"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32]
    @=""
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32]
    @=""
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\AppDataLow\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\AppDataLow\Software\ConduitSearchScopes]
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit]
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
    "URL"=-
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}]
    "FaviconURL"=-
    [HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
    "path"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.dskBnd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoodsApp.appCore]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
    "path"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
    "path"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\FunmoodsSetupV2_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\FunmoodsSetupV2_RASMANCS]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki]
    "path"=-
    [-HKEY_CURRENT_USER\Software\Trolltech]
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Trolltech]
    [-HKEY_CURRENT_USER\Software\Conduit\AppPaths\Vuze.exe]
    [-HKEY_CURRENT_USER\Software\Classes\.vuze]
    [HKEY_CURRENT_USER\Software\Classes\BC\DefaultIcon]
    @=""
    [HKEY_CURRENT_USER\Software\Classes\BC\shell\open\command]
    @=""
    [HKEY_CURRENT_USER\Software\Classes\BCTP\DefaultIcon]
    @=""
    [HKEY_CURRENT_USER\Software\Classes\BCTP\shell\open\command]
    @=""
    [HKEY_CURRENT_USER\Software\Classes\DHT\DefaultIcon]
    @=""
    [HKEY_CURRENT_USER\Software\Classes\DHT\shell\open\command]
    @=""
    [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\program files (x86)\vuze\azureus.exe"=-
    [HKEY_CURRENT_USER\Software\Classes\Magnet\DefaultIcon]
    @=""
    [HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command]
    @=""
    [-HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\application/x-vuze]
    [-HKEY_CURRENT_USER\Software\Classes\Vuze]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vuze]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Azureus]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Vuze_Installer_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Vuze_Installer_RASMANCS]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}"=-
    "{5D5B5D02-B32E-44C3-A173-07B7D08BE814}"=-
    "TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe"=-
    "UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}"=-
    "{5D5B5D02-B32E-44C3-A173-07B7D08BE814}"=-
    "TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe"=-
    "UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}"=-
    "{5D5B5D02-B32E-44C3-A173-07B7D08BE814}"=-
    "TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe"=-
    "UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe"=-
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\AppPaths\Vuze.exe]
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\AppPaths\Vuze.exe]
    "AppPath"="C:\Program Files (x86)\Vuze\Azureus.exe"
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\.vuze]
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\.vuze]
    "Content Type"=-
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\shell\open\command]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\shell\open\command]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\shell\open\command]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command]
    @=""
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\MIME\Database\Content Type\application/x-vuze]
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze]
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze\shell\open\command]
    @=""
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\.vuze]
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\shell\open\command]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\shell\open\command]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\shell\open\command]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\program files (x86)\vuze\azureus.exe"="Azureus"
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command]
    @=""C:\Program Files (x86)\Vuze\Azureus.exe" "%1""
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\MIME\Database\Content Type\application/x-vuze]
    [-HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze]
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze\DefaultIcon]
    @=""
    [HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze\shell\open\command]
    @=""
    
    :Commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    [EMPTYJAVA]
    [CREATERESTOREPOINT]
    
  4. Click under the Custom Scan/Fixes box and paste the copied text.
  5. Click the Run Fix button. If prompted... click OK.
  6. OTL may ask to reboot the machine. Please do so if asked.
  7. Let the program run unhindered and reboot the PC when it is done.
    When the computer reboots, and you start your usual account, a Notepad text file will appear.
  8. Copy the contents of that file and post it in your next reply. The log can also be found, based on the date/time it was created, as C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log

Step 2.
Show Hidden and System files
  1. Close all programs so that you are at your desktop.
  2. Press the Windows logo key.
  3. Click the Start Search box on the Start Menu
  4. Copy and paste the following value, in the open text entry box:
    change search options for files and folders
    then press Enter button
  5. Click on the View tab, then under the "Hidden files and folders" section please
    • SELECT "Show hidden files and folders"
  6. Find below and
    • remove check mark from check box "Hide extensions for known file types"
    • remove check mark from check box "Hide protected operating system files"
  7. Press the Apply, then the OK buttons.

Step 3.
Upload File/Files for testing
  1. Please go to jotti.org or Virustotal
  2. Copy/paste this file with path into the white box at the top:
    C:\windows\SysWow64\setup16.exe
  3. Press Submit - this will submit the file for testing.
    Note: If you will see a message "File already analysed", please click on "Reanalyse" button.
  4. Please wait for all the scanners to finish.
  5. Then copy and paste the permalink (web address) in your next response.

Step 4.
Malwarebytes' Anti-Malware [MBAM]
Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware and save it to your desktop. If needed...Tutorial w/screenshots
Alternate download sites available here or here.
  1. Make sure you are connected to the Internet.
  2. Double-click on mbam-setup.exe to install the application.
  3. When the installation begins, follow the prompts and do not make any changes to default settings.
  4. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • Problems downloading the updates? Manually download them from here and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
  1. Make sure the "Perform Full Scan" option is selected.
  2. Then click on the Scan button.
  3. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  4. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  5. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  6. Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  1. Click on the Show Results button to see a list of any malware that was found.
  2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
    We will take care of the System Volume Information items later.
  3. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  5. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log log file after OTL FixScript run
  3. The resulting web link after online file scan by Virus Total.
  4. Contents of the most recent MBAM Log file.
  5. Do you see any changes in computer behavior?

Please do not hesitate to divide the post into multiple posts if it is too long...

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
MRU Teacher
Posts: 3181
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00
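
As an added illustration, not part of pgmigg's instructions or of OTL: the O2/O3/O4 lines and the :Reg section of the fix above all target a handful of registry locations where browser hijackers such as Conduit/Funmoods persist (Browser Helper Objects, IE toolbars, URLSearchHooks, SearchScopes, Chrome's external-extension keys and the Run keys). The PowerShell script below reads those same locations and reports what is there, flagging add-on entries whose CLSID has no registered InprocServer32 (what OTL prints as "No CLSID value found") and Run entries whose target file is missing (OTL's "File not found"). It changes nothing. The function names are mine, and the paths assume the 64-bit Windows 7 layout seen in this thread's logs (Wow6432Node, C:\Users\...).

```powershell
# Added example (not from the thread or from OTL): read-only audit of the autostart
# and browser persistence points that the O2/O3/O4 lines and the :Reg section above
# deal with. Assumes the 64-bit Windows 7 layout visible in this thread's logs
# (Wow6432Node, C:\Users\...). Run from an elevated PowerShell prompt.

$ErrorActionPreference = 'SilentlyContinue'
$guid = '^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$'

function Resolve-Clsid {
    # InprocServer32 path registered for a CLSID, looked up in the 64-bit, the
    # Wow6432Node and the per-user class tables. $null is what OTL reports as
    # "No CLSID value found": the add-on entry is orphaned and cannot load.
    param([string]$Clsid)
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
             'HKCU:\Software\Classes\CLSID'
    foreach ($root in $roots) {
        $srv = (Get-ItemProperty -Path "$root\$Clsid\InprocServer32" -Name '(default)').'(default)'
        if ($srv) { return $srv }
    }
    return $null
}

function Get-BrowserAddons {
    # O2/O3: BHOs are subkeys named by CLSID; IE toolbars, URLSearchHooks and the
    # per-user WebBrowser toolbar list are values named by CLSID, so collect both.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
             'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
             'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    foreach ($p in $paths) {
        $key = Get-Item -Path $p
        if (-not $key) { continue }
        $ids = @($key.GetSubKeyNames()) + @($key.GetValueNames()) | Where-Object { $_ -match $guid }
        foreach ($id in $ids) {
            $server = Resolve-Clsid $id
            if (-not $server) { $server = 'ORPHANED (No CLSID value found)' }
            [pscustomobject]@{ Location = $p; Clsid = $id; Server = $server }
        }
    }
}

function Get-SearchScopes {
    # IE search providers. A hijacker rewrites the URL of a scope or adds a
    # GUID-named scope of its own and points DefaultScope at it.
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    $default = (Get-ItemProperty -Path $base -Name DefaultScope).DefaultScope
    foreach ($scope in Get-ChildItem -Path $base) {
        $v = Get-ItemProperty -Path $scope.PSPath
        [pscustomobject]@{
            Scope   = $scope.PSChildName
            Default = ($scope.PSChildName -eq $default)
            Name    = $v.DisplayName
            URL     = $v.URL
        }
    }
}

function Get-ChromeExternalExtensions {
    # Extensions pushed into Chrome through the registry (the Funmoods entry in the
    # fix above pointed "path" at a local .crx). Store installs use update_url.
    $paths = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
             'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
             'HKCU:\Software\Google\Chrome\Extensions'
    foreach ($p in $paths) {
        foreach ($ext in Get-ChildItem -Path $p) {
            $v = Get-ItemProperty -Path $ext.PSPath
            [pscustomobject]@{ Location = $p; Id = $ext.PSChildName; Path = $v.path; UpdateUrl = $v.update_url }
        }
    }
}

function Get-RunEntries {
    # O4: autostart values whose target is gone are OTL's "File not found" leftovers.
    # Unquoted commands are cut at the first space, so an unquoted path containing
    # spaces is reported as missing and needs a manual look.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        $key = Get-Item -Path $p
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $label = $name
            if (-not $label) { $label = '(empty name)' }
            $exists = [bool]$exe -and (Test-Path -LiteralPath $exe)
            [pscustomobject]@{ Location = $p; Name = $label; Command = $cmd; Exists = $exists }
        }
    }
}

Get-BrowserAddons            | Format-Table -AutoSize
Get-SearchScopes             | Format-Table -AutoSize
Get-ChromeExternalExtensions | Format-Table -AutoSize
Get-RunEntries               | Format-Table -AutoSize
```

Entries that resolve to a live DLL or executable are the ones worth attention: check the file's publisher with Get-AuthenticodeSignature or submit it to VirusTotal as in Step 3 above. Orphaned CLSIDs and Run values with a missing target load nothing; they are the leftover debris that a fix script like the one above clears out.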

Re: Metropolitan Police Ransomeware

Post by ColinL » October 23rd, 2012, 6:30 pm

Hi there. The requested logs are below:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{ba14329e-9550-4989-b3f2-9732e92d17cc} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba14329e-9550-4989-b3f2-9732e92d17cc}\ not found.
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83A99AB6-7961-44C2-8B14-2364763B75BA}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{977AE9CC-AF83-45E8-9E03-E2798216E2D5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}\ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BA14329E-9550-4989-B3F2-9732E92D17CC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
========== FILES ==========
C:\Users\Jacklyn\AppData\Local\funmoods.crx moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Log folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\LanguagePacks folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Feeds folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\light folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\dark folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Dialogs\AppNotificationDialog folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts\Dialogs folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit\Community Alerts folder moved successfully.
C:\Users\Jacklyn\AppData\LocalLow\Conduit folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\style\funmoods_chrome_1.0.1.css moved successfully.
C:\Program Files (x86)\Conduit\Community Alerts folder moved successfully.
C:\Program Files (x86)\Conduit folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Conduit folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\style folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\js folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods\img folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki\1.6.0_0\funmoods folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\f.funmoods.com\assets\data\fm_swf_engine.swf folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\f.funmoods.com\assets\data folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\f.funmoods.com\assets folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\f.funmoods.com folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\JZMHPXHN\macromedia.com\support\flashplayer\sys\#f.funmoods.com folder moved successfully.
C:\Users\Jacklyn\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#f.funmoods.com folder moved successfully.
File\Folder C:\Users\Jacklyn\Documents\Vuze not found.
C:\Windows\msdownld.tmp folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Jacklyn\Desktop\cmd.bat deleted successfully.
C:\Users\Jacklyn\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\AppDataLow\Software\Conduit\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\AppDataLow\Software\ConduitSearchScopes\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Conduit\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA} not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA} not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\\@|"" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\\@|"" /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\AppDataLow\Software\Conduit\ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\AppDataLow\Software\ConduitSearchScopes\ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA} not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Microsoft\Internet Explorer\SearchScopes\{83A99AB6-7961-44C2-8B14-2364763B75BA} not found.
Registry value HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki\\path deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.dskBnd\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\\@|"" /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki\\path deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki\\path not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\FunmoodsSetupV2_RASAPI32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\FunmoodsSetupV2_RASMANCS\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\HELPDIR\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\\@|"" /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki\\path not found.
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Trolltech\ not found.
Registry key HKEY_CURRENT_USER\Software\Conduit\AppPaths\Vuze.exe\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\.vuze\ deleted successfully.
HKEY_CURRENT_USER\Software\Classes\BC\DefaultIcon\\@|"" /E : value set successfully!
HKEY_CURRENT_USER\Software\Classes\BC\shell\open\command\\@|"" /E : value set successfully!
HKEY_CURRENT_USER\Software\Classes\BCTP\DefaultIcon\\@|"" /E : value set successfully!
HKEY_CURRENT_USER\Software\Classes\BCTP\shell\open\command\\@|"" /E : value set successfully!
HKEY_CURRENT_USER\Software\Classes\DHT\DefaultIcon\\@|"" /E : value set successfully!
HKEY_CURRENT_USER\Software\Classes\DHT\shell\open\command\\@|"" /E : value set successfully!
Registry value HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\program files (x86)\vuze\azureus.exe deleted successfully.
HKEY_CURRENT_USER\Software\Classes\Magnet\DefaultIcon\\@|"" /E : value set successfully!
HKEY_CURRENT_USER\Software\Classes\Magnet\shell\open\command\\@|"" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\application/x-vuze\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\Vuze\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vuze\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Azureus\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Vuze_Installer_RASAPI32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Vuze_Installer_RASMANCS\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5D5B5D02-B32E-44C3-A173-07B7D08BE814} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D5B5D02-B32E-44C3-A173-07B7D08BE814}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5D5B5D02-B32E-44C3-A173-07B7D08BE814} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D5B5D02-B32E-44C3-A173-07B7D08BE814}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{288A0F6F-8831-40F2-B9D8-CE13F0B5AF19}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5D5B5D02-B32E-44C3-A173-07B7D08BE814} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D5B5D02-B32E-44C3-A173-07B7D08BE814}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{32FF593C-E831-4F95-80DC-9070700874A7}C:\program files (x86)\vuze\azureus.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{536D7B75-AF46-4958-8B76-F7460E13EDF2}C:\program files (x86)\vuze\azureus.exe not found.
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Conduit\AppPaths\Vuze.exe\\"AppPath"|"C:\Program Files (x86)\Vuze\Azureus.exe" /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\.vuze\ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\.vuze not found.
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BC\shell\open\command\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\BCTP\shell\open\command\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\DHT\shell\open\command\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Magnet\shell\open\command\\@|"" /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\MIME\Database\Content Type\application/x-vuze\ not found.
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze\ not found.
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001\Software\Classes\Vuze\shell\open\command\\@|"" /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\.vuze not found.
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BC\shell\open\command\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\BCTP\shell\open\command\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\DHT\shell\open\command\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\"C:\program files (x86)\vuze\azureus.exe"|"Azureus" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Magnet\shell\open\command\\@|""C:\Program Files (x86)\Vuze\Azureus.exe" "%1"" /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\MIME\Database\Content Type\application/x-vuze\ not found.
Registry value HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze\\ not found.
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze\DefaultIcon\\@|"" /E : value set successfully!
HKEY_USERS\S-1-5-21-2611650137-3530031623-2658461397-1001_Classes\Vuze\shell\open\command\\@|"" /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56466 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jacklyn
->Temp folder emptied: 6364165 bytes
->Temporary Internet Files folder emptied: 5511069 bytes
->Java cache emptied: 42724 bytes
->Google Chrome cache emptied: 226876588 bytes
->Flash cache emptied: 57355 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 424121282 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50467 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 639 bytes
RecycleBin emptied: 23288815818 bytes

Total Files Cleaned = 22,842.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Jacklyn
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Jacklyn
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 10232012_194419

Files\Folders moved on Reboot...
C:\Users\Jacklyn\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


VirusTotal:

https://www.virustotal.com/file/c44c4f8 ... 351018871/

MBAB:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.23.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jacklyn :: JACKLYN-PC [administrator]

Protection: Enabled

23/10/2012 20:09:43
mbam-log-2012-10-23 (20-09-43).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 335257
Time elapsed: 1 hour(s), 6 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 12
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\lsass.exe (Trojan.Delf) -> Quarantined and deleted successfully.
C:\Users\Jacklyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Quarantined and deleted successfully.

(end)
ColinL
Active Member
 
Posts: 12
Joined: October 19th, 2012, 2:51 pm
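Not part of the thread: an added Python example that parses the Malwarebytes Anti-Malware log format shown above (the "... Detected: N" section headers and the "path (threat) -> action" lines), checks each declared count against the items listed, and explains why the two file detections matter, on a constructed excerpt of that log. The list of system-binary names it treats as suspect outside System32 is an assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt in the Malwarebytes Anti-Malware 1.65 log format posted in this thread.
SAMPLE_LOG = r"""Registry Keys Detected: 2
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\lsass.exe (Trojan.Delf) -> Quarantined and deleted successfully.
C:\Users\Jacklyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")

# Assumed list of Windows system binaries that malware imitates by name;
# a file with one of these names outside the system directories is suspect.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_mbam_log(text):
    """Return ({section: [(path, threat, action), ...]}, sections whose declared
    count does not match the number of items actually listed)."""
    findings, declared, current = defaultdict(list), {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            declared[current] = int(m.group("count"))
            continue
        m = ITEM_RE.match(line)
        if m and current:
            findings[current].append((m.group("path"), m.group("threat"), m.group("action")))
    mismatches = [s for s, n in declared.items() if n != len(findings[s])]
    return dict(findings), mismatches

def triage(path, threat):
    """Reasons a detected file matters: autostart persistence, a system-binary
    name in a user-writable location, or a ransomware family label."""
    low = path.lower()
    reasons = []
    if "\\start menu\\programs\\startup\\" in low:
        reasons.append("autostart: runs at every logon")
    if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside System32")
    if threat.lower().startswith("trojan.ransom"):
        reasons.append("ransomware family")
    return reasons
```

A count mismatch usually means the pasted log was truncated, which is worth asking the poster about before reading the scan as complete.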

Re: Metropolitan Police Ransomeware

Unread postby ColinL » October 23rd, 2012, 6:33 pm

The machine is now booting without IE attempting to launch, so things seem to be looking up.

Thanks,

Colin.
ColinL
Active Member
 
Posts: 12
Joined: October 19th, 2012, 2:51 pm

Re: Metropolitan Police Ransomeware

Unread postby pgmigg » October 23rd, 2012, 11:37 pm

Hello Colin,
The machine is now booting without IE attempting to launch, so things seem to be looking up.
It is nice to read, but we are not finished yet - let's continue...

Step 1.
ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

  1. Firstly please Disable any Antivirus you have active, as shown in This topic.
  2. Note: Don't forget to re-enable it after the scan.
  3. Next please click on the following link to open a new window to ESET online scanner
  4. Then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  5. Select the option YES, I accept the Terms of Use then click on: Image
  6. When prompted allow the Add-On/Active X to install.
  7. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  8. Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  9. Now click on: Image
  10. The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  11. When completed the Online Scan will begin automatically.
  12. Do not touch either the mouse or keyboard during the scan otherwise it may stall.
  13. When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  14. Now click on: Image
  15. Use notepad to open the log file located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  16. Copy and paste that log as a reply to this topic.

Step 2.
Fresh OTL Scan
You should still have OTL.exe on your desktop.
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Right click on OTL.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
  2. Under Output, ensure that Standard Output is selected.
  3. Check the boxes labeled:
    • Include 64 bit scans
    • Scan All Users
    • Extra Registry > Use SafeList
  4. Click on Run Scan at the top left hand corner.
  5. When done, one Notepad file, OTL.txt, will be opened, maximized.
  6. Please post the content of OTL.txt file in your next reply.

Step 3.
SystemLook
You should still have SystemLook_x64.exe on your desktop.
  1. Right click on SystemLook_x64.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
    If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.
  2. Highlight and copy the following entries into SystemLook's main text entry window:

    Code:
    :filefind
    *Conduit*
    *Funmoods*
    
    :folderfind
    *Conduit*
    *Funmoods*
    *Vuze*
    
    :Regfind
    Conduit
    Funmoods
    trolltech
    Vuze
    
  3. Press the Look button to start the scan.
    When finished, a Notepad window will open with the results of the scan.
    A file will be created (on your Desktop) with the results of the scan, named SystemLook.txt
  4. Please post the contents of the SystemLook.txt file in your next reply.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the C:\Program Files\ESET\EsetOnlineScanner\log.txt log file
  3. Contents of the most recent OTL.txt file
  4. Contents of the SystemLook.txt log file
  5. Do you see any changes in computer behavior?

Please do not hesitate to divide the post into multiple if it is too long...

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
MRU Teacher
 
Posts: 3181
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Metropolitan Police Ransomeware

Unread postby Cypher » October 27th, 2012, 11:14 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns