100k searches issue


Post by spackler68 on 2nd August 2011, 6:51 pm

Hi,

I've got something where my Google searches were redirected to "100K searches" when I clicked on any of the search results. That lasted for one day, and now my Symantec file system auto-protect is malfunctioning and I'm denied access to any Windows Installer.

I tried running OTL.com but got a dialog box stating that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I do have administrator rights.

I ran aswMBR.exe and have this log file:

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-29 19:11:47
-----------------------------
19:11:47.484 OS Version: Windows 5.1.2600 Service Pack 3
19:11:47.484 Number of processors: 4 586 0x2505
19:11:47.484 ComputerName: 9WS4WM1 UserName: pscully
19:12:01.796 Initialize success
19:12:31.281 AVAST engine defs: 11072900
19:12:36.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:12:36.093 Disk 0 Vendor: WDC_WD16 01.0 Size: 152627MB BusType: 3
19:12:36.109 Disk 0 MBR read successfully
19:12:36.109 Disk 0 MBR scan
19:12:36.359 Disk 0 Windows XP default MBR code
19:12:36.390 Disk 0 scanning sectors +312560640
19:12:36.484 Disk 0 scanning C:\WINDOWS\system32\drivers
19:13:22.171 Service scanning
19:13:23.906 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
19:13:23.906 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
19:13:23.921 Service WGX C:\WINDOWS\System32\Drivers\WGX.SYS **LOCKED** 32
19:13:23.921 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
19:13:23.921 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
19:13:24.421 Modules scanning
19:14:11.687 Disk 0 trace - called modules:
19:14:11.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:14:11.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7b78a0]
19:14:11.718 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a20c028]
19:14:36.046 AVAST engine scan C:\WINDOWS
19:15:11.656 AVAST engine scan C:\WINDOWS\system32
19:17:55.375 AVAST engine scan C:\WINDOWS\system32\drivers
19:18:11.078 AVAST engine scan C:\Documents and Settings\pscully
19:57:55.250 AVAST engine scan C:\Documents and Settings\All Users
20:05:02.031 Scan finished successfully
20:06:50.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\pscully\Desktop\Fixes\MBR.dat"
20:06:50.078 The log file has been saved successfully to "C:\Documents and Settings\pscully\Desktop\Fixes\aswMBR.txt"

I then ran SecurityCheck.exe and got this log file:

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Symantec Endpoint Protection
Rockwell Windows Firewall Configuration Utility 1.00.03
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 26
Java 2 Runtime Environment, SE v1.4.2
Adobe Flash Player 10.3.181.34
Mozilla Firefox (3.6.18) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````

Any help will be appreciated.

Thanks in advance,

spackler68
Novice

Posts: 15
Joined: 2011-07-29
OS: XP
Points: 19833
Likes: 0

Re: 100k searches issue

Post by Sneakyone on 3rd August 2011, 4:57 am

Hi,

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


I'm livin' life in the fast lane.

Sneakyone
Master

Posts: 2707
Joined: 2010-01-10
Gender: Male
OS: Windows 7 Ultimate 64-bit
Protection: Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points: 56134
Likes: 0

ComboFix results

Post by spackler68 on 3rd August 2011, 2:30 pm

Hi Sneakyone,

I tried to disable Symantec Endpoint Protection but the disable was grayed out.
Here is the ComboFix log; I attached it because it looked like an external link or email.

Thanks for your help.

spackler68

ComboFix log

Post by spackler68 on 3rd August 2011, 5:18 pm

Here it is for real (I hope):


spackler68

Re: 100k searches issue

Post by Sneakyone on 4th August 2011, 5:48 am

Hi,

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].


Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Re: 100k searches issue

Post by spackler68 on 4th August 2011, 1:35 pm

Hi,
Here is the log from Malwarebytes:



Thanks in advance,

spackler68

Re: 100k searches issue

Post by spackler68 on 4th August 2011, 2:49 pm

Hi,

I ran Malwarebytes in safe mode as described in the Using Malwarebytes guide and posted that log in Post #6.
I then ran it again in normal mode twice and got the following two logs, which I concatenated into one file.

Thanks,

spackler68

Re: 100k searches issue

Post by Sneakyone on 5th August 2011, 6:11 am

Hi,

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



Re: 100k searches issue

Post by spackler68 on 5th August 2011, 9:13 pm

Hi,

Here is the log from ESET:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=639feb87add2954580920f367a8b6a34
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-31 06:12:05
# local_time=2011-07-31 02:12:05 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=200996
# found=0
# cleaned=0
# scan_time=6257
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=639feb87add2954580920f367a8b6a34
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-05 07:52:33
# local_time=2011-08-05 03:52:33 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=237513
# found=3
# cleaned=3
# scan_time=21654
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036050.sys a variant of Win32/Rootkit.Kryptik.DM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036051.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP188\A0036457.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


My Symantec Endpoint Protection also found Trojan.Zeroaccess when I started my machine at home.

Thanks,

spackler68
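The three ESET hits above all sit under C:\System Volume Information\_restore{GUID}\RPnnn\, which is where System Restore keeps its snapshot copies (restore points 179 and 188 here). Quarantining them cleans the snapshots but does not touch whatever live file those copies were taken from, and ESET's Win32/Sirefef is the family Symantec names Trojan.Zeroaccess, so the scan result and the poster's Symantec alert describe the same infection. The script below is an added example, not part of the thread or of ESET's tooling: it parses ESET Online Scanner result lines and separates snapshot hits from hits on live files, so that a "found=3, cleaned=3" summary is not read as a cleaned machine. The first three lines of SAMPLE_LOG are the detections posted above; the fourth line (example.sys with the action "unable to clean") is constructed to exercise the live-file branch and is not from the thread.

```python
"""Split ESET Online Scanner results into snapshot hits and live hits.

Added example for this thread, not ESET's code.  The first three lines of
SAMPLE_LOG are copied from the log posted above; the example.sys line is
constructed and does not come from the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036050.sys a variant of Win32/Rootkit.Kryptik.DM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP179\A0036051.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39A642AC-C956-49A1-ADCF-C297E6B297EC}\RP188\A0036457.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\example.sys a variant of Win32/Example trojan (unable to clean) 00000000000000000000000000000000 C
"""

# One result line: <path> <threat text> (<action>) <32 hex digits> <flag>.
# The path may contain spaces, so it is delimited by its file extension and
# the threat text is required to contain a "Platform/Name" token.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4}) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/.+?) "
    r"\((?P<action>[^()]*)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)
# System Restore stores snapshot copies under _restore{GUID}\RPnnn\.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\", re.I)
FAMILY_RE = re.compile(r"[A-Za-z0-9]+/[A-Za-z0-9_.]+")


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    restore_point: Optional[int]  # RP number when the hit is a snapshot copy

    @property
    def cleaned(self) -> bool:
        return self.action.startswith("cleaned")

    @property
    def family(self) -> str:
        return FAMILY_RE.search(self.threat).group(0)


def parse_detections(text: str) -> List[Detection]:
    """Parse every non-comment line; raise on a line the format does not cover."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            raise ValueError("unrecognised ESET result line: " + line)
        rp = RESTORE_RE.search(m["path"])
        hits.append(Detection(m["path"], m["threat"], m["action"],
                              int(rp["rp"]) if rp else None))
    return hits


def triage(text: str) -> dict:
    """Count hits, then split them into snapshot copies and live files.

    Only live_uncleaned describes what is still running on the machine;
    snapshot hits say that an infected file existed when the restore
    point was taken, not that it has gone from its original location."""
    hits = parse_detections(text)
    live = [h for h in hits if h.restore_point is None]
    return {
        "found": len(hits),
        "cleaned": sum(h.cleaned for h in hits),
        "families": sorted({h.family for h in hits}),
        "snapshot_hits": [h for h in hits if h.restore_point is not None],
        "live_hits": live,
        "live_uncleaned": [h for h in live if not h.cleaned],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"found={result['found']} cleaned={result['cleaned']} families={result['families']}")
    for h in result["snapshot_hits"]:
        print(f"restore point {h.restore_point}: {h.family} ({h.action})")
    for h in result["live_uncleaned"]:
        print(f"STILL LIVE: {h.path} {h.family} ({h.action})")
```

For the log as actually posted (the first three lines only) live_uncleaned is empty, yet the access-denied symptom persists in the following posts; that gap between "all hits cleaned" and "machine still broken" is exactly what the split makes visible.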

Re: 100k searches issue

Post by Sneakyone on 6th August 2011, 7:27 am

Hi,

How's your computer running now?



Re: 100k searches issue

Post by spackler68 on 8th August 2011, 1:08 pm

Hi,

I'm still denied access to any Windows Installer. It either does the configuration of the installer and stops, or I get a dialog box with: "Cannot launch C:\Windows\System32\msiexec.exe
Access is denied"

I cannot run OTL.com either.

Thanks in advance,

spackler68

Re: 100k searches issue

Post by Sneakyone on 9th August 2011, 5:17 am

Hi,


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


Re: 100k searches issue

Post by spackler68 on 9th August 2011, 1:34 pm

Hi,

Here is the Win32kDiag log file:

Running from: C:\Documents and Settings\pscully\Desktop\Fixes\Win32kDiag.exe

Log file at : C:\Documents and Settings\pscully\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\CCM\CcmExec.exe
[1] 2009-09-18 04:00:00 764768 C:\WINDOWS\system32\CCM\CcmExec.exe ()

Cannot access: C:\WINDOWS\system32\msiexec.exe
[1] 2008-04-14 06:42:30 78848 C:\WINDOWS\$NtUninstallKB942288-v3$\msiexec.exe (Microsoft Corporation)
[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\dllcache\msiexec.exe (Microsoft Corporation)
[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\msiexec.exe ()

Finished!

Thanks,

spackler68

Re: 100k searches issue

Post by Sneakyone on 10th August 2011, 5:50 am

Hi,

Submit a file for analysis.

1. Please visit this website: [You must be registered and logged in to see this link.]
2. Press the "Browse" button and locate the following file:
   C:\WINDOWS\system32\msiexec.exe
3. Press the "Upload" button to submit the file for analysis.
4. Allow it to be scanned; it could take a few minutes depending on server load.
5. Copy and paste the result back here.



Re: 100k searches issue

Post by spackler68 on 10th August 2011, 10:42 pm

Hi,

The file did not want to be uploaded. The main analysis page tried to upload and did nothing else. I tried installing the Uploader 2.0 and it responded that it couldn't open the file.

Thanks,

spackler68

Re: 100k searches issue

Post by Sneakyone on 12th August 2011, 3:02 am

Hi,

Could you please upload it to mediafire.com and post a link here?



Re: 100k searches issue

Post by spackler68 on 12th August 2011, 12:53 pm

Hi,

I get an upload failure: 'Permissions error. Error#-503'

Thanks,

spackler68

Re: 100k searches issue

Post by Sneakyone on 13th August 2011, 1:51 am

Can you right-click on the file and copy it to your desktop, then upload it?



Re: 100k searches issue

Post by spackler68 on 16th August 2011, 1:03 pm

Hi,

I can't copy it to my desktop. I get a dialog box with this message:
'Cannot copy msiexec.exe: Access is denied.'

Thanks,

spackler68

Re: 100k searches issue

Post by Sneakyone on 17th August 2011, 10:15 pm

Hi,

Re-running ComboFix to remove infections:

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quote box below into it:

  FCopy::
  C:\WINDOWS\system32\dllcache\msiexec.exe | C:\WINDOWS\system32\msiexec.exe

4. Save this as CFScript.txt, in the same location as ComboFix.exe.



5. Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
6. When finished, it shall produce a log for you at C:\ComboFix.txt.
7. Please post the contents of the log in your next reply.


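Win32kDiag's output posted earlier reads as a restore plan once the entries are lined up. The blocked C:\WINDOWS\system32\msiexec.exe still shows its directory metadata (95744 bytes, 2008-05-19 02:57:42) but no company name, because the tool could not open the file to read its version resource; the Windows File Protection copy in system32\dllcache has the same size and timestamp with readable version info; and the copy in $NtUninstallKB942288-v3$ is an older build (78848 bytes, 2008-04-14) that must not be used. The "Could not get backup privileges" warning means the tool could not enable the backup privilege that lets a process read files regardless of their permissions, so an administrator logon alone did not get it past whatever was refusing access. The FCopy:: directive in the post above is exactly the dllcache-to-system32 copy this analysis arrives at. The script below is an added example, not part of the thread and not Win32kDiag's or ComboFix's code: it parses the log format, picks a source copy for each blocked file by size, timestamp and readable version info, and renders the result in the CFScript FCopy:: syntax. SAMPLE_LOG reproduces the Win32kDiag log posted above; the function names are this example's own.

```python
"""Pick a known-good source for each file Win32kDiag could not open.

Added example for this thread, not Win32kDiag's or ComboFix's own code.
SAMPLE_LOG reproduces the Win32kDiag output posted above; everything
else (function names, the CFScript rendering) belongs to this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\pscully\Desktop\Fixes\Win32kDiag.exe
Log file at : C:\Documents and Settings\pscully\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\CCM\CcmExec.exe
[1] 2009-09-18 04:00:00 764768 C:\WINDOWS\system32\CCM\CcmExec.exe ()

Cannot access: C:\WINDOWS\system32\msiexec.exe
[1] 2008-04-14 06:42:30 78848 C:\WINDOWS\$NtUninstallKB942288-v3$\msiexec.exe (Microsoft Corporation)
[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\dllcache\msiexec.exe (Microsoft Corporation)
[1] 2008-05-19 02:57:42 95744 C:\WINDOWS\system32\msiexec.exe ()

Finished!
"""

WARNING_RE = re.compile(r"^WARNING: (?P<msg>.+)$")
BLOCKED_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
# "[n] YYYY-MM-DD HH:MM:SS size path (company)".  Company is empty when the
# file could not be opened to read its version resource; size and timestamp
# come from the directory entry and are present even for a blocked file.
ENTRY_RE = re.compile(
    r"^\[(?P<n>\d+)\] (?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<path>.+?) \((?P<company>[^()]*)\)$"
)


@dataclass
class Copy:
    stamp: str
    size: int
    path: str
    company: str


@dataclass
class Blocked:
    path: str
    copies: List[Copy] = field(default_factory=list)


@dataclass
class Report:
    warnings: List[str] = field(default_factory=list)
    blocked: List[Blocked] = field(default_factory=list)


def parse_win32kdiag(text: str) -> Report:
    """Group every "[n] ..." entry under the "Cannot access:" line above it."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := WARNING_RE.match(line)):
            rep.warnings.append(m["msg"])
        elif (m := BLOCKED_RE.match(line)):
            rep.blocked.append(Blocked(path=m["path"]))
        elif (m := ENTRY_RE.match(line)) and rep.blocked:
            rep.blocked[-1].copies.append(
                Copy(m["stamp"], int(m["size"]), m["path"], m["company"]))
    return rep


def suggest_restore(blocked: List[Blocked]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each blocked path to (source path or None, reason).

    A copy qualifies when it lives at another path, its version info was
    readable, and its size and timestamp equal the blocked file's own
    directory metadata.  Older builds in $NtUninstall* folders fail the
    size/timestamp test and are rejected.  This is a plausibility filter
    only; compare hashes once the file can actually be read.
    """
    plan: Dict[str, Tuple[Optional[str], str]] = {}
    for b in blocked:
        live = next((c for c in b.copies if c.path.lower() == b.path.lower()), None)
        others = [c for c in b.copies if c.path.lower() != b.path.lower()]
        good = [c for c in others
                if c.company and live is not None
                and c.size == live.size and c.stamp == live.stamp]
        # Prefer the Windows File Protection cache over anything else.
        good.sort(key=lambda c: 0 if "\\dllcache\\" in c.path.lower() else 1)
        if good:
            plan[b.path] = (good[0].path, "same size and timestamp, version info readable")
        elif not others:
            plan[b.path] = (None, "no other copy of this file found on disk")
        else:
            plan[b.path] = (None, f"{len(others)} other copies found, none match size/timestamp")
    return plan


def cfscript(plan: Dict[str, Tuple[Optional[str], str]]) -> str:
    """Render the restorable entries in ComboFix's FCopy:: script syntax
    ("source | destination", one per line), as used in the post above."""
    lines = ["FCopy::"]
    lines += [f"{src} | {dst}" for dst, (src, _) in plan.items() if src]
    return "\n".join(lines)


if __name__ == "__main__":
    report = parse_win32kdiag(SAMPLE_LOG)
    for msg in report.warnings:
        print("warning:", msg)
    plan = suggest_restore(report.blocked)
    for dst, (src, why) in plan.items():
        print(f"{dst}\n    <- {src or 'no safe source'}  [{why}]")
    print(cfscript(plan))
```

On the posted log the plan restores msiexec.exe from dllcache and reports that CcmExec.exe (the SCCM client, which has no cached copy) cannot be sourced from disk at all. Note what the parser does not tell you: why access was denied in the first place. Replacing the file restores the installer, but whatever blocked reads of it is still the thing a removal has to address.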

Re: 100k searches issue

Post by spackler68 on 18th August 2011, 8:28 pm

Hi,

Here is the ComboFix log:

ComboFix 11-08-18.02 - pscully 08/18/2011 16:12:29.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.2616 [GMT -4:00]
Running from: c:\documents and settings\pscully\Desktop\Fixes\commy.exe
Command switches used :: c:\documents and settings\pscully\Desktop\Fixes\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\msiexec.exe --> c:\windows\system32\msiexec.exe
.
((((((((((((((((((((((((( Files Created from 2011-07-18 to 2011-08-18 )))))))))))))))))))))))))))))))
.
.
2011-08-18 20:06 . 2011-08-18 20:06 -------- d-----w- c:\documents and settings\pscully\Application Data\smkits
2011-08-18 19:22 . 2011-08-18 19:22 -------- d-----w- c:\documents and settings\pscully\Local Settings\Application Data\BostonUniversity
2011-08-18 13:01 . 2011-08-12 05:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-18 13:01 . 2011-08-12 05:57 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-18 13:01 . 2011-08-12 05:57 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-18 13:01 . 2011-08-12 05:57 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-18 13:01 . 2011-08-12 05:57 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-18 13:01 . 2011-08-12 05:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-18 13:01 . 2011-08-12 03:16 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-18 13:01 . 2011-08-12 03:16 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-10 22:38 . 2011-08-10 22:38 -------- d-----w- c:\program files\VirusTotalUploader2
2011-08-08 13:40 . 2011-08-08 13:40 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-08 13:40 . 2011-08-08 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-08-08 13:34 . 2011-08-08 13:34 -------- d--h--w- c:\windows\PIF
2011-08-04 14:14 . 2011-08-04 14:14 -------- d-----w- c:\windows\system32\Wave Systems Corp
2011-08-04 13:25 . 2011-08-04 13:25 -------- d-----w- c:\documents and settings\pscully\Application Data\Malwarebytes
2011-08-04 13:25 . 2011-08-04 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-03 14:11 . 2011-08-03 14:32 -------- d-----w- c:\documents and settings\pscully\Application Data\InfraRecorder
2011-08-03 14:10 . 2011-08-03 14:10 -------- d-----w- c:\program files\InfraRecorder
2011-08-03 12:32 . 2011-08-03 12:32 -------- d-----w- C:\Downloads
2011-08-03 12:31 . 2011-08-15 18:01 -------- d-----w- c:\program files\FlashGet
2011-07-28 16:53 . 2011-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2011-07-28 16:53 . 2011-07-28 16:53 -------- d-----w- c:\program files\TechSmith
2011-07-28 16:53 . 2011-07-28 16:53 -------- d-----w- c:\documents and settings\pscully\Local Settings\Application Data\TechSmith
2011-07-28 16:51 . 2011-07-28 16:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-07-28 02:36 . 2011-07-28 02:36 -------- d-----w- c:\documents and settings\pscully\Local Settings\Application Data\PCHealth
2011-07-28 02:14 . 2011-07-28 02:22 -------- d-----w- c:\windows\SxsCaPendDel
2011-07-28 01:17 . 2011-07-28 01:17 -------- d-----w- c:\program files\Common Files\L&H
2011-07-28 01:04 . 2011-07-28 01:04 -------- d-----r- C:\MSOCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-18 19:58 . 2011-01-14 18:17 0 ----a-w- c:\documents and settings\pscully\Local Settings\Application Data\WavXMapDrive.bat
2011-08-15 00:08 . 2011-07-13 12:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-28 02:11 . 2011-02-24 16:52 2377696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-06-02 14:07 . 2010-11-16 09:37 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-08-12 05:57 . 2011-08-18 13:01 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-18 19:54 . 2011-08-18 19:54 16384 c:\windows\Temp\Perflib_Perfdata_450.dat
+ 2010-11-16 09:37 . 2011-08-18 20:00 582036 c:\windows\system32\perfh009.dat
- 2010-11-16 09:37 . 2011-08-03 13:17 582036 c:\windows\system32\perfh009.dat
+ 2010-11-16 09:37 . 2011-08-18 20:00 116426 c:\windows\system32\perfc009.dat
- 2010-11-16 09:37 . 2011-08-03 13:17 116426 c:\windows\system32\perfc009.dat
+ 2011-08-15 00:08 . 2011-08-15 00:08 243360 c:\windows\system32\Macromed\Flash\FlashUtil10v_Plugin.exe
+ 2011-01-14 21:46 . 2011-08-15 00:08 6277280 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-29 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-29 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-29 144920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-03-29 278528]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-07 737280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-15 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-01-14 158592]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-01-14 34232]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\Client\FaxCtrl.exe" [2007-03-22 98304]
"eCopy Scan Inbox Monitor"="c:\program files\eCopy\Desktop 9.0\Bin\InboxMonitor.exe" [2006-11-21 65536]
"eDP2eD"="c:\program files\eCopy\Desktop 9.0\Bin\eDP2eD.exe" [2006-11-21 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Asset Insight SUM"="c:\program files\Insight\Tools\AISOFTMN.EXE" [2002-04-23 8091]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2008-05-27 434176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2723623973-1505943458-2159161028-60746\Scripts\Logon\0\0]
"Script"=RAdminConfig.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RdcyHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\NmspHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx\\RSLINX.EXE"=
"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"c:\\Program Files\\Rockwell Software\\RSCommon\\rssql_xml.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_tmctrl.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_trnmgr.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_cfg_server.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_comp_storer.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_lnxcoll.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_rnacoll.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_rsvcoll.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_opccoll.exe"=
"c:\\Program Files\\Rockwell Software\\RSSql\\rssql_trx_csv.exe"=
"c:\\Program Files\\Schneider Electric\\ConneXium\\LANconfig\\lanconf.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:UDP"= 4899:UDP:RAdmin
"4899:TCP"= 4899:TCP:RAdmin
"135:TCP"= 135:TCP:Port 135 TCP
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"400:TCP"= 400:TCP:Port 400 TCP
"401:TCP"= 401:TCP:Port 401 TCP
"402:TCP"= 402:TCP:Port 402 TCP
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\VirtualBackplane.sys [07/23/2008 4:07 PM 63544]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [11/20/2009 6:42 PM 278304]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [12/17/2009 11:45 AM 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [12/17/2009 11:45 AM 27040]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [12/10/2009 2:09 PM 376608]
R2 NA_Service;NetAccess Service;c:\windows\system32\NA_Service.exe [01/17/2011 2:47 PM 49152]
R2 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [06/25/2008 2:14 PM 218408]
R2 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [06/25/2008 2:14 PM 218408]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [11/16/2010 5:31 AM 47616]
R2 rssql_cfg_server;FactoryTalk Transaction Manager Configuration Server;c:\program files\Rockwell Software\RSSql\rssql_cfg_server.exe [09/25/2007 8:46 PM 229444]
R2 rssql_comp_storer;FactoryTalk Transaction Manager Compression Server;c:\program files\Rockwell Software\RSSql\rssql_comp_storer.exe [09/25/2007 8:48 PM 114757]
R2 UsbConnect;Usb PLC;c:\windows\system32\UsbConnect.exe [01/17/2011 2:48 PM 77824]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [11/16/2010 5:30 AM 42672]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [11/16/2010 5:30 AM 113664]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [11/16/2010 5:31 AM 33832]
R3 Duntlw;UNTLW device;c:\windows\system32\drivers\DuntlwNT.sys [01/17/2011 2:47 PM 53568]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [11/16/2010 5:30 AM 167080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [07/27/2011 4:00 AM 105592]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [06/25/2008 2:12 PM 222504]
    R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [11/16/2010 5:31 AM 132352]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [11/16/2010 5:31 AM 215040]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [03/18/2010 2:16 PM 130384]
    S2 FTActivationBoost;FactoryTalk Activation Helper;"c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe" --> c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [?]
    S2 r_server;Remote Administrator Service;c:\program files\RAdmin\r_server.exe [07/24/2001 12:15 PM 241664]
    S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [07/23/2008 4:19 PM 106496]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [01/20/2011 3:01 PM 20160]
    S3 ClmbxPnP;Cyberlogic MBX Driver (PnP);c:\windows\system32\Drivers\ClmbxPnP.sys --> c:\windows\system32\Drivers\ClmbxPnP.sys [?]
    S3 CLMbxUsb;Cyberlogic MBX Driver (USB);c:\windows\system32\drivers\CLMbxUsb.sys [01/21/2011 4:54 PM 94608]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [09/15/2009 3:59 PM 23888]
    S3 eMBX;Cyberlogic Ethernet MBX Driver;c:\program files\Cyberlogic\Ethernet MBX Driver\EMbxRpcS.exe [02/05/2008 3:51 PM 222480]
    S3 EmuLogix 5868 Slot0;EmuLogix 5868 Slot0;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot1;EmuLogix 5868 Slot1;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot10;EmuLogix 5868 Slot10;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot11;EmuLogix 5868 Slot11;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot12;EmuLogix 5868 Slot12;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot13;EmuLogix 5868 Slot13;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot14;EmuLogix 5868 Slot14;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot15;EmuLogix 5868 Slot15;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot16;EmuLogix 5868 Slot16;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot2;EmuLogix 5868 Slot2;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot3;EmuLogix 5868 Slot3;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot4;EmuLogix 5868 Slot4;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot5;EmuLogix 5868 Slot5;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot6;EmuLogix 5868 Slot6;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot7;EmuLogix 5868 Slot7;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot8;EmuLogix 5868 Slot8;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 EmuLogix 5868 Slot9;EmuLogix 5868 Slot9;c:\program files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [07/08/2005 8:21 AM 1425408]
    S3 gMBX;Cyberlogic MBX Gateway Server;c:\program files\Common Files\Cyberlogic Shared\gMbxRpcS.exe [10/04/2007 11:00 AM 182544]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/25/2010 1:07 PM 35088]
    S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [07/05/2008 7:19 PM 39067]
    S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [07/05/2008 7:19 PM 155440]
    S3 rssql_ddecoll;FactoryTalk Transaction Manager DDE Connector;c:\program files\Rockwell Software\RSSql\rssql_ddecoll.exe [09/25/2007 8:48 PM 118849]
    S3 rssql_lnxcoll;FactoryTalk Transaction Manager RSlinx Connector;c:\program files\Rockwell Software\RSSql\rssql_lnxcoll.exe [09/25/2007 8:48 PM 315457]
    S3 rssql_mts_storer;FactoryTalk Transaction Manager COM+ Enterprise Connector;c:\program files\Rockwell Software\RSSql\rssql_mts_storer.exe [09/25/2007 8:48 PM 65604]
    S3 rssql_oci_storer;FactoryTalk Transaction Manager OCI Enterprise Connector ;c:\program files\Rockwell Software\RSSql\rssql_oci_storer.exe [09/25/2007 8:47 PM 73796]
    S3 rssql_oledb_storer;FactoryTalk Transaction Manager OLE-DB Enterprise Connector ;c:\program files\Rockwell Software\RSSql\rssql_oledb_storer.exe [09/25/2007 8:47 PM 65606]
    S3 rssql_opccoll;FactoryTalk Transaction Manager OPC Connector;c:\program files\Rockwell Software\RSSql\rssql_opccoll.exe [09/25/2007 8:48 PM 315457]
    S3 rssql_rnacoll;FactoryTalk Transaction Manager FactoryTalk Connector;c:\program files\Rockwell Software\RSSql\rssql_rnacoll.exe [09/25/2007 8:49 PM 315457]
    S3 rssql_rsvcoll;FactoryTalk Transaction Manager RSView Connector;c:\program files\Rockwell Software\RSSql\rssql_rsvcoll.exe [09/25/2007 8:48 PM 307265]
    S3 rssql_storer;FactoryTalk Transaction Manager ODBC Enterprise Connector;c:\program files\Rockwell Software\RSSql\rssql_storer.exe [09/25/2007 8:47 PM 69696]
    S3 rssql_tb;FactoryTalk Transaction Manager Transaction Manager Service;c:\program files\Rockwell Software\RSSql\rssql_trnmgr.exe [09/25/2007 8:47 PM 155712]
    S3 rssql_tmctrl;FactoryTalk Transaction Manager Transaction and Control Manager ;c:\program files\Rockwell Software\RSSql\rssql_tmctrl.exe [09/25/2007 8:47 PM 176192]
    S3 SimModuleService;1789-SIM Simulator Module;c:\program files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [07/23/2008 4:09 PM 98304]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/16/2010 5:37 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [03/18/2010 2:16 PM 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [07/22/2009 11:08 PM 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [03/30/2009 4:09 AM 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [03/30/2009 4:23 AM 366936]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 139.158.8.4 10.171.189.88 139.160.64.155 157.198.12.10
    DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
    FF - ProfilePath - c:\documents and settings\pscully\Application Data\Mozilla\Firefox\Profiles\1bb1k3xt.default\
    FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2011-08-18 16:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    UsbCipHelper = c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe???????????Nj?w??????@???D????????|P?E????|???????????????|????P?E?????????8???????????????????>?@?????T???@????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="REMOVED"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(4540)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\msi.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-08-18 16:25:07
    ComboFix-quarantined-files.txt 2011-08-18 20:25
    ComboFix2.txt 2011-08-03 13:20
    .
    Pre-Run: 40,798,785,536 bytes free
    Post-Run: 40,909,385,728 bytes free
    .
    - - End Of File - - AE5547FEF9477E2FF366DB2E68D0E251


    Thanks,

    spackler68
    Novice

    Posts : 15
    Joined : 2011-07-29
    OS : XP

    Re: 100k searches issue

    Post by Sneakyone on 19th August 2011, 3:41 am

    Hi,

    Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].


    Double Click mbam-setup.exe to install the application.

    • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    I'm livin' life in the fast lane.

    Sneakyone
    Master

    Posts : 2707
    Joined : 2010-01-10
    Gender : Male
    OS : Windows 7 Ultimate 64-bit
    Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware

    Re: 100k searches issue

    Post by spackler68 on 19th August 2011, 1:17 pm

    Hi,

    Here is the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.51.1.1800
    [You must be registered and logged in to see this link.]

    Database version: 7507

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    08/19/2011 9:16:03 AM
    mbam-log-2011-08-19 (09-16-03).txt

    Scan type: Quick scan
    Objects scanned: 211163
    Time elapsed: 5 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Thanks,

    spackler68
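The two Malwarebytes hits in the log above are not files or processes but two DWORD values under the Security Center key: FirewallDisableNotify and UpdatesDisableNotify set to 1, which silences the "firewall off" and "updates off" balloons. The following PowerShell script is an added example for this page, not code from the thread or from Malwarebytes; it reads those two values, reports whether each one is in the state the log flagged, and with `-Reset` puts them back to 0, which is the "Good" state the log records. The function name and the `-Reset` switch are this example's own; the key path and value names are the ones in the log. It uses PowerShell 2.0 syntax so that it also runs on an XP SP3 machine like the poster's.

```powershell
# Added example (not from the forum thread or from Malwarebytes): audit, and
# optionally reset, the Windows Security Center notification switches that the
# Malwarebytes log reported as PUM.Disabled.SecurityCenter.
# Written in PowerShell 2.0 syntax so it also runs on Windows XP SP3.

function Get-SecurityCenterNotifyState {
    param(
        # Key and value names are the ones shown in the Malwarebytes log.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Security Center',
        [string[]]$ValueNames = @('FirewallDisableNotify', 'UpdatesDisableNotify'),
        # When set, a value of 1 is changed back to 0 (the "Good" state in the log).
        # Needs an elevated prompt because the key lives under HKLM.
        [switch]$Reset
    )
    foreach ($name in $ValueNames) {
        # Missing values are normal; suppress the error and treat them as absent.
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = if ($item -ne $null) { $item.$name } else { $null }

        if ($value -eq 1) {
            $status = 'alert suppressed (same condition the log flagged)'
            if ($Reset) {
                Set-ItemProperty -Path $Path -Name $name -Value 0 -Type DWord
                $status = 'was suppressed; reset to 0'
            }
        } elseif ($value -eq $null) {
            $status = 'value absent (default: alert enabled)'
        } else {
            $status = 'alert enabled'
        }

        # PowerShell 2.0 has no [pscustomobject] cast, so build the row this way.
        New-Object PSObject -Property @{ Name = $name; Value = $value; Status = $status } |
            Select-Object Name, Value, Status
    }
}

# Report only. Run "Get-SecurityCenterNotifyState -Reset" from an elevated
# prompt to set any value that is 1 back to 0.
Get-SecurityCenterNotifyState | Format-Table -AutoSize
```

Running the report again after a reboot is the useful check: if both values come back as 1, something on the machine is re-setting them. A security product that manages its own Security Center alerts, or a management policy, can do that legitimately, so find out what writes to the key before reading a recurrence as a sign of remaining infection.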

    Re: 100k searches issue

    Post by Dr Jay on 20th August 2011, 5:16 pm

    What other signs of infection are there?


    Dr. Jay (DJ)



    Dr Jay
    Head Administrator

    Posts : 14314
    Joined : 2009-09-06
    Gender : Male
    OS : Windows 10 Home & Pro
    Arch. : x64 (64-bit)
    Protection : Bitdefender Total Security

    Re: 100k searches issue

    Post by spackler68 on 21st August 2011, 12:35 pm

    Hi,

    My Windows installer is working now. The only thing that is out of the ordinary is my 'Symantec Endpoint Protection File System Auto-Protect is malfunctioning'.

    I ran Malwarebytes again after a reboot and got those same two hits:

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Is this an issue?

    Thanks,

    spackler68

    Re: 100k searches issue

    Post by Dr Jay on 21st August 2011, 5:56 pm

    Not much of an issue...

    Do you want to try to reinstall your Symantec Product?


    Dr. Jay (DJ)



    Re: 100k searches issue

    Post by spackler68 on 22nd August 2011, 6:06 pm

    Hi,

    I will try the reinstall.

    Thank you guys so much. I'll let you know how it goes.

    spackler68

    Re: 100k searches issue

    Post by Dr Jay on 22nd August 2011, 8:43 pm

    OKAY


    Dr. Jay (DJ)


