
Incredibar Browser Hijack



jwsmith
2012-12-21, 03:32
So I downloaded two applications from CNET. After the first one of these installed (and I am ALWAYS careful to click the correct download link and uncheck any unwanted 'crap-on' software), I noticed my Search Engine had been hijacked. And my default Search Toolbar. And my Start Page option. And my Home Tab. Across all three of my browsers: Firefox, IE and Chrome. All by this despicable Incredibar, or its MyStart variant. Went through the tedious process of removing same. Only to have it show up again, after downloading the next application mentioned above (or maybe it was the first infection resurfacing again). I had been running clean after having to rebuild my system after a failed hard drive a week ago, and given that the Incredibar and MyStart hijacking occurred right after downloading the above-mentioned apps, I am pretty certain that CNET was the source of my infection.

Anyway, I followed a few posts about removing Incredibar, and it seems to have been gone for the last week, but one of the posts did recommend running Spybot S&D to ensure it's truly gone. So, I downloaded Spybot S&D 2 and ran that, which reported a number of things it flagged for me to 'Fix' if I so chose. At that point, I thought I'd better get some advice because I don't really know what 'Fix' would do. I ran ERUNT, saving the System Registry only.

This is the report from the DDS program:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457
Run by Jeffrey at 20:36:09 on 2012-12-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.1461 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Box Sync\UpdateService.exe
C:\IDrive\IDriveE Service.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Box Sync\BoxSyncHelper.exe
C:\IDrive\IDrivePlugin.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Box Sync\BoxSync.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Users\Jeffrey\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\IDrive\IDriveETray.exe
C:\IDrive\IDriveEBackground.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\prevhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?refresh=1
BHO: PDFXChange 4.0 IE Plugin: {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - c:\program files\tracker software\pdf-xchange 4\PXCIEAddin4.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
TB: PDFXChange 4.0 IE Plugin: {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - c:\program files\tracker software\pdf-xchange 4\PXCIEAddin4.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [IDriveE Startup] "c:\idrive\IDrvieEStartup.exe" Hide
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BoxSyncHelper] "c:\program files\box sync\BoxSyncHelper.exe"
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jeffrey\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\idrive~1.lnk - c:\idrive\IDriveEReg2ini.exe
StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\boxsyn~1.lnk - c:\program files\box sync\BoxSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hypers~1.lnk - c:\program files\hypersnap-dx 5\HprSnap5.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\instal~1.lnk - c:\program files\common files\lpuninstall.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: LastPass - c:\users\jeffrey\appdata\locallow\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - c:\users\jeffrey\appdata\locallow\lastpass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
TCP: NameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{03DFF60F-2A27-4FB5-94F3-1785F5D1287A} : DHCPNameServer = 65.32.5.111 65.32.5.112
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jeffrey\appdata\roaming\mozilla\firefox\profiles\es60cfo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?refresh=1
FF - prefs.js: keyword.URL - hxxp://www.google.com.my/search?q=
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.124\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - ExtSQL: 2012-11-10 19:21; isreaditlater@ideashower.com; c:\users\jeffrey\appdata\roaming\mozilla\firefox\profiles\es60cfo3.default\extensions\isreaditlater@ideashower.com.xpi
FF - ExtSQL: 2012-12-01 15:28; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8NQHxNuM&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 24b01e67000000000000002421a66bc0
FF - user.js: extensions.incredibar_i.instlDay - 15685
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1415:34:38
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6R8NQHxNuM
FF - user.js: extensions.incredibar_i.upn2n - 92825549284318880
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10678
FF - user.js: extensions.incredibar_i.ppd - 128
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-12-1 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-12-1 361032]
R2 #UpdateService;Box Sync Auto-updater;c:\program files\box sync\UpdateService.exe [2012-11-7 8704]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-12-1 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-12-1 58680]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-12-1 44808]
R2 IDriveE Service;IDriveE Service;c:\idrive\IDriveE Service.exe [2012-12-3 157128]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-12-13 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-12-13 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-12-13 168384]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-9-24 1328736]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-9-24 656480]
R2 TeamViewer8;TeamViewer 8;c:\program files\teamviewer\version8\TeamViewer_Service.exe [2012-12-10 3467768]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-12-1 14848]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-12-1 49664]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-12-1 1343400]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile="c:\program files\editpadlite\EditPad.exe" "%1"
.
=============== Created Last 30 ================
.
2012-12-20 18:57:12 569856 ----a-w- c:\users\jeffrey\appdata\roaming\microsoft\internet explorer\quick launch\ShowMan.exe
2012-12-18 18:00:35 -------- d-----r- c:\users\jeffrey\Dropbox
2012-12-18 17:49:35 -------- d-----w- c:\users\jeffrey\appdata\roaming\Dropbox
2012-12-18 09:42:57 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{300d67bc-c35a-4d9c-a8d0-582365730612}\mpengine.dll
2012-12-14 01:13:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-12-14 01:13:15 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-12-14 01:13:08 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-12-13 01:14:23 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-12-12 21:06:27 -------- d-----w- C:\Acer
2012-12-12 21:04:41 -------- d-----w- C:\totalcommander
2012-12-12 21:04:23 -------- d-----w- C:\Social Security
2012-12-12 21:04:12 -------- d-----w- C:\RMF
2012-12-12 21:04:03 -------- d-----w- C:\RFFLOW
2012-12-12 21:03:49 -------- d-----w- C:\Relocation Assessor
2012-12-12 21:03:38 -------- d-----w- C:\Quickenw
2012-12-12 21:03:07 -------- d-----w- C:\eDialog v 1.1
2012-12-12 21:02:56 -------- d-----w- C:\eDialog Dev
2012-12-12 16:30:44 -------- d-----w- c:\users\jeffrey\appdata\local\Eraser 6
2012-12-12 01:57:34 -------- d-----w- c:\users\jeffrey\appdata\roaming\TeamViewer
2012-12-11 21:44:53 -------- d-----w- C:\SM
2012-12-11 21:44:12 -------- d-----w- C:\Prey
2012-12-11 21:37:40 -------- d-----w- C:\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
2012-12-11 21:37:07 -------- d-----w- C:\eDialog
2012-12-11 21:29:46 -------- d-----r- C:\DataSmiths Dev
2012-12-11 20:37:53 -------- d-----w- c:\program files\Beyond Compare 3
2012-12-11 20:25:27 -------- d-----w- c:\program files\Office Automation
2012-12-11 18:41:57 -------- d---a-w- c:\program files\CustomUIEditor
2012-12-11 01:41:56 -------- d-----w- c:\program files\TeamViewer
2012-12-10 23:58:01 5 ----a-w- c:\windows\system32\lMMLDeleteUserData42107612FX.tmp
2012-12-10 23:09:06 -------- d-----w- c:\users\jeffrey\appdata\roaming\Malwarebytes
2012-12-10 23:08:47 -------- d-----w- c:\programdata\Malwarebytes
2012-12-10 23:08:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-10 23:08:46 -------- d-----w- c:\program files\Malware
2012-12-10 21:14:32 -------- d-----w- c:\program files\Eraser
2012-12-10 21:12:08 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-12-10 21:12:08 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-12-10 21:12:08 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-12-10 20:47:55 -------- d-----w- c:\program files\MZTools3VBA
2012-12-10 20:46:30 -------- d-----w- C:\Python27
2012-12-10 19:43:54 -------- d-----w- c:\users\jeffrey\appdata\roaming\Box Sync
2012-12-10 19:43:54 -------- d-----w- c:\users\jeffrey\appdata\roaming\Box Desktop
2012-12-10 19:42:36 -------- d-----w- c:\program files\Box Sync
2012-12-10 19:41:05 -------- d-----w- c:\users\jeffrey\appdata\local\Box Sync
2012-12-10 17:56:31 -------- d-----w- c:\users\jeffrey\appdata\local\Programs
2012-12-10 17:47:02 -------- d-----w- c:\users\jeffrey\appdata\local\Secunia PSI
2012-12-10 17:46:47 -------- d-----w- c:\program files\Secunia
2012-12-06 12:24:04 -------- d-----w- c:\program files\MSXML 4.0
2012-12-05 20:34:12 -------- d-----w- c:\users\jeffrey\appdata\roaming\HTC
2012-12-05 20:34:11 -------- d-----w- c:\users\jeffrey\appdata\roaming\HTC Sync
2012-12-05 20:33:55 -------- d-----w- c:\programdata\HTC
2012-12-05 20:33:54 -------- d-----w- c:\users\jeffrey\appdata\local\Apple Computer
2012-12-05 20:33:47 -------- d-----w- c:\users\jeffrey\appdata\local\HTC MediaHub
2012-12-05 20:33:40 -------- d-----w- c:\programdata\Motorola
2012-12-05 20:32:09 -------- d-----w- c:\program files\Spirent Communications
2012-12-05 20:32:09 -------- d-----w- c:\program files\HTC
2012-12-05 20:30:04 -------- d-----w- c:\users\jeffrey\appdata\local\Downloaded Installations
2012-12-05 20:27:29 -------- d-----w- C:\Temp
2012-12-05 19:36:54 -------- d-----w- c:\users\jeffrey\appdata\local\Macromedia
2012-12-04 15:42:35 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-12-04 15:16:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-04 15:16:03 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-03 23:50:50 -------- d-----w- c:\windows\system32\appmgmt
2012-12-03 23:21:21 -------- d-----w- c:\users\jeffrey\appdata\local\SpreadsheetTools
2012-12-03 23:18:41 -------- d-----w- c:\program files\LockXLS
2012-12-03 23:02:06 -------- d-----w- c:\users\jeffrey\appdata\roaming\ASAP Utilities
2012-12-03 23:02:06 -------- d-----w- c:\program files\ASAP Utilities
2012-12-03 22:57:05 -------- d-----w- c:\users\jeffrey\appdata\roaming\MB4Outlook
2012-12-03 22:57:02 -------- d-----w- c:\users\jeffrey\appdata\local\assembly
2012-12-03 22:54:48 -------- d-----w- c:\program files\Sizer
2012-12-03 22:53:26 -------- d-----w- c:\program files\XML Marker
2012-12-03 22:52:07 -------- dc----w- c:\programdata\{CB729112-340D-49BD-AC12-D6F6BB735838}
2012-12-03 22:24:25 87 ----a-w- c:\windows\wpd99.drv
2012-12-03 22:24:25 -------- d-----w- c:\programdata\pdf995
2012-12-03 22:24:24 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2012-12-03 22:24:24 122880 ----a-w- c:\windows\system32\pdfmona.dll
2012-12-03 22:24:23 -------- d-----w- c:\program files\pdf995
2012-12-03 22:06:20 61440 ----a-w- c:\windows\UnDeploy.exe
2012-12-03 22:06:20 -------- d-----w- c:\program files\EditPadLite
2012-12-03 22:03:28 -------- d-----w- c:\program files\Agent Ransack
2012-12-03 22:01:17 2712200 ----a-w- c:\users\jeffrey\appdata\roaming\microsoft\internet explorer\quick launch\procexp.exe
2012-12-03 21:48:25 -------- d-----w- c:\users\jeffrey\appdata\roaming\Mobisynapse
2012-12-03 21:48:13 -------- d-----w- c:\program files\Mobisynapse
2012-12-03 21:01:48 18944 ----a-w- c:\windows\system32\pvk2pfx.exe
2012-12-03 21:01:48 102912 ----a-w- c:\windows\system32\signtool.exe
2012-12-03 19:53:46 -------- d-----w- C:\DataSmiths
2012-12-03 19:21:49 -------- d-----w- C:\MyKeys
2012-12-03 19:17:24 -------- d-----w- C:\DataSmiths Dump
2012-12-03 19:10:31 -------- d-----w- c:\users\jeffrey\appdata\local\ProSoftnet
2012-12-03 16:42:42 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-12-03 16:06:42 -------- d-----w- c:\users\jeffrey\appdata\local\Mozilla
2012-12-02 23:02:23 -------- d-----w- c:\program files\HyperSnap-DX 5
2012-12-02 18:42:31 54040 ----a-w- c:\windows\system32\pxc40pm.dll
2012-12-02 18:42:20 -------- d-----w- c:\program files\Tracker Software
2012-12-02 15:10:27 2205 ----a-w- c:\users\jeffrey\appdata\roaming\microsoft\internet explorer\quick launch\DeleteTemp Folder.vbs
2012-12-01 23:49:33 -------- d-----w- c:\users\jeffrey\appdata\local\WindowsUpdate
2012-12-01 23:44:30 -------- d-----w- c:\windows\PCHEALTH
2012-12-01 23:42:37 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-12-01 23:42:13 -------- d-----w- c:\users\jeffrey\appdata\local\Microsoft Help
2012-12-01 22:54:26 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-12-01 22:54:25 369856 ----a-w- c:\windows\system32\drivers\cng.sys
2012-12-01 22:54:25 247808 ----a-w- c:\windows\system32\schannel.dll
2012-12-01 22:54:25 220160 ----a-w- c:\windows\system32\ncrypt.dll
2012-12-01 22:54:25 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-12-01 22:54:25 1039360 ----a-w- c:\windows\system32\lsasrv.dll
2012-12-01 22:54:23 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-12-01 22:54:23 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-12-01 22:54:10 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-12-01 22:53:54 499712 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-12-01 22:53:54 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-12-01 22:53:54 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-12-01 22:53:54 175104 ----a-w- c:\windows\system32\netcorehc.dll
2012-12-01 22:53:54 156672 ----a-w- c:\windows\system32\ncsi.dll
2012-12-01 22:53:54 1293680 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-12-01 22:53:53 52224 ----a-w- c:\windows\system32\nlaapi.dll
2012-12-01 22:53:53 35328 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-12-01 22:53:53 242176 ----a-w- c:\windows\system32\nlasvc.dll
2012-12-01 22:53:53 18944 ----a-w- c:\windows\system32\netevent.dll
2012-12-01 22:52:20 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-12-01 22:52:20 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-12-01 22:26:42 -------- d-----w- c:\windows\Panther
2012-12-01 22:04:37 -------- d-----w- c:\windows\system32\SPReview
2012-12-01 22:04:24 -------- d-----w- c:\windows\system32\EventProviders
2012-12-01 21:51:59 941568 ----a-w- c:\windows\system32\mblctr.exe
2012-12-01 21:50:55 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2012-12-01 21:50:55 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2012-12-01 21:31:11 -------- d-----w- c:\windows\system32\Wat
2012-12-01 21:30:51 805376 ----a-w- c:\windows\system32\FntCache.dll
2012-12-01 21:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
2012-12-01 21:28:38 398336 ----a-w- c:\windows\system32\TVWizudlg.exe
2012-12-01 21:28:38 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2012-12-01 21:28:37 -------- d-----w- c:\windows\system32\Lang
2012-12-01 21:12:23 1002008 ----a-w- c:\windows\system32\igxpun.exe
2012-12-01 21:12:23 -------- d-----w- c:\windows\system32\x64
2012-12-01 21:01:26 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-12-01 21:01:25 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-12-01 21:01:25 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-12-01 21:00:54 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-12-01 21:00:53 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-12-01 21:00:53 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-12-01 21:00:53 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-12-01 21:00:52 613888 ----a-w- c:\windows\system32\WUDFx.dll
2012-12-01 21:00:52 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-12-01 21:00:52 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2012-12-01 21:00:30 5120 ----a-w- c:\windows\system32\wmi.dll
2012-12-01 21:00:30 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-12-01 21:00:30 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-12-01 20:55:52 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-12-01 20:54:59 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-12-01 20:46:07 769024 ----a-w- c:\windows\system32\localspl.dll
2012-12-01 20:46:07 30208 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\winprint.dll
2012-12-01 20:46:05 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-12-01 20:46:00 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-12-01 20:46:00 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2012-12-01 20:46:00 107520 ----a-w- c:\windows\system32\cdd.dll
2012-12-01 20:45:59 123904 ----a-w- c:\windows\system32\poqexec.exe
2012-12-01 20:45:58 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2012-12-01 20:45:58 1137664 ----a-w- c:\windows\system32\mfc42.dll
2012-12-01 20:45:47 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-12-01 20:45:45 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2012-12-01 20:45:38 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2012-12-01 20:43:25 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-12-01 20:43:25 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-12-01 20:43:25 18432 ----a-w- c:\windows\system32\drivers\tdpipe.sys
2012-12-01 20:39:48 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-12-01 20:39:39 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-12-01 20:39:32 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-12-01 20:39:32 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-12-01 20:34:41 11004488 ----a-w- c:\program files\common files\lpuninstall.exe
2012-12-01 20:34:30 -------- d-----w- c:\program files\LastPass
2012-12-01 20:33:38 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-12-01 20:24:09 -------- d-----w- c:\users\jeffrey\appdata\local\Google
2012-12-01 20:24:07 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-12-01 20:24:05 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-12-01 20:24:04 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-12-01 20:23:46 -------- d-sh--w- c:\windows\Installer
2012-12-01 20:23:39 41224 ----a-w- c:\windows\avastSS.scr
2012-12-01 20:23:17 -------- d-----w- c:\programdata\AVAST Software
2012-12-01 20:23:17 -------- d-----w- c:\program files\AVAST Software
2012-12-01 20:01:55 -------- d-----w- c:\windows\system32\wbem\Performance
2012-12-01 20:00:57 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
2012-12-01 22:29:40 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-09 04:42:49 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-05 20:32:16 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-11-05 20:32:09 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-11-02 05:11:31 376832 ----a-w- c:\windows\system32\dpnet.dll
2012-10-16 07:39:52 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-04 16:47:18 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-10-04 16:43:05 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-10-04 14:57:58 271360 ----a-w- c:\windows\system32\conhost.exe
2012-10-04 14:41:50 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-10-04 14:41:50 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-04 14:41:50 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-10-04 14:41:50 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-09-25 22:47:43 78336 ----a-w- c:\windows\system32\synceng.dll
.
============= FINISH: 20:36:38.54 ===============

I have attached the zipped 'attach.txt' file.

Below are the two logs from the 'aswMBR' program. (Note: after running this scan the first time, I thought the program had finished, so I clicked 'Save Log' and saved the report, but when I came back to the 'aswMBR' screen the scan was running (either again, or perhaps it had just 'paused' in the initial scan?). At any rate, I have included the report from clicking the 'Save Log' button the 2nd time, as it includes all the info from the first run.)

2nd Log:

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-20 20:37:18
-----------------------------
20:37:18.799 OS Version: Windows 6.1.7601 Service Pack 1
20:37:18.799 Number of processors: 2 586 0x170A
20:37:18.799 ComputerName: JEFFREY-DESKTOP UserName: Jeffrey
20:37:21.471 Initialize success
20:37:21.612 AVAST engine defs: 12122001
20:37:58.627 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
20:37:58.627 Disk 0 Vendor: ST31000524AS JC4B Size: 953869MB BusType: 3
20:37:58.627 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-4
20:37:58.627 Disk 1 Vendor: Hitachi_HDS721616PLA380 P22OA70A Size: 157066MB BusType: 3
20:37:58.643 Disk 0 MBR read successfully
20:37:58.659 Disk 0 MBR scan
20:37:58.659 Disk 0 Windows 7 default MBR code
20:37:58.659 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:37:58.674 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
20:37:58.690 Disk 0 scanning sectors +1953521664
20:37:58.737 Disk 0 scanning C:\Windows\system32\drivers
20:38:06.784 Service scanning
20:38:18.393 Modules scanning
20:38:23.690 Disk 0 trace - called modules:
20:38:23.721 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys
20:38:23.721 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8607a460]
20:38:23.721 3 CLASSPNP.SYS[8c27e59e] -> nt!IofCallDriver -> [0x852d9590]
20:38:23.737 5 ACPI.sys[8ba4a3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x85be9030]
20:38:30.331 AVAST engine scan C:\Windows
20:38:42.127 AVAST engine scan C:\Windows\system32
20:38:45.987 Disk 0 MBR has been saved successfully to "C:\Users\Jeffrey\Desktop\MBR.dat"
20:38:46.002 The log file has been saved successfully to "C:\Users\Jeffrey\Desktop\aswMBR.txt"
20:40:21.416 AVAST engine scan C:\Windows\system32\drivers
20:40:30.212 AVAST engine scan C:\Users\Jeffrey
20:41:30.369 Disk 0 MBR has been saved successfully to "C:\Users\Jeffrey\Desktop\MBR.dat"
20:41:30.384 The log file has been saved successfully to "C:\Users\Jeffrey\Desktop\aswMBR2.txt"

I note the following advice in the 'Sticky' at: http://forums.spybot.info/showthread.php?t=288


"When Spybot-S&D is installed

TeaTimer needs to be disabled so that its protection does not interfere with fixes.

How Spybot-S&D protects against the installation of Spyware/Malware.

TeaTimer can be re-enabled once the computer is clean.

1. Open Spybot-S&D in Advanced Mode.
2. If it is not already set to do this go to the "Mode" menu and select "Advanced Mode".
3. On the left hand side, click on "Tools".
4. Then click on the Resident Icon in the List.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer."

... However, I could not find a Mode menu, or a Resident Icon or a TeaTimer in the Spybot-S&D 2 interface ... so I am not sure what to do here - please advise.

I did run a Spybot-S&D 2 Scan before I saw that I should have updated the program first, and that first run indicated: "39 items found". I noticed that a separate 'Immunization' program came up automatically, but I closed both it and Spybot S&D 2 until I got some instructions about what to do here. I have since done the Spybot S&D 2 'Update' but haven't re-run the Scan until I know what to do about the "Resident TeaTimer" setting mentioned above.

Thanks for anyone's help!

Jeff
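
The DDS report above contains the three things a responder actually acts on in a hijack like this: the `extensions.incredibar_i.*` prefs in the Firefox user.js, the search/start URLs pointing at the hijacker's domain, and the `mPolicies-System` values showing UAC is switched off (`EnableLUA = 0`, `ConsentPromptBehaviorAdmin = 0`, `PromptOnSecureDesktop = 0`). The script below is an added example for triaging such a log; it is not code from either poster, from DDS or from Spybot. It assumes the line formats DDS prints (as seen in the log), and the indicator lists (the `extensions.incredibar_i.` prefix and the `incredibar.com` domain) are this example's own assumption taken from the names visible above; DDS does not classify them itself. The sample inputs are constructed from a few lines of the posted log.

```python
"""Triage helper for a DDS 'Pseudo HJT Report' / FIREFOX section.

Added example, not the posters' or DDS's own code. It parses the line
formats DDS prints and flags hijacker user.js prefs, start/search URLs
on a hijacker domain, and UAC policy values that switch protection off.
The indicator lists are assumptions taken from names in the posted log.
"""
import re

HIJACKER_PREF_PREFIXES = ("extensions.incredibar_i.",)   # assumption
HIJACKER_DOMAINS = ("incredibar.com",)                   # assumption

# Policy names DDS reports under "mPolicies-System", mapped to the value
# that means "protection disabled".
WEAK_POLICY_VALUES = {
    "EnableLUA": 0,                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 0,  # admins elevate silently, no prompt
    "PromptOnSecureDesktop": 0,       # prompts not shown on the secure desktop
}

FF_PREF_RE = re.compile(r"^FF - (?:user|prefs)\.js: (\S+) - ?(.*)$")
POLICY_RE = re.compile(r"^mPolicies-System: (\w+) = dword:([0-9a-fA-F]+)$")
URL_RE = re.compile(r"^([um](?:Start Page|Default_Page_URL)) = (.*)$")
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",')


def is_hijacker_url(value):
    """True if value is a URL whose host is on a hijacker domain.
    DDS defangs URLs as hxxp, so both hxxp and http spellings are accepted."""
    m = re.match(r"^(?:hxxp|http)s?://([^/?#]+)", value, re.IGNORECASE)
    if not m:
        return False
    host = m.group(1).lower()
    return any(host == d or host.endswith("." + d) for d in HIJACKER_DOMAINS)


def analyze(lines):
    """Return (kind, name, value) findings for the given DDS report lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = FF_PREF_RE.match(line)
        if m:
            name, value = m.groups()
            if name.startswith(HIJACKER_PREF_PREFIXES):
                findings.append(("hijacker_pref", name, value))
            elif is_hijacker_url(value):
                findings.append(("hijacked_url", name, value))
            continue
        m = POLICY_RE.match(line)
        if m:
            name, hexval = m.groups()
            value = int(hexval, 16)          # DDS prints dword values in hex
            if WEAK_POLICY_VALUES.get(name) == value:
                findings.append(("weak_policy", name, value))
            continue
        m = URL_RE.match(line)
        if m and is_hijacker_url(m.group(2)):
            findings.append(("hijacked_url", m.group(1), m.group(2)))
    return findings


def clean_user_js(text):
    """Drop hijacker user_pref lines from a Firefox user.js file's text.
    Returns (cleaned_text, dropped_pref_names); other lines are untouched."""
    kept, dropped = [], []
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m and m.group(1).startswith(HIJACKER_PREF_PREFIXES):
            dropped.append(m.group(1))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", dropped


# Constructed sample: a few lines copied from the DDS log in the post.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/ig?refresh=1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8NQHxNuM&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.instlRef -
"""

# Constructed sample user.js, i.e. how those prefs would look on disk.
SAMPLE_USER_JS = """\
user_pref("browser.startup.homepage", "http://www.google.com/ig?refresh=1");
user_pref("extensions.incredibar_i.newTab", false);
user_pref("extensions.incredibar_i.tlbrSrchUrl", "http://mystart.Incredibar.com/?a=6R8NQHxNuM&loc=IB_TB&i=26&search=");
"""

if __name__ == "__main__":
    for kind, name, value in analyze(SAMPLE_DDS.splitlines()):
        print(f"{kind:14} {name} = {value!r}")
    print("dropped from user.js:", clean_user_js(SAMPLE_USER_JS)[1])
```

The UAC check matters here independently of the hijacker: with `EnableLUA = 0` every installer the user runs executes with full administrative rights and no prompt, which is exactly how a bundled toolbar gets to rewrite the settings of all three browsers at once. Removing the prefs from user.js only helps while the extension that wrote them is gone, so the `clean_user_js` step belongs after the add-on itself has been removed, not before.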

jeffce
2012-12-26, 16:11
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.
---------

AdwCleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) by Xplode onto your desktop.

Double click on AdwCleaner.exe to run the tool.
Click on Search.
A logfile will automatically open after the scan has finished.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------

jeffce
2012-12-28, 14:13
Still need help?

jeffce
2012-12-30, 02:11
Due to lack of feedback, this topic will now be closed.
If you are the original poster and you still require help, please start a new thread.